How to ensure you collect data ethically

Collecting data is vital to helping charities improve, fundraise, and deliver services to beneficiaries.

 

But in embracing data analytics, charities need to ensure they are collecting information ethically.

 

Data can involve details to help charities’ fundraising and service delivery, through surveys and interviews as well as gathering personal information relating to people’s health and wellbeing.

 

People trust charities to look after their data and the sector has a duty to ensure the information is protected.

Here we look at some of the main pieces of advice for charities to ensure they are collecting their data ethically.

 

 

Know the law

 

Charities need to comply with latest legislation and regulations around the collection and storage of data.

 

In the UK the key legislation is the General Data Protection Regulation (GDPR). This EU law was introduced into the UK in 2018 and has been incorporated into UK data protection legislation since Brexit. GDPR sits alongside with the Data Protection Act of 2018 to enshrine data protection in law.

 

A main principle of GDPR is ensuring there is a legitimate interest to collecting data. This is where the organisation has a legal reason to collect data that is within the law, fair, and transparent.

 

UK information watchdog the Information Commissioner’s Office (ICO) urges organisations to apply a three-part test to consider the legitimacy of collecting data. This involves assessing the purpose of collecting the data, whether data collection is necessary and ensuring its collection is not at odds with an individual’s interests.

 

 

Gain consent

 

Another top ethical consideration when collecting data is to obtain consent. The ICO advises that consent should mean to offer individuals “real choice and control”.

 

It adds: “Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”

 

Among advice for charities is to check their consent practices and ensure they meet standards of consent laid out in GDPR. This should focus on the need for ‘positive opt in’. Charities need to steer clear of using pre-ticked boxes that assume consent is there. Ticking such boxes and giving consent is up the individual, not the charity.

 

In addition, consent requests need to be kept separate from other terms and conditions and be clear and concise. Consent to collect data should not be a precondition of a service. There also needs to be an easy way for people to withdraw consent and be clearly told how to do so.

 

Charities are advised to keep evidence that consent has been given, to protect themselves legally.

 

 

Which data to keep or remove

 

A general principle of ethical data collection is not to keep information for longer than necessary. Charities need to be able to justify the collection of data at all times. If data is no longer needed for a specific purpose, then it needs to be removed.

 

Good practice is to periodically review data that is being held and erase or anonymise any that is no longer needed. Charities should be aware that individuals have a right under UK charity law to insist their data is erased if it is no longer needed.

 

Data can be kept for longer than the charity needs it, but only if it is in the public interest, such as being part of scientific or historical research.

 

Questions charities need to ask include:

• Why are we holding the data?
• Can we justify how long we can keep data?
• Is there a policy that sets retention limits for unused data?
• Is data being regularly reviewed and erased if no longer needed?
• Can individuals easily ask for data to be erased?
• Can you prove keeping data long term is in the public interest?

 

How to ethically remove data

 

Deleting data means that is destroyed. In the days of paper records this was simpler, as paper could be incinerated.

The situation is more complex with electronic data collection, with the ICO acknowledging that digital data can be removed ethically if information has been put beyond use. This may be because the permanent deletion of the data may be impossible for the charity to carry out.

 

The ICO is satisfied that data has been ‘put beyond use’ even if it has not been completely deleted from a system as long as the charity:

• Is not able to use the data and will not attempt to retrieve it
• Does not give another organisation access to the data
• Data is protected through “appropriate and organisational security”
• Commits to permanently delete information if, or when, this becomes possible

 

Communicating with people

 

Central to ethical data collection is transparency and ensuring people are communicated with. This includes making people aware of their rights around consent and the removal of data, as well as regularly consulting with stakeholders, beneficiaries, and others whose data is collected.

 

Privacy information when collecting data needs to be clear and easy to read. The reason for collecting data needs to be clearly stated too.

 

Remember that communicating with individuals, around how their data is used and collected, is a key requirement of GDPR and UK information law.