CASE STUDY 2/2001
Major charitable organisation – disclosure of donors’ details to a financial institution – pro-active investigation – unfair obtaining – consent
Having heard this interview, I immediately contacted Concern to request an urgent meeting and the meeting took place that same day. At this meeting, I pointed out that personal data held by Concern in relation to its donors should not be used or disclosed in a manner incompatible with the purpose for which the individuals had provided their details. I asked Concern to outline the method used to collect data. The Concern representatives produced a printout from the Concern web site, showing the sort of data requested from subscribers and the ‘opt-out’ boxes used on the form. These ‘opt-outs’ asked (a) if a person wanted to receive any further marketing, or (b) if the person consented to data being shared with “like-minded organisations”. The same questions were asked in postal or telephone variants.
As regards the direct mailing campaign, Concern informed me that they had been approached by a marketing company which had suggested an ‘affinity arrangement’ with the financial institution in question. In essence, Concern would make its list of donors available to the direct marketing company, which would issue special promotional mailings to the individuals on the list. Whenever any individual responded positively to the promotional offer, the financial institution would make a payment to Concern. This scheme appeared to offer advantages to all sides, and the agreement was made on this basis. A confidentiality agreement was put in place between Concern and the direct marketing company, so that no personal data would be disclosed to the financial institution itself.
Having considered the nature of the arrangement, I found that it was unsupported by the necessary levels of consent from Concern donors. I did not accept that a financial institution was a “like-minded organisation” of the sort envisaged in the Concern donation form. Accordingly, the use of the Concern database to facilitate direct marketing by financial institutions was not, to my mind, compatible with the purpose for which Concern had obtained the data, and therefore this was not a legitimate use of these data. Concern fully accepted my viewpoint on this matter; indicated that the process was to cease immediately; and undertook to ensure compliance with the Data Protection Act in future. Concern indicated – and I fully accepted – that they had never intended to be in breach of data protection law or to be in any way disrespectful of their donors’ privacy.
In no way do I, as Data Protection Commissioner, want to prevent the flow of much-needed money to any respectable charity such as Concern. There is no data protection objection to affinity relationships in principle, as long as such relationships are carried out in a proper and transparent manner, including appropriate clear and informed consent. While in this particular instance Concern inadvertently breached data protection law, the prompt manner in which the organisation responded to my unease assures me that Concern take their data protection responsibilities seriously.