1. The University of Southampton is a leading UK teaching and research institution with a global reputation for leading-edge research and scholarship across a wide range of subjects in engineering, science, social sciences, health and humanities. The Office of Development and Alumni Relations maintains strong relationships with graduates and supporters, with a global network of over 200,000 alumni.
2. Higher Education Institutions (HEl's) philanthropic giving continues to grow, supporting ground-breaking research, solving global problems and enabling students to continue education and benefit from enhanced student experiences. UK universities' philanthropic giving has reached record levels surpassing the £1 billion-a-year milestone for the first time. The development of philanthropy is fundamental in ensuring the long term sustainability of HE ls; a sector that contributes over £73 billion per year, nearly 3% of UK GDP, and supports 750,000 jobs (Universities UK Report).
3. If explicit consent at granular levels is a requirement for Universities to hold and process data on their former students and supporters, the unintended consequences of this will be a dramatic decline in the level of engagement from alumni and supporters and a significant decrease in philanthropy to Universities.
4. Defining Universities as "Public Authorities" under GDPR has significant impact in not being able to use legitimate interest as the bases for processing data. Moving to a consent only model would harm the relationship between graduate and institution and have a detrimental impact on an institutions ability to raise funds. This would lead to a change in the UK Higher Education marketplace, where UK HE ls would see a drop in funding, potentially becoming less globally competitive and put at a serious disadvantage in attracting the best and brightest students from across the globe.
5. This feedback will look at Theme 9 (Rights and Erasures) and Theme 12 (Processing od Data)
6. This feedback requests 4 considerations for derogation, given the power of secondary regislation of the member state:
a) HEl's should not be classified as public authorities under GDPR.
b) Research using publicly available data should be permitted.
c) Consent is not required for informational emails.
d) Where consent is required, a single consent for all e-marketing in HEls, valid indefinitely (until withdrawn) should be permitted.
Article 22 -Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Article 4: Definitions:
'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
1. Under these definitions, we would consider that the 'research' completed in HEls Development Offices (Fundraising and Alumni Relations) is not considered to be 'Profiling' and would therefore not need explicit consent.
2. Development Offices carry out various forms of 'research' using information provided by alumni and supporters, publicly available information or information from reputable third parties. This research helps to develop a 'profile' of an individual. These profiles help us to develop our programmes, generally and in relations to groups and individuals -what events to offer, how to improve engagement, developing volunteering opportunities and potential philanthropic interests and capacity.
3. In most instances, the 'research' focuses our graduates and therefore an existing relationship exists. The 'research' may take place at any time in the individual's lifetime for the specific purpose -for example, we may have an event to support the career development of graduates in Engineering. We may use a variety of methods to identify which graduates may be interested in this to promote it to them (eg those who graduated in engineering, those who are identified as having a career in engineering, those who may be in their early stages of their career).
4. We also use this information to help ensure that we do not approach prospective donors with proposals which are beyond their financial means, and to help ensure that proposals address their interests and philanthropic ambitions. Without this 'research' it would not be possible to raise the significant philanthropic giving required to fund HEI research in the public interest.
5. The likely effect on the data subject is critical in defining if the activity is 'fair'. Our fund raising staff do not perform 'profiling' that constitutes a legal or significant effect. We believe that 'Automated profiling' would include an algorithm that decides an outcome (eg a mortgage, a credit card approval). "Automated" means that an action is beyond the data subject's control. In Fundraising, no profiling will result in an outcome beyond the data ubject's control - eg we may ask for a donation because of the results of some profiling, but it would be entirely the data subject's decision to respond to that request. We therefore consider that these fund raising 'research' activities are not considered automated profiling.
6. The definition of whether Universities will be a public authority is important here because "public authorities may not rely on legitimate interests". However, in recent conversations with the ICO, their suggestion has been that as a Hybrid Body "you could still consider
'legitimate interests' as a potential basis" (ICO Consent Guidance and Consultation). We would like clarity that HEls may continue to rely on legitimate interest as a legal basis for processing personal data for fundraising and alumni relations. Ideally this would be confirmation that HEls are not public authorities.
