ICO to investigate charities and fundraising agency over cold calling customers
The Daily Mail has recently reported that the fundraising agency Go-Gen, which carries out campaigns on behalf some of the UK's largest charities, has been making unsolicited calls to households registered with the Telephone Preference Service ("TPS"). The British Red Cross, NSPCC, Oxfam and Macmillan have all been accused in the report of hounding vulnerable people, including those with dementia, for money despite being on an official 'no-call' list.
The report has resulted in an investigation by the Information Commissioner's Office ("ICO") for potential data protection breaches. Stephen Eckersley, the ICO's Head of Enforcement, commented that "On the face of it this could be a breach of both the Data Protection Act and the Privacy and Electronic Communication Regulations ("the Regulations"). We will be launching an investigation into the call centre and charities involved."
The ICO will have to determine if and how the individuals on the 'no-call' list otherwise provided consent for the call. The Data Protection Act 1998 ("DPA") does not define consent but national courts are required to interpret consent by reference to the Data Protection Directive which defines consent as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed." The Data Protection Directive also provides that in order to be valid, consent must be unambiguous.
Under the ICO Guidance, organisations cannot make live unsolicited marketing calls where the number has been registered with the TPS. The TPS therefore acts as a general opt-out of receiving marketing calls. This can be counteracted if the individual has specifically told the organisation that they do not object to their calls, for example, by ticking an 'opt-in' box agreeing to that organisation's marketing calls, or by signing up for a service where there is a clear and prominent statement that doing so indicates that they do not object.
It is yet to be seen whether the procedures adopted by Go-Gen and the charities detailed above fall foul of the DPA or the Regulations but the story certainly acts as a warning to other organisations who should review their policies and procedures and ensure that they are compliant with the DPA and the Regulations. Where an organisation wishes to call an individual registered with the TPS, the organisation must be able to demonstrate that that individual has taken positive steps to consent to that call. Opt-in consent is always the best way to achieve this.
If the ICO finds that there has been a breach of the DPA or the Regulations the maximum penalty it can levy is £500,000. The law was recently amended to reduce the evidential burden on ICO so that it no longer has to show "substantial damage or substantial distress" before imposing a fine in respect of a serious breach of the Regulations which relates to cold calling (and other forms of unsolicited direct marketing). This makes it easier for the ICO to issue substantial monetary penalty notices where it feels appropriate to do so.
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.