Are your charity's staff and volunteers aware of data protection needs?

Are your charity's staff and volunteers aware of data protection needs?

Are your charity's staff and volunteers aware of data protection needs?1

IT | Mairéad O'Reilly | 24 Sep 2012

Ignorance is not always bliss, warns Mairéad O'Reilly, as charities are warned to be more aware of their data protection responsibilities.

Lack of staff awareness is one reason why more charities are suffering data protection breaches. In August, the Information Commissioner’s Office (ICO), the UK regulator on data privacy, noted that charities may be struggling to look after people’s data.

Successfully protecting personal data depends on staff knowing what not to do.

Charities often hold very sensitive personal information about their beneficiaries, such as medical details, or information about ethnicity, religion or criminal records. This makes it particularly important for them to ensure that both paid staff and volunteers are educated in how to keep such records safe.

Many charities experience data protection breaches because staff and volunteers who are processing data do not fully understand the obligations of the charity to protect the personal data that they hold. And in many cases charities lack the resources to implement security systems which their commercial counterparts are introducing to protect sensitive personal information.

The use by charities of more diverse ways of holding and storing data, for instance on laptops and memory sticks, as well as the increasing trend towards overseas outsourcing, create a greater risk of data being lost. 

If you don’t have a clear policy of educating staff who process personal information on the key principles of data protection, you could be placing your charity at greater risk of data protection breaches and ultimately enforcement action by the ICO.

Charities should, at the very least, ensure they have policies on how to protect data. If breaches do occur and the ICO investigates, the existence of a policy and a clear record of staff training demonstrate that the charity itself takes data protection seriously. Failing to have any policy at all could be an indicator of poor data protection compliance.

In August, the ICO explicitly stated that charities could be fined up to £500,000 for serious data breaches. Until now the ICO has issued fines relatively sparingly and, so far, charities have been subject to investigations and have been required to give undertakings or been issued with an enforcement notices, rather than fines.

There has never been a fine issued against a charity by the ICO before and some charities have taken that to mean they are very low on the ICO’s priority list. But the recent announcement by the ICO can be seen as a message that it does take data protection breaches by charities seriously and expects them to be taking meaningful steps to ensure compliance.

Mairead O'Reilly is a senior associate at Bates Wells & Braithwaite

Adrian Beney
More Partnership
24 Sep 2012

Some of the Commissioner's advice is of particular concern to fundraisers. Their advice uses that ill-defined term "best practice." Who decides what's best? An ICO official, or someone who uses the data every day and knows their business?

Here's an example. The ICO web page say "Only keep people’s information for as long as necessary. Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required. "

So when is "no longer required" in fundraising terms?

So long as someone does not actively ask to be removed, (in which case the law requires the charity to do so,) for me this revolves around stewardship, around respecting people's previous giving and the commitment they have made to the charity already.

I would argue that every donor is a legacy prospect (indeed fundraising "best practice" argues that this is the case) so that every donor should be retained until dead, (unless they tell you otherwise) so that a legacy could be matched up to their lifetime giving. And since a dead person is not subject to the DPA then this means that one can argue quite cogently that the best period to keep someone's data is indefinitely.

Here's a parallel thought: I went to rent a DVD from Blockbuster the other night. It's about 2 years since I last used them. I had to re-register since they said "best practice" had demanded that they remove my name from their database 3 months after I last rented a DVD. My version of "best practice" would have had them look me up on the database and say "welcome back" rather than making me fill in another form.

So just because a previous customer, or donor, appears to be dormant doesn't mean they've lost interest. Of course it's important to be compliant with the law - but the interpretation of that law in the context of relevant and reasonable business processes needs to be intelligently done.


[Cancel] | Reply to:

Close »

Community Standards

The community and comments board is intended as a platform for informed and civilised debate.

We hope to encourage a broad range of views, however, there are standards that we expect commentators to uphold. We reserve the right to delete or amend any comments that do not adhere to these standards.

We welcome:

  • Robust but respectful debate
  • Strongly held opinions
  • Intelligent relevant discussion
  • The sharing of relevant experiences
  • New participants

We will not publish:

  • Rude, threatening, offensive, obscene or abusive language, or links to such material
  • Links to commercial organisations or spam postings. The comments board is not an advertising platform
  • The posting of contact details for yourself or others
  • Comments intended for malicious purpose or mindless abuse
  • Comments purporting to be from another person or organisation under false pretences
  • Gratuitous criticism, commentary or self-promotion
  • Any material which breaches copyright or privacy laws, or could be considered libellous
  • The use of the comments board for the pursuit or extension of personal disputes

Be aware:

  • Views expressed on the comments board are left at users’ discretion and are in no way views held or supported by Civil Society Media
  • Comments left by others may not be accurate, do not rely on them as fact
  • You may be misunderstood - sarcasm and humour can easily be taken out of context, try to be clear


  • Enjoy the opportunity to express your opinion and respect the right of others to express theirs
  • Confine your remarks to issues rather than personalities

Together we can keep our community a polite, respectful and intelligent platform for discussion.


