Privacy & Cybersecurity Law Blog

On September 2, 2015, the Information Commissioner’s Office (the “ICO”) announced an investigation into the data sharing practices of charities in the United Kingdom. The announcement follows the publication of an article in a UK newspaper highlighting the plight of Samuel Rae, an elderly man suffering from dementia. In 1994, Rae completed a survey, which resulted in a charity collecting his personal data. The charity, in turn, allegedly shared his contact details with other charities, data brokers and third parties. Over the years, some of those charities and third parties are reported to have sent Rae hundreds of unwanted items of mail, requesting donations and, in some cases, attempting to defraud him. The legal basis on which Rae’s details were shared remains unclear, although the ICO has noted that the distribution may have resulted from a simple failure to tick an “opt-out” box on the survey.

The ICO’s investigation has potentially significant consequences for charities and other types of organizations that routinely share personal data with third parties for marketing purposes. The investigation highlights the ICO’s focus on ensuring that valid consent has been obtained before personal data is shared for marketing purposes. In its announcement, the ICO made clear that a mere failure to opt out is not sufficient to validate consent for these purposes. In addition, the ICO noted that it was unreasonable to rely on Rae’s failure to opt out given the significant amount of time that has passed since 1994. The ICO has stated that it will investigate the matter further before deciding what action to take.