Ignorance is not always bliss, warns Mairéad O'Reilly, as charities are warned to be more aware of their data protection responsibilities.
Lack of staff awareness is one reason why more charities are suffering data protection breaches. In August, the Information Commissioner’s Office (ICO), the UK regulator on data privacy, noted that charities may be struggling to look after people’s data.
Successfully protecting personal data depends on staff knowing what not to do.
Charities often hold very sensitive personal information about their beneficiaries, such as medical details, or information about ethnicity, religion or criminal records. This makes it particularly important for them to ensure that both paid staff and volunteers are educated in how to keep such records safe.
Many charities experience data protection breaches because staff and volunteers who are processing data do not fully understand the obligations of the charity to protect the personal data that they hold. And in many cases charities lack the resources to implement security systems which their commercial counterparts are introducing to protect sensitive personal information.
The use by charities of more diverse ways of holding and storing data, for instance on laptops and memory sticks, as well as the increasing trend towards overseas outsourcing, creates a greater risk of data being lost.
If you don’t have a clear policy of educating staff who process personal information on the key principles of data protection, you could be placing your charity at greater risk of data protection breaches and ultimately enforcement action by the ICO.
Charities should, at the very least, ensure they have policies on how to protect data. If breaches do occur and the ICO investigates, the existence of a policy and a clear record of staff training demonstrate that the charity itself takes data protection seriously. Failing to have any policy at all could be an indicator of poor data protection compliance.
In August, the ICO explicitly stated that charities could be fined up to £500,000 for serious data breaches. Until now the ICO has issued fines relatively sparingly and, so far, charities have been subject to investigations and have been required to give undertakings or been issued with enforcement notices, rather than fines.
There has never been a fine issued against a charity by the ICO before and some charities have taken that to mean they are very low on the ICO’s priority list. But the recent announcement by the ICO can be seen as a message that it does take data protection breaches by charities seriously and expects them to be taking meaningful steps to ensure compliance.
Mairead O'Reilly is a senior associate at Bates Wells & Braithwaite
Adrian Beney
Partner
More Partnership
24 Sep 2012
Some of the Commissioner's advice is of particular concern to fundraisers. Their advice uses that ill-defined term "best practice." Who decides what's best? An ICO official, or someone who uses the data every day and knows their business?
Here's an example. The ICO web page says "Only keep people’s information for as long as necessary. Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required."
So when is "no longer required" in fundraising terms?
So long as someone does not actively ask to be removed (in which case the law requires the charity to do so), for me this revolves around stewardship, around respecting people's previous giving and the commitment they have made to the charity already.
I would argue that every donor is a legacy prospect (indeed fundraising "best practice" argues that this is the case) so that every donor should be retained until dead (unless they tell you otherwise), so that a legacy could be matched up to their lifetime giving. And since a dead person is not subject to the DPA then this means that one can argue quite cogently that the best period to keep someone's data is indefinitely.
Here's a parallel thought: I went to rent a DVD from Blockbuster the other night. It's about 2 years since I last used them. I had to re-register since they said "best practice" had demanded that they remove my name from their database 3 months after I last rented a DVD. My version of "best practice" would have had them look me up on the database and say "welcome back" rather than making me fill in another form.
So just because a previous customer, or donor, appears to be dormant doesn't mean they've lost interest. Of course it's important to be compliant with the law - but the interpretation of that law in the context of relevant and reasonable business processes needs to be intelligently done.