Data protection and fundraising

How to collect, store and use people's personal details.

Major data protection law reform is happening in 2018. Find out more and how to prepare for the GDPR from the Information Commissioner's Office, and see our links below.

You should assume that any fundraising appeal made directly to individuals is covered by the Data Protection Act. This includes any unsolicited contact by post, phone, email or text message. This is covered by the act because you are using donors’ personal information.

It does not matter where your list comes from – your own members, people who have made enquiries, a bought-in list etc. The best way to ensure compliance (and good practice) is to get things right from the moment you start to compile the list. Start with your data capture forms, on paper, online and from phone calls.

Keep people informed on data usage from the start

Before people give you their details, they should know that you might use their information for fundraising or marketing. A simple declaration may be enough, for example: ‘We will keep your details so we can contact you about our future activities and how you can support us’.

Make it clear who you are collecting the information for (for example, for both a charity and its trading company).

Be ‘fair’ about using data

You can only use data in ways which are ‘compatible’ with the original purpose(s) it was obtained for. Data collection must be transparent. If you have people’s details already and have not told them you might use the data for marketing or fundraising, you may need their consent. Think carefully about how best to approach people in this situation. Take advice from the Information Commissioner’s Office (ICO) as necessary.

Give people the opportunity to say no

If someone ever tells you they do not want their details used for marketing or fundraising, you must ensure they are not contacted. Don’t leave it for them to tell you. At minimum offer an opt-out tick box when you collect data. If this is not possible, tell them an easy way to opt out.

It is an offence to make a cold marketing call to a number on the Telephone Preference Service (TPS) register unless you have specific permission from the individual. There is some doubt over whether fundraising counts as marketing for TPS purposes (it almost certainly does for data protection purposes).

People may consider marketing or fundraising by phone, email or other electronic means more intrusive. It is best practice to get positive consent for these forms of contact (opt in). This is required for donations, but for events and merchandise sales etc, an opt out may be acceptable. Regular contact by email – even a newsletter that is not strictly marketing or fundraising – should always contain instructions on how to unsubscribe.

Share data carefully

Whenever data leaves your organisation for any reason you must take adequate security measures to prevent it getting lost or falling into the wrong hands. This means:

  • always use the most secure means of transfer available in the circumstances: for example, VPN (not email), courier or registered post (not ordinary post)
  • minimise the quantity and extent of data involved. Exclude any individuals or data items that are not required for the purpose
  • encrypt data and password protect the file or media on which the data is transferred. This reduces accessibility if it falls into the wrong hands. Security requirements vary depending on the nature and size of the data being sent. The ICO can provide advice on this.

If you buy in or swap lists you must be satisfied the people concerned have been told and have not opted out. For email lists they must always opt in. When you buy or rent a list, ask for a written warranty that appropriate consents are in place.

If you are going to share or sell data you must always tell people in advance that this will happen. Indicate the type (and, for regular transfers, the identity) of organisations you will pass the data to.

If you send data to a third party for processing (for example, an agency that will make the calls or a mailing house to send out information) you are responsible for what happens to it. You must make sure the processor has proper security and will only use the data for the purposes you have authorised.

If you share data with an organisation overseas (possibly even when you put it on a website where it is accessible overseas) you must comply with the rules for transferring data abroad.

Everyone has the right to see their personal records. You can charge up to £10, and you have 40 days from a written request to send them.

Every website must have a privacy statement explaining how you use personal data. Ensure it is up to date, accessible and covers all your main responsibilities.

If you take money from people by credit or debit card, make sure you are familiar with the Payment Card Industry Data Security Standard (PCI DSS).

Source: Published with permission from the Directory of Social Change.

Get more help

Guidance on creating data protection policies in our Knowledge bank

NCVO's good practice recommendations on how charities should communicate with their donors for fundraising purposes, including how they manage and use donors’ personal data.

NCVO offers training on data protection and using data – check out our latest events

A specific guide on Fundraising and Data Protection Reform from 2040 Training

The Institute of Fundraising has guidance on GDPR: The Essentials for fundraising organisations

Page last edited May 10, 2017
