Legitimate Interests Assessment

Smile Train UK's use of Facebook custom audience and Facebook lookalike audience programs

What is this document?

Like many charities, Smile Train UK proposes to use Facebook’s commonly-used social media advertising technology in order to present its fundraising appeals to its supporters who are Facebook users, or to identify new supporters on the Facebook platform.

Under data protection law in the UK, we require a 'lawful basis' to use individuals' personal data to do this. One such lawful basis is ‘legitimate interests’, which allows us to use personal data where (a) we have a legitimate interest in doing so, (b) the use of data is reasonably necessary to pursue that interest and (c) this does not unduly impact on individuals’ rights and freedoms.

This document is a 'legitimate interests assessment'. It explains our thinking behind whether we can rely on legitimate interests to undertake this activity.

Introduction – application of data protection law to the activities

Smile Train UK (“STUK”) plans to use the Facebook Custom Audience (“FCA”) and Facebook Lookalike Audience (“FLA”) tools (the “Audience Tools”) to send targeted promotional material (including fundraising requests) to existing and prospective supporters.

Use of the Audience Tools involves processing existing and prospective supporters’ personal data.

We have considered whether rules under e-privacy law require us to obtain consent. In brief, we do not consider that we are obliged to obtain consent under e-privacy law.

Executive Summary

  • This LIA considers whether STUK can rely on legitimate interests as its lawful basis under Article 6 GDPR for processing personal data in order to use Facebook’s social media marketing tools, ‘custom audience’ and ‘lookalike audience’.
  • The LIA concludes that the three-stage test which STUK must meet in order to rely on legitimate interests is met, as follows:
    • STUK has a legitimate interest, namely to more efficiently raise funds for its charitable objectives.
    • The processing of personal data to target individuals on social media is reasonably necessary in order to pursue that interest. Whilst STUK could (and does) fundraise using more traditional methods, the presence of social media allows for the legitimate interest to be pursued in a manner which is likely to increase its success.
    • There are some concerns with Facebook’s privacy practices and the risk that some individuals may feel that this activity is intrusive into their privacy. However, this is justified in light of STUK’s legitimate interest, and protections STUK will put in place, such as minimising use of personal data, sharing it securely with Facebook, being transparent in its use, and offering individuals the opportunity to opt out.
  • In other words, STUK considers that, on balance, it can rely on legitimate interests for this activity.

Legitimate interests assessment

We understand that – alongside STUK’s other obligations as a controller – we must be able to rely on a lawful basis under Article 6 GDPR to process existing and prospective supporters’ personal data using the Audience Tools. We consider it neither obligatory nor appropriate to rely on the lawful basis of consent, and therefore consider that the lawful basis of legitimate interests under Article 6(1)(f) GDPR is the most applicable because we plan to use the Audience Tools to help achieve the legitimate interests of STUK and our beneficiaries.

We recognise that using the Programs will impact existing and new supporters’ fundamental rights and freedoms, including their right to data privacy, especially new supporters targeted through FLA who have never interacted with STUK before. We have therefore carried out this LIA to explain the basis of our conclusion that, on balance, the individuals’ fundamental rights and freedoms do not override our legitimate interests in carrying out this activity.

This LIA will be published on STUK’s website, available for review for all affected individuals.

PART 1: PURPOSE TEST

Does STUK have a legitimate interest in using the Audience Tools as planned?

1. Why do we want to process the personal data in question?

To provide promotional or fundraising material to existing or prospective supporters. This will help us to raise funds and other support for our charitable objectives: to help provide treatment and support for children with cleft lips and palates worldwide (for example by training local doctors and providing funding for medical procedures).

2. What benefits do we expect to get from the processing?

STUK will derive the following benefits:

  • engaging with supporters on a modern and popular platform to promote our charitable objectives and ideals;
  • raising funds which enable us to perform our charitable objectives (for example, by identifying people who have an interest in supporting, and have the means to financially support, STUK);
  • better understanding our supporters, their reasons for supporting us, their interests and donation habits;
  • better developing and managing relationships with supporters and contacting them in the most relevant way with the most relevant content; and
  • more streamlined and effective fundraising and supporter engagement strategies, which will in turn help us raise more funds to achieve our charitable objectives on a more sustainable basis.

3. Do any third parties benefit from the processing?

Our beneficiaries. The children suffering from cleft lips and palates worldwide, who would otherwise not have access to treatment and other support, will benefit from the processing if it helps us to raise funds as we intend.

Our supporters. Supporters may benefit from the processing if it offers a more convenient method to engage with STUK. Prospective supporters may also benefit by learning about a cause which resonates with them and which they want to help or get involved with.

