ICO: Charities reminded of need to comply with Data Protection Act 1998
The Information Commissioner’s Office has fined the charities the RSPCA and the British Heart Foundation £25,000 and £18,000 respectively for practices relating to their use of data about donors and potential donors. Amongst other breaches, the ICO discovered that the organisations had engaged in “wealth screening” of individuals for the purpose of targeting them for further fundraising.
The ICO’s investigations revealed that the charities had, without the knowledge or consent of the individuals concerned, engaged wealth management companies to ascertain how much money data subjects had, with a view to estimating the likely levels of donations they may be prepared to make. Millions of people were subject to financial analysis of this type.
An additional breach related to “data and tele-matching”. Where donors opted not to provide personal information when requested, the charities would engage external companies to obtain this, using existing data or telephone numbers to fill in the gaps.
The ICO also found that the charities had shared and exchanged personal data relating to donors with other charitable organisations. Whilst the organisations did provide the ability for donors to “opt out” of data sharing, they had been vague and failed to disclose the data sharing practices they were involved in. Individuals could therefore not make an informed decision about whether or not to opt out. In short, the ICO found that they had fallen short of their legal duties.
The penalties imposed on the organisations could have been far higher. In setting the levels of the fines, the ICO took into account that higher fines could add to the distress already caused to donors by the practices under investigation. This said, it is understood that the charities may be planning to appeal the ICO’s decision.
Separately, the charities also face an investigation from the Charity Commission for breaching charity law. Sarah Atkinson, director of policy and communications at the Commission, said: "The fact that charities have been found in contravention of data protection requirements in this way is very serious and highly regrettable."
The case is a salutary reminder that charities are not exempt from compliance with the rules on data protection. In fact, the law is particularly applicable to them given their handling of extensive information relating to individual fundraisers and their finances. Charitable organisations are subject to the supervisory powers of the Charity Commission, as well as the ICO, so are well advised to invest the necessary resources to avoid such scrutiny.
To assist in their data protection compliance efforts, the ICO has issued its top five tips for small and medium sized charities and third sector organisations:
- Tell people what you are doing with their data
Data subjects should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
- Make sure your staff are adequately trained
New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
- Use strong passwords
There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
- Encrypt all portable devices
Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
- Only keep people’s information for as long as necessary
Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.
Whilst helpful, specific advice may be needed in particular circumstances. Please do not hesitate to get in touch if we can be of assistance.