• If consent is our only available legal basis, then for HE ls who all have genuine reasons to stay connected with their graduates, there will be unintended consequences of potentially cutting off engagement beneficial to the individual such as event invitations, career support, and so on, appropriate to different life stages. Additionally, if consent is our only available basis, engaging with potential supporters and donors is also significantly at risk.
• Legislation is required to clarify that either HE ls are not public authorities for GDPR purposes or what tasks are and are not tasks carried out in the public interest. The legislation should clarify that, for HEls, tasks carried out in the public interest or under Article 6(1)(e) are equivalent to the tasks expressly excluded from reliance on Article 6(1)(f)
7. We consider that, with sufficient Privacy Notices, it is 'fair' for Charities and HEls to process publicly available information to ensure that they do not approach people with proposals that they cannot afford, and to ensure that proposals presented to those capable of making significant philanthropic gifts address their philanthropic ambitions.
• Not conducting due diligence research using publicly available information will have the opposite consequence to that intended as it will stop us understanding the kind of philanthropic opportunities in which individuals may be interested, meaning prospective donors will receive proposals not of interest or beyond their financial means.
• If a consent only model is required, it is highly burdensome and therefore not in the interests of prospective donors to be asked for consent from many different charities to process publicly available personal data in the absence of a specific proposal that may be of interest to them.
• Prospective donors with the capacity to make significant philanthropic gifts expect appropriate research on their publicly available personal data and warmly welcome specific proposals appealing to their interests and philanthropic ambitions.
• Prospective donors have the right to object to further processing of their personal data if the proposal if not of interest.
8. Major gift fundraising relies on the ability to approach someone who may be interested in a cause, and have the capacity to give. In a consent only model, you could not research someone to find if they are potentially interested and have a capacity if you do not have their consent. But you cannot contact them to ask for consent because you would have to research them first to identify them. This jeopardises the future of philanthropy in the UK.
9. There is substantial evidence to show that high net worth individuals are not surprised to be approached by charities and are in fact put off by naive ill-prepared approaches. Please refer to the Good Asking Report, Dr Beth Breeze, 2017.
10. Where consent is required, to invite participation by email (event invitations, volunteering opportunities, philanthropy), we will conclude that it is "fair" for charities and HEls with a rich and multifaceted relationship with their supporters to hold for each person a single consent for processing personal data, and a single consent for direct electronic marketing.
• Supporters do not want to be asked continually for fine-grained consent.
• Tying preferences to fine-grained legal consents will severely hamper the rich relationship that is valued by supporters, ultimately reducing philanthropic funding for research in the public interest.
• Charities with rich and multifaceted relationships have no desire or interest in communicating with supporters in ways that they do not welcome, and have long standing mechanisms in place to gather and manage contact preferences.
• Supporters always have the right for their personal information to be deleted.
11. Where consent is required, we would consider it "reasonable" that consents held for alumni and supporters to be valid indefinitely (until withdrawn):
• Alumni and supporters value their lifelong relationship with HE ls.
• Alumni and supporters have frequent interactions with their HEI, providing opportunities to express their wishes and exercise their rights.
• Alumni understand and accept that the benefits and services they enjoy in their early careers are part of their lifelong relationship with their HEI, and that in later life they may well wish to make philanthropic gifts.
• An "opt out" for every communications is made available to recipients
12. Derogations sought include:
a) Secondary legislation required to determine HEls not a public authority under GDPR or what tasks are and are not tasks carried out in the public interest, clarifying that, for HEls, tasks carried out in the public interest or under Article 6(1)(e) are equivalent to the tasks expressly excluded from reliance on Article 6(1)(f).
b) Research using publicly available data for philanthropic purposes is permitted provided it does not cause significant impact on the data subject, and where existing relationships exist, data subjects are aware of the activity through well promoted Privacy Notices.
c) Consent is not required for informational emails.
d) Where consent is required, a single consent for all e-marketing in HEls, valid indefinitely (until withdrawn) will be compliant.