4. Are there any wider public benefits to the processing?

Yes. It is in the public interest to ensure that children with medical problems receive treatment sufficiently quickly and of an appropriate standard, and we believe this activity will help to achieve that.

5. How important are the benefits that STUK has identified?

Contacting existing supporters and attracting new supporters by social media is business-critical for STUK, given that individual donations make up a significant proportion of the funds we raise to achieve our charitable objectives. Given the presence of social media, we consider that it will be one of the most effective means available to raise vital funds and encourage other means of support.

6. What would the impact be if STUK could not go ahead with the processing?

Other channels of communication we could use to engage with our existing supporters, and other avenues we could pursue to find new supporters, are not as cost-effective, user-friendly or quick as using the Audience Tools, meaning that we could lose out on vital funds to help treat and support children with cleft lips and palates.

7. Is STUK complying with any specific data protection rules that apply to this processing?

Yes. We understand and shall comply with our obligation to use personal data in a transparent manner. When we collect any personal data directly from them, individuals are presented with our privacy notice. Our privacy notice explains how and why we use individuals’ personal data, and their related rights and options.

We also understand and shall comply with our other obligations as a controller, for example in relation to data security (ensuring that our staff are appropriately trained in how to use the Audience Tools so that they use the hashing and encryption software appropriately, or that donations received after clicking through a Facebook advert are processed with the assistance of a reputable payment services provider who offers sufficient guarantees to protect donors’ personal data) and data minimisation (ensuring that we only upload the minimum amount of personal data into FCA which is necessary to ensure there are enough matches to produce an effective marketing list).

8. Is STUK complying with other relevant laws?

Yes. For example, we comply with applicable child protection law when including individual stories or images in our fundraising appeals, financial regulations applicable to soliciting and processing online donations and applicable fundraising regulations and guidelines.

9. Is STUK complying with industry guidelines or codes of practice?

Yes. We consider that our use of the Programs will be consistent with the Fundraising Regulator’s Code of Fundraising Practice.

10. Are there any other ethical issues with the processing?

We consider that, in fact, there are compelling ethical grounds for us to raise funds to meet our charitable objectives in the most effective, convenient and appropriate manner possible.

PART 2: NECESSITY TEST

1. Will this processing help STUK achieve the stated purposes?

Yes. The use of the Audience Tools will help STUK keep in touch with its existing supporters and establish contact with new supporters in a way which is convenient for, and relevant to, them; as well as raising vital funds in the process.

2. Is the processing proportionate to that purpose?

Yes. If STUK could not contact supporters in this way this could lead to a loss of crucial funds and a lack of supporter engagement, bearing in mind the popularity and presence of social media. We believe that the benefits to STUK, our beneficiaries and our supporters are justified in light of any (entirely legitimate) concerns of individuals who may have concerns about the way in which their personal data is processed.

3. Can we achieve the same purpose without the processing?

We could (at least try to) achieve the same purposes via other means of communication, for example via post, email, SMS or in-person campaigning (some of which we do use simultaneously). However, these other means of communication are not as effective (for example due to the comparative frequency with which people use social media as opposed to checking their email or opening their post, or because the Audience Tools will only serve advertisements to those who have previously expressed an interest in, or are likely to have an interest in, our organisation).

Other means of communication require us to spend more money on trying to solicit greater support – we consider that those funds would be better spent in pursuance of our charitable objectives.

4. Can we achieve the same purpose by processing less data, or by processing the personal data in another more obvious or less intrusive way?

Given modern use of social media, arguably other methods of communication, for example phone, email or letter, could be considered more intrusive forms of direct marketing.

We process the minimum amount of data necessary to use the Audience Tools effectively. It is possible to use the Audience Tools by uploading only email addresses. However, uploading more personal data increases the chances of producing more (and more accurate) matches. In seeking to find this balance, our current proposal is that we will upload only email address, first and last name, phone number, city, state, zip/postal code and country. We have considered the risk that in doing so, we could be providing personal data to Facebook which Facebook does not currently have. However, we consider this risk to be safeguarded by the fact that (a) Facebook deletes hashed information once the audience is built, and (b) Facebook makes assurances on its website that it does not “learn any new identifying information about your customers” – which we understand to mean that Facebook does not keep this information and add it to its existing user profiles.

PART 3: BALANCING TEST

Is STUK’s legitimate interest outweighed by the rights and freedoms of the individuals whose personal data will be processed for Audience Tools?

Nature of the personal data

1. Is it special category data or criminal offence data?

No. The personal data which we upload into the Audience Tools will be existing supporters’ email addresses, first and last name, phone number, city, state, zip code and country.

