If the Facebook data scandal has confirmed one thing, it’s that data really is a new form of currency – and this isn’t just a cliché.
People want to know that their money is secure with their bank – that it will be in their bank account when they go to tap their card to buy something.
Similarly, it’s clear that people also want their data to be secure with the organisations they provide it to – that it won’t be misused, or shared without their consent. Or at least people are very unhappy when it turns out that their data isn’t secure – even if they didn’t pay much attention to the terms and conditions which applied to its use at the time of signing up (I must admit, I’m as guilty of that as others!).
One added challenge with data though is that it’s replicable – I can view the data in my Facebook account, but it can also be copied and shared with others without me even noticing. And that’s how Facebook has landed itself in this mess – a mess which may lead to more regulation of how our data is used by Facebook and other services.
The Facebook data scandal is a reminder that charities also need to be very careful with how they use data, including that of donors.
Charities have actually already had their “Facebook moment” – at least UK ones have – I’m talking about the UK’s 2015 charity fundraising scandal, which was precipitated by the death of 92-year-old Bristol resident Olive Cooke, who was suffering from depression. Prior to her death, Mrs Cooke had been deluged by hundreds of fundraising letters and phone calls from charities. According to her family, these approaches had left her feeling distressed and overwhelmed, although the family did not believe they were the cause of her death.
The tragedy prompted an investigation by the UK’s Fundraising Standards Board (FRSB), a self-regulatory body for charity fundraising which has since been disbanded. The FRSB found evidence of widespread sharing or selling of personal donor data amongst charities or to third party fundraisers, combined with insufficient opt-out procedures. In the months after Mrs Cooke’s death, the FRSB received hundreds of complaints expressing similar concerns.
The actions of a group of charities which misused donor data sent shockwaves across the entire sector. Charities experienced a large drop in trust in 2016, with other scandals around the same time also contributing to this. It was clear that charities’ social licence to operate was placed in jeopardy.
In response, a new self-regulatory body was established to replace the FRSB, the “Fundraising Regulator”. It now manages a “Fundraising Preference Service” which allows members of the public to opt out from being contacted by charities, and administers a tough Code of Fundraising Practice which includes specific provisions about how donor data should be handled. Changes to charity regulation were also introduced through the Charities Act 2016.
So what does this all mean for charities in Australia?
We’re fortunate to have avoided such scandals up until this point. However, there are reports of sharing and selling of personal donor details amongst charities.
How charities use data in Australia is regulated through a combination of legislated privacy laws, sector self-regulation and common sense.
Many Australian charities are subject to the provisions of the Privacy Act 1988 (Cth), which requires them to comply with the Australian Privacy Principles. Importantly, new mandatory data breach notification requirements came into force in February, and charities need to be familiar with them.
The Fundraising Institute of Australia Code also mandates that its members, upon request, provide information about how a donor’s contact details were obtained and assist donors to opt out from receiving further approaches.
The ACNC has prepared excellent detailed guidance on how charities should go about managing people’s information and data. The guidance makes a number of very important points, which focus on a charity’s governance, legal obligations and stakeholder expectations.
Three of these points are extracted below:
Charities rely heavily on public trust and confidence for support. A good relationship with the public and a committed supporter base can take years – even decades – to build, but can take a fraction of that time to fall apart. It is important that a charity’s responsible persons consider the public perception of the way it – or the external service providers it has contracted – collects, stores and uses people’s information and data. Maintaining public trust, confidence and support is crucial for a charity’s work, and good governance practices are the foundation for this.
A charity must be clear about the purposes for which it collects, stores and uses people’s information and data. A charity must not share a person’s information or data with other charities or organisations unless the person has given consent for the charity to do so, or the person would reasonably expect the charity to do so.
Charities should, as a matter of good practice, have a policy that outlines the way they collect, store and use people’s information and data. Such a policy will determine the approach that a charity takes to managing information and data, guide the practices of its staff and volunteers, and provide assurances to its donors, supporters and members. It is good practice for a charity to have this freely available on its website.
Given the Facebook data scandal has focused attention like never before on how personal data can be used and misused, there’s no time like the present for charities to review their own data management practices, and the ACNC guidance is an excellent starting point for that.
Effective data management practices are essential to ensure that charities retain their social licence to operate. The most important currency for charities is trust, and poor data management practices can very easily jeopardise that trust.