ICO Charities reminded of need to comply with Data Protection Act 1998
The Information Commissioner’s Office has fined charities the RSPCA and the British Heart Foundation £25,000 and £18,000 respectively for practices relating to the use of data relating to donors and potential donors. Amongst other breaches, the ICO discovered that the organisations had engaged in “wealth screening” of individuals for the purpose of targeting them for further fundraising.
The ICO’s investigations revealed that the charities had, without the knowledge or consent of the individuals concerned, engaged wealth management companies to ascertain how much money data subjects had, with a view to estimating the likely levels of donations they may be prepared to make. Millions of people were subject to financial analysis of this type.
An additional breach related to “data and tele-matching”. Where donors opted not to provide personal information when requested, the charities would engage external companies to obtain this, using existing data or telephone numbers to fill in the gaps.
The ICO also found that the charities had shared and exchanged personal data relating to donors with other charitable organisations. Whilst the organisations did provide the ability for donors to “opt out” of data sharing, the organisations had been vague and failed to disclose the data sharing practices they were involved in. Individuals could therefore not make an informed decision about whether or not to opt out. In short, the ICO found that they had fallen short of their legal duties.
The penalties imposed on the organisations could have been far higher. In setting the levels of fines, the ICO took into account that higher fines could cause distress to donors caused by the actions under investigation. This said, it is understood that the charities may be planning to appeal the ICO’s decision.
Separately, the charities also face an investigation from the Charities Commission for breaching charity law. Sarah Atkinson, director of policy and communications at the Commission, said: "The fact that charities have been found in contravention of data protection requirements in this way is very serious and highly regrettable."
The case is a salutary reminder the charities are not exempt from compliance with the rules on data protection. In fact, the law is particularly applicable to them given their handling of extensive information relating to individual fundraisers and their finances. Charitable organisations are subject to the supervisory powers of the Charity Commission, as well as the ICO, so are well advised to invest the necessary resources to avoid scrutiny.
To assist in their data protection compliance efforts, the ICO has issued its top five tips for small and medium sized charities and third sector organisations:
- Tell people what you are doing with their data
Data subjects should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
- Make sure your staff are adequately trained
New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
- Use strong passwords
There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
- Encrypt all portable devices
Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
- Only keep people’s information for as long as necessary
Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.
Whilst helpful, specific advice may be needed in particular circumstances. Please do not hesitate to get in touch if we can be of assistance.
Phase out of temporary restrictions on use of winding up petitions
Hannah takes a look at the recent UK Government announcement on statutory demands and the presentation of winding up petitions
Preparing your company for sale
We set out here some initial steps to consider in anticipation of a sale.
Charles Russell Speechlys advises discoverIE on its acquisition of Antenova
discoverIE is a leading international designer, manufacturer and supplier of customised electronics to industry.
2020: Influencer, 2021: Creative Director – what could go wrong?
Coded messages for landlords and tenants
“What does the code of practice mean for landlords and tenants? Read more here”
Pro bono partnership with Atkins and Z2K sees successful first Disability Benefit Appeals case
Charles Russell Speechlys launched our partnership with Atkins and Zacchaeus 2000 Trust to take on Disability Benefit Appeals cases.
Charles Russell Speechlys advises Acora on acquisition of Westgate IT
Westgate IT specialises in providing IT support to businesses in the South West.
Jason Saiban writes for Food Manufacture on the food industry's climate change challenge
The key challenge will be how the environmental targets are actually met.
Charles Russell Speechlys advises Grape Paradise on the acquisition of a fine wine business
Charles Russell Speechlys has advised Grape Paradise on the acquisition of the Sarment Group in the China Mainland territories.
Grab the tail by the horns - Why is tail spend so critical in today’s outsourced portfolio?
It’s usually invisible, but in all likelihood, you’ve got tail spend.
Olivia Crane writes for The Grocer on the importance of robust data protection policies for checkout-less stores
The ‘personal data footprint’ created by this type of service and technology isn’t something that should be overlooked.
The Business Magazine and The Surrey Chambers of Commerce report on the firm's involvement in the sale of Online Fuels Limited to DTN
The firm advised the shareholder management team on the sale of shares in Online Fuels to global data, analytics, and technology group, DTN.
Charles Russell Speechlys advises Appital Ltd on £2.5m Investment led by Frontline Ventures
Appital is an Equity Capital Marketplace which aims to bring innovation to Equity Capital Markets.
The Business Magazine, Insider Media, Business South and The Surrey Chambers of Commerce report on the firm's involvement in Appital's £2.5m growth capital investment
The injection will accelerate the development of Appital’s technology infrastructure, integration with financial institutions.
Mark Hill writes for In-House Community Magazine on solutions templating, a new priority for in-house legal teams
Removing the burden from legal teams, contract managers and administrators.
Healthcare team advises Country Court Care on £57m sale of three care homes
Country Court Care Group Ltd has been active almost 35 years as a nursing and care home operator.
Charles Russell Speechlys advises Metier on US$39m investment into Africa Mobile Networks
AMN builds, owns, operates and maintains mobile network infrastructure in Africa.
Amelia Goodwin writes for Civil Society on a recent employment tribunal ruling which found that anxiety constitutes a disability
The tribunal found that an anxiety state constitutes a disability for the purposes of the Equality Act 2010.
Pro bono advice helps charity acquire properties for homeless people
Transform is a Surrey-based charity providing housing and support to more than 1,700 homeless and vulnerable people every year.
Charles Russell Speechlys advises Apposite Capital on acquisition of i2a Diagnostics
i2a is a leading provider of laboratory instruments, software and reagents for the clinical microbiology market in France.