Mairéad O'Reilly

Mairéad O’Reilly is a senior associate at Bates Wells & Braithwaite LLP London.

Tesse Akpeki (55) Martin Farrell (46) Robert Ashton (41) Tania Mason (23) Andrew Chaggar (23) David Ainsworth (20) David Philpott (14) Making Good: The Future of the Voluntary Sector (13) Ian Allsop (12) Vibeka Mair (11)
Niki May Young (11) Celina Ribeiro (10) Dorothy Dalton (10) Kirsty Weakley (10) Leon Ward (10) Gordon Hunter (9) David Davison (8) John Tate (8) Neal Green (5) Jeremy Swain (5) Rowena Lewis (5) Andrew Hind CB (4) Daniel Phelan (4) Belinda Pratten (4) Suzi Leather (3) Stephen Lloyd (3) Pauline Broomhead (3) Rosie Chapman (3) Andrew Purkis (3) Ingrid Marson (3) Alexander Swallow (3) Alice Sharman (3) Sir Stuart Etherington (2) Adrian Beney (2) Joe Saxton (2) Jesper Christensen (2) Paul Gibson (2) Andrew Scadding (2) Anne Moynihan (2) Rosamund McCarthy (2) Kevin Carey (2) Garreth Spillane (2) June O'Sullivan (2) Dan Corry (2) Paul Emery (2) Simon Steeden (2) Andrew O'Brien (2) Lesley-Anne Alexander CBE (1) Victoria Cook (1) Claris D'cruz (1) Peter Gotham (1) Sir Thomas Hughes-Hallett (1) Justin Davis Smith (1) Kate Sayer (1) Alison McKenna (1) Paul Palmer (1) Anne-Marie Piper (1) Jo Swinhoe (1) Karl Wilding (1) Richard Williams (1) Mike Hudson (1) Sir Christopher Kelly (1) Martin Brookes (1) Simon Hebditch (1) Lindsay Driscoll (1) Jo Coleman (1) Cedric Frederick (1) Jonathan Lewis (1) Dame Mary Marsh (1) Jill Pitkeathley (1) Nick Brooks (1) Linda Laurance (1) Suzie Who (1) James Thompson (1) Stephen Hammersley (1) John May (1) Julian Blake (1) Malcolm Hurlston (1) Andy Gregg (1) Anne Owers (1) Beth Yorath (1) Paul Amadi (1) Caroline Beaumont (1) Judith Davey (1) Diane Lightfoot (1) Douglas Rouse (1) Jackie Turpin (1) Jonathan Last (1) Lynda Thomas (1) Tom Flood (1) Dan Sutch (1) Jenni Cahill (1) Jonathan Crown (1) Ruchir Shah (1) Katy Wing (1) George Ames (1) Jenny North (1) Sir David Varney (1) Liam Barrington-Bush (1) Mairéad O'Reilly (1) Tobin Aldrich (1) Michael O'Toole (1) Lisa Clavering (1) Jamie Ward-Smith (1) Ian Joseph (1) Sarah Atkinson (1) Jonathan Bruck (1) Rachel Short (1) Dr Debra Beck (1) Andy Rich (1) Ian Leggett (1) Leigh Daynes (1) Tim Willis (1) Richard Caulfield (1) Emma Callagher (1)
Less +++ More +++

The long and unhappy saga of the Local Sustainability Fund

29 Jun 2015

Last week the government announced a £20m pot of funding for charities. This sounds like good news, says...

Government can't ask charities to compete for contracts while savaging council spending

15 Jun 2015

The government cannot tell charities they must compete for contracts in a market while slashing the spending...

'Northern Powerhouse'? Almost as clearly defined as the big society

4 Jun 2015

Ian Allsop talks tomatoes and why charities should look north for income growth opportunities under the...

Free eNews

Join the discussion


Attending our one day courses is a highly effective way of ensuring new and existing trustees fully understand their role, responsibilities and liabilities.

>> Find out more <<