Thank you for contacting the Information Commissioner’s Office. We confirm
that we have received your correspondence.

If you have made a request for information held by the ICO we will contact
you as soon as possible if we need any further information to enable us to
answer your request. If we don't need any further information we will
respond to you within our published, and statutory, service levels. For
more information please visit [1]http://ico.org.uk/about_us/how_we_comply

. 

If you have raised a new information rights concern - we aim to send you
an initial response and case reference number within 30 days.

If you are concerned about the way an organisation is handling your
personal information, we will not usually look into it unless you have
raised it with the organisation first. For more information please see our
webpage ‘raising a concern with an organisation’ (go to our homepage and
follow the link ‘for the public’). You can also call the number below.

If you have requested advice - we aim to respond within 14 days.

If your correspondence relates to an existing case - we will add it to
your case and consider it on allocation to a case officer.

Copied correspondence - we do not respond to correspondence that has been
copied to us.

For more information about our services, please see our webpage ‘Service
standards and what to expect' (go to our homepage and follow the links for
‘Report a concern’ and ‘Service standards and what to expect'). You can
also call the number below.

If there is anything you would like to discuss with us, please call our
helpline on 0303 123 1113.

Yours sincerely

The Information Commissioner’s Office

Our newsletter

Details of how to sign up for our monthly e-newsletter can be found at
[2]http://www.ico.org.uk/tools_and_resource...

Twitter

Find us on Twitter at [3]http://www.twitter.com/ICOnews

The ICO's mission is to uphold information rights in the public interest.
To find out more about our work please visit our website, or subscribe to
our e-newsletter at ico.org.uk/newsletter.

If you are not the intended recipient of this email (and any attachment),
please inform the sender by return email and destroy all copies without
passing to any third parties.

If you'd like us to communicate with you in a particular way please do let
us know, or for more information about things to consider when
communicating with us by email, visit ico.org.uk/email

References

Visible links
1. http://ico.org.uk/about_us/how_we_comply
2. http://www.ico.org.uk/tools_and_resource...
3. http://www.twitter.com/ICOnews

15 March 2017

Case Reference Number IRQ0668389

Dear Ms Bowles,

I write in response to your email of 17 February 2017 in which you
submitted an information request to the ICO. Your request has been dealt
with under the Freedom of Information Act 2000 (FOIA) and our response is
below.
 
Your request
 
In your 17 February email you asked;
 
“The document circulated to attendees at the Fundraising and Regulatory
Compliance Conference held on 21 February 2017 referenced at
https://ico.org.uk/media/2013426/fundrai...
contains on page 8 the assertion that "Wealth screening is the kind of
processing that individuals are highly unlikely to expect as a result of
their charitable giving. They would not reasonably expect that such a gift
would lead the charity to profile their wealth to see whether they’d
increase their donations or leave a legacy donation.

Please give details of the evidence base which ICO has used to make this
statement.”
 
Our response
 
There is no specific “evidence base” held by us in respect of the
statement at page 8 of the ICO’s fundraising and regulatory compliance
conference paper.

You will be aware that the practice of wealth screening was a factor in
our decision to issue monetary penalties to both the RSPCA and the British
Heart Foundation. 

The Data Protection Act 1998 requires data controllers to be transparent
with individuals about how their information will be used. Our
investigations identified that donors were not provided with sufficient
information by these charities to enable them to understand what would be
done with their personal data. The charities fair processing information,
which is usually included within privacy notices, should have provided
information on this. The fact that it didn’t meant that donors could not
reasonably expect this type of processing of their personal data and they
could not therefore make an informed decision and exercise their rights
over their personal data.
 
It is important to note the ICO's function in regulating the Data
Protection Act 1998 (DPA). Section 55A of the DPA gives the Commissioner
the power to serve a monetary penalty where the Commissioner is satisfied
there has been a serious contravention of the law. The evidence for the
penalties issued to the two charities is set out clearly in each penalty
notice.
 
Section 55A also sets out the appeal rights for a data controller. These
include the opportunity to make representations to us before we take
regulatory action, and a Tribunal system that will review cases based on
either the issue of the penalty or the amount. I can add that neither
charity chose to exercise this appeal right.
 
It may be of interest if I add that the law requires the Commissioner to
prepare guidance on how fines will be issued. You can find this guidance
on our website here
[1]https://ico.org.uk/media/for-organisatio...

Additionally further information is contained in our Data Protection
Regulatory Action Policy available on our website here
[2]https://ico.org.uk/media/about-the-ico/p...
  
I'd particularly draw your attention to page 3 of this policy, which
explains that the typical initial drivers of enforcement are not limited
to complaints raised with us, particularly when processing is hidden from
view, where individuals have little or no choice and where sensitive
personal data are involved. Page 5 lists the criteria we consider when
assessing whether to take enforcement action and the guidance does not
require us to evidence each criterion.

This concludes our response to your request I hope that the explanation
provided is helpful.

Next steps / review procedure

If you are dissatisfied with the response you have received and wish to
request a review of our decision or make a complaint about how your
request has been handled you should write to the Information Access team
at the address below or e-mail [3][ICO request email].

Your request for internal review should be submitted to us within 40
working days of receipt by you of this response. Any such request received
after this time will only be considered at the discretion of the
Commissioner.
 
If having exhausted the review process you are not content that your
request or review has been dealt with correctly, you have a further right
of appeal to this office in our capacity as the statutory complaint
handler under the legislation. To make such an application, please visit
the ‘Concerns’ section of our website to make a Freedom of Information Act
or Environmental Information Regulations complaint online.
 
A copy of our review procedure is available here
[4]https://ico.org.uk/media/about-the-ico/p...

Yours sincerely
 
Steven Johnston
Lead Information Access Officer
 

The ICO's mission is to uphold information rights in the public interest.
To find out more about our work please visit our website, or subscribe to
our e-newsletter at ico.org.uk/newsletter.

If you are not the intended recipient of this email (and any attachment),
please inform the sender by return email and destroy all copies without
passing to any third parties.

If you'd like us to communicate with you in a particular way please do let
us know, or for more information about things to consider when
communicating with us by email, visit ico.org.uk/email

References

Visible links
1. https://ico.org.uk/media/for-organisatio...
2. https://ico.org.uk/media/about-the-ico/p...
3. mailto:[ICO request email]
4. https://ico.org.uk/media/about-the-ico/p...