2. Is it data which people are likely to consider particularly “private”?

Individuals may prefer us not to pass on their personal data to a third party for the purpose of receiving advertising. This is why in our privacy notice we explain that we may use personal data for promotional and marketing purposes, and offer them a clear and straightforward means of opting out of using their information for these purposes.

We do not consider that the information which Facebook accesses (at our instigation) is information that people would consider particularly private because they have provided it to Facebook where it is subject to the individuals’ privacy preferences.

3. Is STUK processing children’s data or data relating to other vulnerable people?

We do not intend to process personal data of children or vulnerable people for the purpose of using the Audience Tools, but will implement appropriate technical and organisational measures if we become aware that we are doing so.

We do not deliberately seek donations or other support from children, but where children wish to donate and it is appropriate in the circumstances, we do not want to preclude them from doing so. We will implement appropriate technical and organisational measures to safeguard their personal data, and will ensure that our planned use of their personal data (and reasons for doing so) is explained in an age-appropriate manner.

4. Is the data about people in their personal or professional capacity?

The personal data relates to people in their personal capacity, i.e. their personal engagement with STUK.

Reasonable expectations

The processing should be within individuals’ reasonable expectations as they will have been informed by our privacy notice (either when they first provide us with their personal data or when we first contact them) that their personal data may be processed in this manner. One way of helping to mitigate risk would be to ensure that the way we refer to this use of individuals’ personal data is more prominent in our privacy notice including setting out all the categories of personal data that we share with Facebook. We also think that it is reasonable to assume that both existing and prospective supporters would expect a charity to promote its charitable aims on social media. However, we will monitor any feedback and complaints when we review this LIA.

We acknowledge that the ICO has criticised the Audience Tools in its report “Democracy disrupted? Personal information and political influence”. In particular, we note that the ICO indicated that it had “significant fair processing concerns”. Existing and prospective supporters may (entirely legitimately) therefore reasonably expect that we explain our planned use of the Audience Tools in a transparent manner, including the potential impact on their rights to data privacy; implement appropriate safeguards; and offer them a means to opt out of our processing their personal data by using the Audience Tools.

5. Does STUK have an existing relationship with affected individuals?

We have an existing relationship with individuals who are served advertisements through FCA, but not those individuals who are served advertisements through FLA.

6. What is the nature of that relationship and how have we used their personal data in the past?

It is a relationship between a charity and a supporter. Depending on individuals’ preferences and the ways in which they have interacted with us, we have used their personal data to, for example, communicate with them, process donations, provide information and services, facilitate their participation in our events and conduct research.

7. Did STUK collect the relevant personal data directly from the individual? What did we tell them at the time?

Personal data contained in existing and prospective supporters’ Facebook profiles is collected by Facebook. We otherwise collect relevant personal data directly from supporters either when an individual directly interacts with us (such that we are able to upload their personal data to FCA) or subsequently (such that they click through our advert on their Facebook profile and then provide us with further personal data).

8. If STUK obtained the data from a third party, what did the third party tell the individuals about reuse by other parties for other purposes and does this cover STUK and our use?

We do not “obtain” personal data from Facebook – Facebook identifies the profiles of existing and prospective supporters and provides them with advertising content which we supply to Facebook. STUK only ever obtains personal data directly from supporters, when they click through those adverts or otherwise choose to interact with us having seen the adverts.

9. How long ago did STUK collect the relevant personal data? Have there been any changes in technology or context since that would affect expectations?

Existing supporters’ personal data has been collected over the last fifteen years. There have been no changes in technology, but our use of the Audience Tools would amount to a change of context in how these individuals’ personal data is used.

10. Is STUK’s intended purpose and method widely understood?

We consider that it is generally common practice, and understood by the public, that charities will seek to engage with supporters and solicit donations and other support using social media.

11. Is STUK intending to do anything new or innovative?

No. The processing is not new or innovative.

12. Does STUK have any evidence about individuals’ expectations – e.g. from market research, focus groups or other forms of consultation?

We have not carried out any specific research or consultations. Instead we plan to set individuals’ expectations by being transparent, i.e. using our privacy notice.

13. Are there any other factors in the circumstances which mean that affected individuals would or would not expect the processing?

Once we have updated our privacy notice and informed individuals accordingly, there are no factors in the circumstances that mean individuals would not expect the processing.

We do acknowledge here that other EU data protection authorities, for example the Bavarian Data Protection Authority, have considered that consent is the only available lawful basis because the processing of personal data carried out through these social media tools is too opaque for legitimate interests to be an option. Individuals familiar with these views may therefore expect that we seek their consent. Additionally, we recognise that the ICO’s draft Direct Marketing Code of Practice (published January 2020) has indicated that for custom audience social media tools, it is likely that consent is the appropriate lawful basis.

