Wednesday 18 February 2009

Data protection is a virus



The general obsession with data protection is now pandemic.

Pay attention and you’ll see opt-ins and opt-outs everywhere. No one remembers why they are there, and as defences weaken, the nation’s websites, mailings, ads and emails are becoming increasingly infected.

Charities seem to have fallen prey to a particularly virulent form of the disease.

“[Charity name] promises to respect your privacy. The data we hold is in accordance with the Data Protection Act (1998) … [tediousness tediousness] … not disclose, or share personal information … [endless tedium] … like to keep you informed … [tedious suspicion-raising waffle] … if you do not want to receive … [oh great, here’s my way out] … ticking the box.”

But data protection (DP) rules are actually rather simple.

And more relaxed than most people realise.

On the Information Commissioners’ site, your legal obligations under the Data Protection Act (DPA) are helpfully summarised. The crucial question sits at number two on the list:

‘Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for?’

What I find time and again is that marketers are hamstrung by over-zealous legal, communications or database teams who – and this is the critical point – follow the letter and not the spirit of the law.

Black and white
Sometimes, I acknowledge, the legislation is starkly clear, and in writing this post I am not advocating that you find ways to act illegally. For example, you must have an opt-in for email or SMS contact. Period.

But don’t you also need an opt-in for telephone contact?

Not necessarily.

For cold contacts, new supporters and many existing contacts, yes.

But with existing contacts who have received calls from you in the past and haven’t asked you to stop calling, you can rely on ‘implied opt-in’. As you can see from the question above, the Information Commissioners would ask you, “how and why did you gather telephone numbers, and would the person reasonably expect a call from you?”

So what about screening against TPS?

Yes, you must screen even existing contacts against TPS (telephone preference service) – although, again, you can rely on ‘implied opt-in’ if they have received calls in the past and not complained … which means you can call these people.

OK, it’s beginning to sound complicated.

The small print
There are eight Principles, upon which hang the entire legislation, documentation and industry of data protection in the UK.

And the second is the most important when considering communicating with your audiences.

“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

…which roughly translates as: “you can get and use someone’s details only if they’ll reasonably know what you’ll use them for”.

In addition, the rule above only applies if at least one of these Conditions is met, and for most marketing purposes this will be Condition 1:

“The data subject has given his consent to the processing.”

Presumably this means marketers do not need women’s consent? (Top tip to the Info Commissioners on inclusive language: edit > replace all > ‘his’ with ‘their’.) Anyway, off my feminist soapbox and on with the task in hand.

It is certainly easy to see how charities get caught in the myriad snares lurking in DP legislation.

In the document ‘Data Protection Good Practice Note – Charities and marketing’ the Info Commissioners outline how they would ideally have non-profits apply the DPA. But in setting out such good practice, they have erred towards a more literal interpretation. The following sentence is a good example:

“When you collect information from people and are in direct contact with them, such as in a phone call or on a website, you should give them an immediate opportunity to object to future contact”

Notwithstanding the point I made above about opt-ins required for electronic communication, this sentence is simply too absolute – if applied literally.

Be reasonable
There is a difference between the letter of the law, good practice, acceptable practice and bad practice or breaking the law. The latter is clearly foolish and will bring reputational and financial damage on you and your organisation.

But to zealous communications and legal teams who insist on strict adherence to the precise wording of the Act or even good practice, I say to you that as the world changes around you, such strict legalism will make your fundraisers’ jobs far more difficult than they already are – and because it will limit funds raised, it will directly threaten your charity’s services.

I say this for two reasons. First, it is clearly not possible in a piece of legislation to envisage and account for every scenario it will be applied to.

But second, and more important, you do not need to be so strict.

The following sentence from the Info Commissioners’ guidance on email marketing referring to opt-ins, and the way in which they need to be worded, is just one example that shows this:

“‘Similar products and services.’ In our view, this means ‘what products and services do you reasonably expect to hear about from this organisation’.”

‘Reasonable’ is something I have found the Info Commissioners to be.

So, to bring this already lively post to life, let me give some examples…

If someone donates to your charity for the first time, in response to a mailing, you do not need to give them an opt-out.
  • Gasp!
  • Yes, that’s right. As long as you aren’t planning to sell their details (in which case you would need one), the supporter would reasonably expect that you will get back in touch – to thank them and probably (given that this is your job) to ask for more money.
  • They would not, however, reasonably expect you to send them something every week, call them each month and knock on their front door at Christmas.

Similarly, when someone replies to a press ad that is offering information on legacies, you do not need an opt-out.
  • Really?
  • Yes, that’s right.
  • The supporter would reasonably expect you to contact them with the information – unless they think you’re rude.
  • And they would also reasonably expect that you’ll follow them up, not least to see if they have any further questions – or simply to check whether it arrived.
  • Nor is it unreasonable to send them occasional updates on your work.
  • They would not, however, reasonably expect to start receiving monthly appeal mailings, campaigners mailings, Christmas card catalogues and weekly phone calls.

And, just to be clear, in each of the above examples, if you wanted to call, text or email them, you would need an opt-in … although the following is sufficient: “Where you can contact me” – under the line asking them to write their email address or telephone number.

To further illustrate the dangers of over-application of the DPA to charity marketing, two recent examples come to mind.

The first is from a large national charity who, until very recently, included an opt-out on every piece of mail communication to donors. Every newsletter, appeal letter and thank you letter included a tick box, offering them the chance to become ‘no-mail’. This was lunacy. Even though supporters have the best of intentions when they opt out – “it will save them money,” they think – they invariably give less as a consequence.

The second was the enquiry form on the legacy pages of a major UK charity’s website. Beautifully designed, with award-winning usability, the site’s effectiveness was ruined on the final screen. Just before hitting ‘submit’ the visitor was presented with three DP clauses. The first was an opt-in for email and telephone and the second was a lengthy explanation and an opt-out for them selling your details. But the worst shooting-themselves-in-the-foot moment came with the third, which required an opt-in: “Keep me informed of [charity name] products, offers and appeals by mail”. Somewhat unsurprisingly, most enquirers were no-mail – which meant the system flagged them as being unable to receive even the materials they had requested.

As I hope I have illustrated, the Information Commissioners are most interested in your overall treatment and protection of supporters’ data. They want to see that you will communicate with people in a way they would reasonably expect.

When your hands are tied
You could, if you really wanted to follow best practice, add a line to recruitment pieces saying something like, "We promise to look after your details in line with the Data Protection Act, and will not share personal information supplied by you with any third party organisations without your consent."

And from time to time (e.g. somewhere on your website and annually by post) you could tell existing supporters: “We promise to look after your details in line with the Data Protection Act, and will only use them to contact you about our work. If you would like to tell us how you would prefer to hear from us, please contact us here….”

Finally, at all times you must be able to demonstrate that the supporter is always able to contact you to opt out of further contact … and that you have systems in place to ensure that you can administer their wishes.

If you have specific questions – or if you can't believe that what I have written can be true – the Information Commissioners’ helpline is incredibly helpful: 08456 30 60 60. They will happily discuss any specific issue you may be facing.

As you’ll hear if you call them, one of the phrases they will use most is, “what would the customer or supporter reasonably expect?”

Very important stuff this. Interesting, isn’t it?

1 comment:

Amanda Santer said...

Very interesting, Matt - it can all be very confusing, though the principles are all rather straightforward - all in the interpretation I guess.

But with everything - there should be a journey, a personal Data journey and all organisations need to be clear on what that is from collection to disposal.

One thing for me also is the lack of information on how people disenable cookie technologies on websites that use them - at the very least refer them to aboutcookies.org.

Thanks Matt.