
D&A - Compliance with PECR, Etherington & Data Protection Regulation

Proposal Sponsor: 
Paul Weighand & Jenny Shaw

Overview

There are three separate strands with related regulatory changes at present:

  • The Privacy and Electronic Communications Regulations (PECR)
  • The Etherington review of how charities are regulated
  • The draft EU Data Protection Regulation

The University will need to ensure compliance with any new rules, and be able to demonstrate this, in order to continue to be able to contact alumni and supporters.

What would happen if the project did not take place?: 

If the project did not happen, there are a number of potential risks the University must consider accepting:

  • Exposure to fines and/or sanctions, up to being ordered to stop using the database for fundraising purposes, by the Information Commissioner’s Office (ICO)
  • Damage to the University’s reputation
  • Significant negative impact on the University’s philanthropic goals
  • Significant negative impact on the University’s goal of building a Lifelong Community
  • Student satisfaction could be adversely affected by not being able to provide networking, employment and mentoring opportunities with alumni
Who does it affect?: 

This would impact on:

  • Communication with all current and future alumni, General Council members, supporters and other contacts held on the D&A database (in the region of 2.6 million outward communications per year, including 500,000 emails)
  • Future students' employability and mentoring opportunities
  • All fundraising activity generating income for the University of Edinburgh Development Trust, including for scholarships and bursaries for students and for development projects across the University
  • Alumni engagement activity for Colleges and Schools

D&A will need to implement the changes with our external database supplier, Access Group, with some support from IS Apps.

Why is it needed/What are the benefits?: 

As well as the vast amount of data held on our alumni base, the D&A database, thankQ, holds qualitative data on more than 4,300 major gift prospects and supporters, consisting of alumni, private individuals, trusts, corporates and other organisations. This puts the database in the region of £700 million potential philanthropic gift capacity. Last year we secured more than £17 million in new cash and pledges.

The misuse of data could lead to punitive measures by the ICO; data management is therefore exceptionally important. We are currently working with colleagues in Records Management to ensure that we are compliant in our data protection obligations. We have also begun consultation with other colleagues to gather information about the various touchpoints we have to communicate with students about developing their lifelong relationship with the University and continuing this after graduation.

BI/MI requirement?: 

N/A

External costs?: 

There will be external supplier costs in making the changes to the alumni portal channels and web donation pages linked to the golden copy alumni database, thankQ, with ongoing support maintenance costs. As we don’t yet know the scale of the changes that will be required, it’s not possible to provide accurate costs. Taking into account the current day rate of our database supplier and previous changes made to the portal and web pages, this could be a minimum £20,000 cost over four years.

Compliance justification (if relevant): 

Some potential changes in the various proposed legislation which would require updates to supporting systems include:

  • Creation of a new Fundraising Regulator would lead to some associated financial levy on fundraising expenditure for Edinburgh. (Etherington Review specifically)
  • Creation of a Fundraising Preference Service (similar to TPS) would potentially prohibit Edinburgh from contacting anyone registered with the service. (Etherington Review specifically)
  • Profiling allows Edinburgh to target activity based on the attributes of personal data held. The final outcome on this is still uncertain. Advice from Records Management is that it is almost certain that we will have to tell people that we profile individuals and give some information about the sort of profiling and its envisaged effect. There may well be a right to object to profiling.
  • Explicit consent to contact in all cases is the worst case scenario and would require a substantial effort to tackle if this becomes a requirement. Records Management colleagues have advised that we should not alter our processes now, as the draft legislation has not yet been finalised.

Draft EU legislation should be finalised in 2016 and will come into force before 2018: http://ec.europa.eu/justice/data-protection/

A response to the Etherington review has yet to be published by the current government: https://www.gov.uk/government/news/fundraising-self-regulation-review-published-ministerial-statement

Fit with University strategy: 

This development is required to:

  • enable the University to continue building an informed, engaged and supportive international community of alumni and supporters, promoting the University’s achievements both locally and globally
  • provide networking, employability and mentoring opportunities for students
  • achieve the University’s goal of doubling philanthropic income in five years

http://www.docs.sasg.ed.ac.uk/gasp/strategicplanning/201216/StrategicPlan201216.pdf

The above development supports the University Strategy in the following areas:

Goals - Excellence in Education

Enablers - Infrastructure

Themes - Outstanding Student Experience

Themes - Lifelong Community

Planning Status: 
Approved
Portfolio: 
USG
Planned Start: 
16/17
Multi-Year: 
Yes
Project Owner: 
USG
Procurement > £50K: 
No
Funding Source: 
Core Grant
IS Admin Tab
Estimation Reference: 

Notes from estimation meeting November 2015:

As this is not likely to impact software development, and will primarily be in relation to promoting code related to channels which ThankQ will develop, this is most likely to be of type infrastructure and have an estimation of SMALL. This is reasonably confident as it's similar to previous work, as long as the assumption that very minimal software development time is needed is valid.

What is it that Etherington has been investigating and why do we have to comply?

It’s wider than Etherington: there are 3 strands that we would need to comply with. The Privacy and Electronic Communications Regulations (EU) determine whether or not we can contact people electronically – we need consent to be able to contact people. For phone, we also have to screen for the Telephone Preference Service – record and contact/not. We only need explicit consent for email marketing, e.g. fundraising email.

Etherington is looking at the way that charities are regulated. There will be a new charity regulator and we’ll likely have to pay a levy to support the regulator. There is a potential for setting up a fundraising preference service similar to TPS so we’ll need to gather and record that information too.

Draft EU data protection regulation will look at matters of consent across the board for all communications. That will include profiling, so may need to understand people’s preference for being profiled.

We need to try and gather consent before this becomes law, so that we can contact those who are in our database – with good quality information that says that people are happy for us to contact them. Tick boxes don’t work, so we need a range of ways to gather the information qualitatively.

What are the timescales that the changes will be needed in?

The changes are currently in draft legislation. Advice from Records Management is that it will be 2017/18 when the real effect will take place. We need to be in a position before that. Not expecting work prior to July 2016 – planning for 16/17 is reasonable.

What are the likely changes needed?

ThankQ portal channels – where we capture contact and employment details and mailing preferences. Going to need to revisit those portal channels and make changes, and have those changes fed into ThankQ.

Online donation pages on the website – need to look at the buttons they click and store more qualitative information and feed back into ThankQ.

May need to look at web forms or other to ask questions, record and analyse – surveying.

How much of the changes are likely to be for ThankQ to do, and how much IS Apps?

Web forms for donation - development by ThankQ.

Portal – most development on the ThankQ side.

Which of the MyEd channels are expected to be impacted?

  1. Alumni directory - unlikely
  2. Alumni keeping in touch – likely revisit
  3. Alumni update personal details – likely revisit
  4. Alumni messaging service - unlikely
  5. Alumni card sign up - unlikely
  6. Alumni admin – No - no longer used

Is there any BI reporting needed?

Not aware of any current reporting requirement from BI, no need identified at the moment.

Estimation Type: 
IT Infrastructure
Estimation Confidence: 
Reasonably Confident (similar to previous work)
Estimated IS Apps Days: 
Small
Estimated Business Partner Days: 
Medium
Impact on other service area: 

Development & Alumni will liaise with the other areas of the University that may be impacted: this could include recruitment and admissions and student systems as well as IS for potential changes to the computing regulations, dependent on the compliance requirements that emerge.
