The ICO recently wrote to a number of universities to issue guidance on wealth screening, a practice we expressed some reservations about here on the Holly Palmer Consulting blog last year following a critical front page in the Daily Mail (you can read the MailOnline’s version of the newspaper piece here). The ICO’s letter was the conclusion to an investigation it undertook in response to that front page, and they’ve decided not to take any further action – a fact you can’t find on their website, although the letter was disclosed via a Freedom of Information request. You can find it here, together with a list of universities to whom the ICO wrote.
On the surface that would appear to be the end of the matter, and indeed the IDPE reported the story as such: “ICO to take no further action on wealth screening and data matching practices in universities”. But we think it would be a mistake to believe that the ICO has said there’s nothing to see here, as the conclusion to their guidance makes clear:
The ICO expects that any processing for the purposes set out above takes our guidance and advice into account. If we receive complaints in the future, any subsequent enquiries we make may lead to formal enforcement action.
So what does the guidance say, and what are its implications for our sector?
Consent vs legitimate interest
The ICO recognises that “wealth screening” covers a range of activities, from “segmenting your donor database by postcode, through to using dedicated third-party companies to obtain more personal information and generate donor profiles.” They point out that when undertaking such activities, “universities will have to rely on either consent, or that the processing is necessary for the purposes of pursuing legitimate interests.”
Determining which of these two lawful bases to use in each circumstance has been a matter of some debate until now. Adrian Beney of More Partnership argued in response to the Mail’s piece that wealth screening does not require the consent of the person being screened, with the caveat that a data protection impact assessment has been undertaken and the activity has been clearly communicated to the data subjects via a privacy notice – in essence, using legitimate interest. Elsewhere, Factary (who specialise in wealth screening) issued a guide on “GDPR-Compliant Wealth Screening” which, whilst not expressing a view either way on whether legitimate interest or consent is the correct legal basis, notes that “Factary’s survey of prospect research teams in late 2016 showed that 54% of organisations had chosen Legitimate Interests and 3% had chosen Consent (the remaining 43% had yet to decide)”.
On the other hand, Tim Turner of 2040 Training has more recently deconstructed the privacy notice for alumni and supporters issued by Queen Mary (University of London), which includes detailed references to wealth screening. Tim writes: “I don’t believe that Queen Mary can possibly justify the amount of data that they propose to process and the purposes for which they think legitimate interests is an adequate umbrella”, and suspects that the ICO “might be surprised to see wealth screening being carried out so enthusiastically”.
We do not know what information the ICO received as part of its investigation, nor whether they were surprised. However, in seeking to clarify the matter of where legitimate interest ends and consent begins when it comes to wealth screening, they write:
Activities such as segmenting databases by reference to postcodes or other information you already have may represent a relatively low level of intrusion into privacy. In these cases, the legitimate interest condition may be a valid basis for processing. Far more intrusive are activities such as profiling individuals, particularly where this involves getting more information that the individual has not given you, either directly or via third-party companies. In these cases the legitimate interest condition is unlikely to apply. So you’d need to seek the consent of individuals before doing such processing. It follows that there is an element of risk in relying on the legitimate interest condition for wealth screening. For more certainty you should seek the individual’s consent.
Have they asked, and should they ask?
Here at Holly Palmer Consulting, we’ve read the privacy notices of all development offices belonging to Russell Group institutions. We found that, out of these 24 institutions, only one (the University of York) made no reference to wealth screening (although even in that instance there is still the disclosure that “some additions from third parties or public sources” may be added to the subject’s record). Within the other 23 privacy notices, there are numerous references to wealth screening:
- “We may occasionally carry out wealth screening” (https://www.birmingham.ac.uk/privacy/alumni.aspx)
- “We may use automated or manual processes such as wealth screening to analyse and segment our data.” (https://www.gla.ac.uk/alumni/welcomehome/privacynotice/)
- “We may use additional information such as geographical information and measures of affluence where available from external sources to assist us” (http://www.imperial.ac.uk/advancement/about-us/advancement-policies/privacy-policy/)
- “We may use your data for wealth screening, research and profiling” (https://alumni.kcl.ac.uk/privacy-statement–kings-college-london-alumni)
- “We may use approved third party analysts to carry out what is known as wealth screening” (https://alumni.leeds.ac.uk/privacy)
- “We may gather information about you from publicly available sources – for example Companies House, the Electoral Register and the media, this information is used to help us better understand you as an individual and your ability to support the University. We may carry out wealth screening, a process which uses trusted third-party partners to automate some of this work” (https://alumni.liv.ac.uk/page.aspx?pid=458)
- “We may carry out wealth screening, a process which uses trusted third-party partners to automate some of this work” (https://warwick.ac.uk/alumni/privacynotice01)
It’s clear that most well-resourced development offices are open to the possibility of conducting wealth screening, but have they obtained the necessary consent to do so? We can’t answer that question, but perhaps another question lies behind it: should they obtain consent to do so? After all, the ICO recommends consent here because it claims that wealth screening “is the kind of processing that individuals are unlikely to expect as a result of providing their personal data to a university, even where this data is given for the purposes of fundraising”. But on what basis are they making such a claim, and where is the evidence for it?
When we wrote about this topic a year ago we took a measured response and accepted that “there are solid arguments for why wealth-screening should take place”, which the Institute of Fundraising documented in their Good Asking report. The results of a YouGov poll were featured in that report, finding that 60% of those who prefer charities to communicate with them in a tailored way replied in the positive when asked: “Do you think that charities should be able to use information that’s publicly available (e.g. through Google searches or local newspaper articles) to be able to best tailor their approaches to their supporters?”
That one metric alone doesn’t provide a solid basis on which to form an argument about what donors expect, particularly when a survey conducted three months later found that just 14% of British adults would opt in if a charity wanted to “use publicly available data to better understand you and target you with better appeals and campaigns”. If the ICO are wrong to claim that wealth screening isn’t something that alumni would reasonably expect, then anyone who holds a contrary view needs corroborating evidence, and it simply isn’t enough to cherry pick metrics from UK-wide surveys. The lack of complaints received when development offices circulate privacy notices that include references to wealth screening also proves little either way, particularly when less than a third of recipients open emails – and fewer still click through. The number who open their mail is unknown, but given the length of some of the privacy notices we’ve been sent ourselves as university donors, the chances of a close reading are small.
It’s time to move on
Instead of tying ourselves in knots to justify wealth screening practices within the law, is it time to consider alternative approaches to donor research? Nick Ellinger of DonorVoice has argued extensively against the reliance on third-party data in audience research, and in our own experience the richest insights have been gained when the information is willingly provided by alumni and donors themselves. It’s certainly easier and less resource-intensive to commission wealth screening specialists than it is to conduct primary audience research, but maybe it’s time to change the way we think and talk about how we gain an understanding of those from whom we seek support.
In the message welcoming delegates to the recent CASE Regular Giving conference, the Chairs wrote:
For the past few years there has been talk about things outside of our control as fundraising professionals – from consent legislation to Brexit to public policy and perception. We feel it is time to refocus on what we do, why we do it, how we can do it better, and what we will do next.
For similar reasons, the theme at the CASE Development Services conference held just a month before was “the supporter experience”, and the Institute of Fundraising held an entire conference on the same topic back in September (with scarcely a mention of GDPR).
The conversation is therefore changing, shifting away from regulatory compliance to the values that we’d like to guide our decisions – not just in relation to data protection, but our wider fundraising practices too. We hope to see more of our colleagues debate these issues and share their views on the subject in 2019 as part of the higher education donor experience project.