No breach too small – the ICO takes action against charities


In December 2016 the Information Commissioner’s Office (ICO) fined a historical society £400 after a laptop containing personal data was stolen while a member of staff was working away from the office. The data was not encrypted and contained details of donors and the artefacts they had gifted. The ICO investigation found ‘the organisation had no policies or procedures around homeworking, encryption and mobile devices which resulted in a breach of data protection law’. So, it is not just big business that needs to comply with data protection law. It applies to everyone, regardless of size or motive. In fact, some well-loved charities ran into trouble with the ICO this year.

In April 2017 an ICO report revealed that thirteen charities had been fined for non-compliance. The ICO is the independent authority set up to ‘uphold information rights in the public interest’. It has the power to take action when data protection rules are breached, regardless of the scale of the breach.

Between 2015 and 2017 the ICO carried out an investigation into the practices of charity fundraising. The thirteen charities which were fined included Battersea Dogs’ and Cats’ Home, Cancer Research UK, Great Ormond Street Hospital, Macmillan Cancer Support, Oxfam, NSPCC, The Royal British Legion and Guide Dogs for the Blind Association. Fines ranged from £6,000 to £18,000 depending on the non-compliance identified. The breaches fell into three distinct areas:

Finding information about you that you didn’t provide. The ICO asserts that the individual has the right to choose what personal information is provided. The practice of using external companies to find missing information or to update out-of-date information is not permitted. Battersea Dogs’ Home received a £9,000 fine for using this approach in 740,181 cases between 2011 and 2015.

Sharing your details with other charities, no matter what the cause. It is common for some charities to exchange donor information. Sharing donor information is not in itself illegal, but sharing it through an external organisation without knowing which other charities receive it is. Cancer Support UK was fined £16,000 for failing to follow data protection rules.

Ranking based on wealth. Some charities profile their donors based on wealth. External companies can also identify donors they believe charities should target because they are the most likely to leave money in their wills; this is called legacy profiling. The Guide Dogs for the Blind Association was fined £15,000 for this and for sourcing information it did not have permission to access.

The important message is that, whatever the size or status of the organisation, the same rules apply. It is also worth noting that the rules regarding personal data will become significantly stricter when the General Data Protection Regulation (GDPR) becomes UK law in May 2018. To find out about your obligations and how to comply, including how to protect personal information, see the ICO’s Data Protection Self Assessment Toolkit.
