Chuggers (and why I’m not a fan of them)

Imagine I walked up to you on the street with my arm outstretched to shake your hand and making direct eye contact with you and smiling. Imagine if the next thing I said or did was to ask you to give me

• Your name
• Your credit card or bank details
• Your mobile phone number
• Your home address
• Your email address
• A copy of your signature

and a range of other personal data. Which I wrote down on a piece of paper and stuck in my bag before thanking you and walking off.

Chances are I wouldn’t get very far in gathering that information. Your natural sense of risk would (or should) kick in. Chances are you’d call the police on me.

But imagine that scenario again with one small change. I’m wearing a polyester jacket with the logo of a charity on it and I’ve got an ID badge hung around my neck and a backpack. What would you do then? Hey, I’m collecting for a charity.

I am a charitable person. I like to support good causes and I like to contribute as much as I can when ever I can to such causes. But I’d say no to me because  of my personal sense of Information risk.

Others base their dislike of Chuggers (Charity Muggers) on the methods that some use to get people to sign up, methods which are often the result of the commission or quota based systems that some of these people work under (and I’ve content elsewhere about why quotas are a BAD idea in the delivery of quality service). Of course, these are methods which charities who use this means of fundraising disavow all knowledge of and disown completely, but which I have witnessed.

My avoidance of chuggers is based simply on good Information Security practice. I don’t like the idea of my data being in a bag around someone’s neck or a plastic zip-lock folder, in a public place.  From a Data Protection of view I’d rather not have to have a real-world test of the compliance of the organisations that run these collection methods with things like the Data Security Breach Code of Practice or the requirement under S2 of the Data Protection Acts to take reasonable and appropriate steps to ensure the security of personal data. Particularly not with my data. The data that is obtained by Chuggers is Personal Data within the meaning of the legislation as it is data that has been obtained with the intention of processing it electronically or of filing it in a relevant filing system, ergo it needs to be treated with care.

I’ve advised clients in the non-profit sector of the potential for brand damage arising from something as simple as one of their Chuggers being mugged and their bag being stolen… or to put it another way: the temporary storage location of an array of personal data. I’m not saying don’t use the method. What I’m saying is your controls need to be very tight.

Among the controls that need to be in place is appropriate training for staff on Data Protection. I’m not sure if such training is happening as many of the techniques I’ve seen or heard of being used to get people to stop could actually be construed as being contrary to the requirement for consent to processing of data to be freely given. That said, a volunteer for one charity came on a Data Protection course I taught a few years back and they stopped using chuggers afterwards.

If the UK experience is anything to go by, my risk aversion is justified. The ICO there has investigated charities for loss of data. It is inevitable that similar will happen here, if it hasn’t already (but if it has I can’t find a reference to it on the Data Protection Commissioner’s website). The root cause in the UK case I link to was a lack of training and awareness that lead to a loss of data.

So how should your chugger experience go? Well, first of all you should know what happens to all this information you have just given them. The chugger is meant to either give you a data protection statement to read or explain to you who will be processing (using) your information, who they will share it with and also give you the chance to say you do not want them to pass it on to anyone else. They should also make sure that once you have signed the form to agree to what you want to do, the form is kept safe and secure, rather than what normally happens where they add it to some others in a plastic folder or clipboard they are holding.

My advice to anyone accosted by a chugger is: if you can’t get away, ask politely for a copy of the charity’s form for you to fill in at your leisure. If they don’t give it to you take their name from their ID badge and report them to their Charity and if the Charity doesn’t take it seriously report it to the Data Protection Commissioner. (If they don’t have an ID badge, assume they are not representing a charity and you’re about to be mugged – react accordingly).

My advice to any Chugger who is careless with their folder or is mugged for their bag… notify your Charity immediately. The Charity should notify the Gardaí as well and make sure they know that there was personal and financial data stolen/mislaid. The charity should also notify the Data Protection Commissioner. As the paper work will not have been processed you won’t be able to notify the Data Subjects directly (as is required under the Code of Practice) so they will likely have to put out a public statement about the loss of data to alert people who have given their details to the risk of identity theft.

Personally, I make my donations either on-line (and I look for PCI compliant payment processors and HTTPS security on the donation page) or over the phone. I have never and will never donate to a charity by means of a chugger, and when faced with a choice I will opt for a charity that doesn’t use them.