The ICO has looked into at least 15 national charities over data protection failings in their fundraising practices since the start of last year.
Since May 2015, at least 15 charities have been named by either the FRSB or the ICO as having potentially breached data protection laws. Those charities named by the FRSB have been referred to the ICO.
It is not clear whether all of those charities are the subject of open investigations. The ICO has said it will not confirm which of those charities it is still investigating, although it has said several other investigations are ongoing.
As part of its recent findings regarding practices at the RSPCA and British Heart Foundation, the ICO said that ongoing investigations “into other charities” are nearing a conclusion.
Possible data breaches at Breast Cancer Campaign
In May 2015, the FRSB referred a complaint made against Breast Cancer Campaign to the ICO over potential breaches of the Data Protection Act and Privacy and Electronic Communications Regulations.
Colin Lloyd, then chair of the FRSB, said the case showed that the ICO had “recently been granted greater flexibility to pursue cases of abuse” in relation to telephone fundraising.
The ICO have yet to publish any action taken in relation to this case.
The Samuel Rae Case
The Daily Mail claimed that the four charities sold the personal details of an 87-year-old man suffering from dementia onto “unscrupulous catalogue scammers” who then duped him into giving away £35,000.
Steve Eckersley, head of enforcement at the ICO, said at the time: “We have been presented with some clearly concerning findings about data sharing and sale in the charity sector, and we will be investigating them further”.
The Daily Mail story that prompted this investigation was written on 1 September 2015, one day before the Mail story which prompted the investigation into the RSPCA and BHF.
Collapse of GoGen
In July 2015, the ICO launched an investigation into breaches of the Data Protection Act in relation to another Daily Mail article which accused agency fundraisers from GoGen of targeting vulnerable people and using loopholes to dodge TPS regulations.
The Mail named a number of charities, including Oxfam, NSPCC, Macmillan Cancer Support and the British Red Cross in its exposé.
While the directors of GoGen refuted the Daily Mail’s claims at the time, the charities involved all pulled out of their contracts with the agency and the organisation went into liquidation two weeks later.
Christopher Graham, then Information Commissioner, subsequently gave evidence at a Public Administration and Constitutional Affairs Committee hearing where he criticised some large charities for believing they were “above the law” when it came to adhering to the TPS.
His written evidence – published in January 2016 – explicitly named eight charities: Christian Aid, British Heart Foundation, Macmillan Cancer Support, Great Ormond Street Hospital Children's Charity, NSPCC, Barnardo’s, Oxfam and the British Red Cross.
It also made clear that the ICO had “the potential for imposing a monetary penalty” on charities making “unsolicited marketing calls to large numbers of individuals”.
Just over a month later, the British Red Cross was the first national charity to announce it had made a “best practice agreement” with the ICO in relation to only contacting donors who had explicitly opted-in to receiving fundraising calls in the last 24 months.
Age International subsequently announced it had reached a similar agreement with the ICO the following month, following a complaint being upheld against it by the FRSB and subsequently referred to the data protection watchdog.