Likely impact

14. What are the possible impacts of the planned processing on the affected individuals?

  • Individuals may feel that receiving direct marketing via social media, having had no interaction with us before or in circumstances where they made a one-off donation, may be intrusive given that the primary function of social media tools is online social interaction.
  • There have been widely-publicised concerns about how Facebook handles personal data, and therefore individuals may be worried about our sending their personal data to Facebook.
  • Facebook will analyse individuals’ personal data on our behalf to make judgments or decisions about them; for example analysing individuals’ interests in other organisations to suggest that we serve them with targeted STUK advertising.
  • We will transfer individuals’ personal data to Facebook as an external supplier (although this will be done using Facebook’s hashing tool such that individuals could not be identified from the uploaded information if it fell into unauthorised hands, and using Facebook’s secure, encrypted line).
  • We will send tailored content to individuals – targeted advertisements will be tailored at a basic level based on individuals’ prior interactions with us or other interests they have publicly expressed.

15. Will those individuals lose any control over the use of their personal data?

Individuals will have control at each stage. We will offer existing supporters a means of opting out; prospective supporters who are identified do not have to click through our adverts if they choose not to (in which case we will not receive their personal data); and the information which is combined is information which individuals have provided to Facebook and which is subject to their advertising and privacy choices.

16. What is the likelihood and severity of any potential impact?

Affected individuals may feel uncomfortable or concerned about our use of the Audience Tools, especially bearing in mind media criticism of Facebook’s use of personal data.

17. Are any affected individuals likely to object to the planned processing, or find the planned processing privacy-intrusive?

People may object to the processing or find it intrusive, but we will be transparent and provide individuals with an opportunity to object.

18. Would STUK be happy to explain the planned processing to individuals?

Yes. This will be explained in our privacy notice, and we are publishing this LIA.

19. Can STUK adopt any safeguards to minimise any adverse impact on affected individuals?

Yes. We will adopt the following safeguards:

  • Refer prominently in our privacy notice to the use of individuals’ personal data as part of Audience Tools.
  • Using Facebook’s hashing technology and encrypted line when uploading existing supporters’ personal data.
  • Giving clear and straightforward means for individuals to complain or provide feedback, and monitoring responses regularly.
  • Ensuring that any personal data we collected through the use of Audience Tools is held securely in accordance with our internal policies on information security and data retention.
  • Explicitly informing individuals about their relevant rights under the GDPR in our privacy notices, in particular their right to object to the processing under Article 21 GDPR.
  • An annual review of our use of the Audience Tools, in particular to see whether our objectives have been met to a sufficient extent to justify processing individuals’ personal data.

20. Can STUK offer individuals an opt-out?

Yes. A right to opt-out will be made clear in our privacy notice, and we will not provide to Facebook the personal data of any individual who indicates they do not wish to receive direct marketing.

PART 4: OUR DECISION

We are satisfied that STUK can rely on legitimate interests for use of the Audience Tools for the time being. However, we are aware that there are particular regulatory concerns surrounding the use of Audience Tools and therefore we will keep this decision under review. We consider that the interests, rights and freedoms of individual supporters, while very important, do not override the legitimate interests of STUK, our beneficiaries and supporters in developing support and raising funds for our charitable objectives, which we consider to be extremely important.

Of particular importance in reaching this conclusion was that:

  • the personal data used by Facebook to create target audiences for our advertisements has already been provided by relevant individuals to their social media profiles and is subject to their privacy and advertising choices in Facebook;
  • there is a widespread acceptance in society that charities will engage with supporters and raise funds using social media;
  • it is likely to be an effective and efficient method for us to attract support and raise funds, meaning that we can concentrate funds / other resources on helping our beneficiaries;
  • individuals are not obliged to click on our advertisements;
  • our privacy notice will explain how and why we use individuals’ personal data for these purposes;
  • we do not think any of the potential impacts are excessively privacy intrusive; and
  • we will provide a mechanism for individuals to opt-out.

PART 5: NEXT STEPS

  • STUK will keep a record of this LIA, and keep it under review.
  • STUK will monitor applicable Data Privacy Law, in particular developments in relation to the E-Privacy Regulation (EU law currently being debated).
  • We will publish a summary of this LIA on our website.
  • The safeguards set out above will be implemented.
  • STUK will also carry out a Data Protection Impact Assessment.
  • We will consider further the need for consultation with the Information Commissioner’s Office if the circumstances require it in the future.
  • Include details of our purposes and lawful basis for processing in our privacy information, including an outline of our legitimate interests.

LIA completed by: Ian Vallance, Director, STUK

Date: August 2020