ICO Charities reminded of need to comply with Data Protection Act 1998
The Information Commissioner’s Office has fined charities the RSPCA and the British Heart Foundation £25,000 and £18,000 respectively for practices relating to the use of data relating to donors and potential donors. Amongst other breaches, the ICO discovered that the organisations had engaged in “wealth screening” of individuals for the purpose of targeting them for further fundraising.
The ICO’s investigations revealed that the charities had, without the knowledge or consent of the individuals concerned, engaged wealth management companies to ascertain how much money data subjects had, with a view to estimating the likely levels of donations they may be prepared to make. Millions of people were subject to financial analysis of this type.
An additional breach related to “data and tele-matching”. Where donors opted not to provide personal information when requested, the charities would engage external companies to obtain this, using existing data or telephone numbers to fill in the gaps.
The ICO also found that the charities had shared and exchanged personal data relating to donors with other charitable organisations. Whilst the organisations did provide the ability for donors to “opt out” of data sharing, the organisations had been vague and failed to disclose the data sharing practices they were involved in. Individuals could therefore not make an informed decision about whether or not to opt out. In short, the ICO found that they had fallen short of their legal duties.
The penalties imposed on the organisations could have been far higher. In setting the levels of fines, the ICO took into account that higher fines could add to the distress caused to donors by the actions under investigation. That said, it is understood that the charities may be planning to appeal the ICO’s decision.
Separately, the charities also face an investigation from the Charity Commission for breaching charity law. Sarah Atkinson, director of policy and communications at the Commission, said: "The fact that charities have been found in contravention of data protection requirements in this way is very serious and highly regrettable."
The case is a salutary reminder that charities are not exempt from compliance with the rules on data protection. In fact, the law is particularly applicable to them given their handling of extensive information relating to individual fundraisers and their finances. Charitable organisations are subject to the supervisory powers of the Charity Commission, as well as the ICO, so are well advised to invest the necessary resources to avoid scrutiny.
To assist in their data protection compliance efforts, the ICO has issued its top five tips for small and medium sized charities and third sector organisations:
- Tell people what you are doing with their data
Data subjects should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
- Make sure your staff are adequately trained
New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
- Use strong passwords
There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
- Encrypt all portable devices
Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
- Only keep people’s information for as long as necessary
Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.
Whilst helpful, specific advice may be needed in particular circumstances. Please do not hesitate to get in touch if we can be of assistance.