Are your charity's staff and volunteers aware of data protection needs?


IT | Mairéad O'Reilly | 24 Sep 2012

Ignorance is not always bliss, warns Mairéad O'Reilly, as charities are warned to be more aware of their data protection responsibilities.

Lack of staff awareness is one reason why more charities are suffering data protection breaches. In August, the Information Commissioner’s Office (ICO), the UK regulator on data privacy, noted that charities may be struggling to look after people’s data.

Successfully protecting personal data depends on staff knowing what not to do.

Charities often hold very sensitive personal information about their beneficiaries, such as medical details, or information about ethnicity, religion or criminal records. This makes it particularly important for them to ensure that both paid staff and volunteers are educated in how to keep such records safe.

Many charities experience data protection breaches because staff and volunteers who are processing data do not fully understand the obligations of the charity to protect the personal data that they hold. And in many cases charities lack the resources to implement security systems which their commercial counterparts are introducing to protect sensitive personal information.

The use by charities of more diverse ways of holding and storing data, for instance on laptops and memory sticks, as well as the increasing trend towards overseas outsourcing, creates a greater risk of data being lost.

If you don’t have a clear policy of educating staff who process personal information on the key principles of data protection, you could be placing your charity at greater risk of data protection breaches and ultimately enforcement action by the ICO.

Charities should, at the very least, ensure they have policies on how to protect data. If breaches do occur and the ICO investigates, the existence of a policy and a clear record of staff training demonstrate that the charity itself takes data protection seriously. Failing to have any policy at all could be an indicator of poor data protection compliance.

In August, the ICO explicitly stated that charities could be fined up to £500,000 for serious data breaches. Until now the ICO has issued fines relatively sparingly and, so far, charities have been subject to investigations and have been required to give undertakings or been issued with enforcement notices, rather than fines.

There has never been a fine issued against a charity by the ICO before and some charities have taken that to mean they are very low on the ICO’s priority list. But the recent announcement by the ICO can be seen as a message that it does take data protection breaches by charities seriously and expects them to be taking meaningful steps to ensure compliance.

Mairéad O'Reilly is a senior associate at Bates Wells & Braithwaite

Adrian Beney
More Partnership
24 Sep 2012

Some of the Commissioner's advice is of particular concern to fundraisers. Their advice uses that ill-defined term "best practice." Who decides what's best? An ICO official, or someone who uses the data every day and knows their business?

Here's an example. The ICO web page says "Only keep people’s information for as long as necessary. Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required."

So when is "no longer required" in fundraising terms?

So long as someone does not actively ask to be removed (in which case the law requires the charity to do so), for me this revolves around stewardship, around respecting people's previous giving and the commitment they have made to the charity already.

I would argue that every donor is a legacy prospect (indeed fundraising "best practice" argues that this is the case) so that every donor should be retained until dead, (unless they tell you otherwise) so that a legacy could be matched up to their lifetime giving. And since a dead person is not subject to the DPA then this means that one can argue quite cogently that the best period to keep someone's data is indefinitely.

Here's a parallel thought: I went to rent a DVD from Blockbuster the other night. It's about 2 years since I last used them. I had to re-register since they said "best practice" had demanded that they remove my name from their database 3 months after I last rented a DVD. My version of "best practice" would have had them look me up on the database and say "welcome back" rather than making me fill in another form.

So just because a previous customer, or donor, appears to be dormant doesn't mean they've lost interest. Of course it's important to be compliant with the law - but the interpretation of that law in the context of relevant and reasonable business processes needs to be intelligently done.


Mairéad O'Reilly

Mairéad O’Reilly is a senior associate at Bates Wells & Braithwaite LLP London.
