ICO Charities reminded of need to comply with Data Protection Act 1998
The Information Commissioner’s Office has fined charities the RSPCA and the British Heart Foundation £25,000 and £18,000 respectively for practices relating to the use of data relating to donors and potential donors. Amongst other breaches, the ICO discovered that the organisations had engaged in “wealth screening” of individuals for the purpose of targeting them for further fundraising.
The ICO’s investigations revealed that the charities had, without the knowledge or consent of the individuals concerned, engaged wealth management companies to ascertain how much money data subjects had, with a view to estimating the likely levels of donations they may be prepared to make. Millions of people were subject to financial analysis of this type.
An additional breach related to “data and tele-matching”. Where donors opted not to provide personal information when requested, the charities would engage external companies to obtain this, using existing data or telephone numbers to fill in the gaps.
The ICO also found that the charities had shared and exchanged personal data relating to donors with other charitable organisations. Whilst the organisations did provide the ability for donors to “opt out” of data sharing, the organisations had been vague and failed to disclose the data sharing practices they were involved in. Individuals could therefore not make an informed decision about whether or not to opt out. In short, the ICO found that they had fallen short of their legal duties.
The penalties imposed on the organisations could have been far higher. In setting the levels of fines, the ICO took into account that higher fines could add to the distress caused to donors by the actions under investigation. That said, it is understood that the charities may be planning to appeal the ICO’s decision.
Separately, the charities also face an investigation from the Charity Commission for breaching charity law. Sarah Atkinson, director of policy and communications at the Commission, said: "The fact that charities have been found in contravention of data protection requirements in this way is very serious and highly regrettable."
The case is a salutary reminder that charities are not exempt from compliance with the rules on data protection. In fact, the law is particularly applicable to them given their handling of extensive information relating to individual fundraisers and their finances. Charitable organisations are subject to the supervisory powers of the Charity Commission, as well as the ICO, so are well advised to invest the necessary resources to avoid scrutiny.
To assist in their data protection compliance efforts, the ICO has issued its top five tips for small and medium sized charities and third sector organisations:
- Tell people what you are doing with their data
Data subjects should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
- Make sure your staff are adequately trained
New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
- Use strong passwords
There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
- Encrypt all portable devices
Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
- Only keep people’s information for as long as necessary
Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.
Whilst these tips are helpful, specific advice may be needed in particular circumstances. Please do not hesitate to get in touch if we can be of assistance.