The ICO has published the final reports from its investigations into the RSPCA and the BHF, finding that both charities were guilty of wrongly disclosing hundreds of thousands of donor details.
In the reports published today, the ICO said it found that each year for 17 years the RSPCA had wrongly disclosed “between 105,697 and 794,768” records of people’s personal data – including names; addresses; gift aid status; amount of last donations – as part of a donor data swapping scheme called Reciprocate.
The ICO said that the RSPCA were “unable to provide details of the Reciprocate scheme’s members or the specific organisations to who it had disclosed records”.
The ICO also found that, between January 2012 and July 2015, the BHF used the Reciprocate scheme and shared over one million data records, relating to 552,092 individuals, with some 40 other charities. The BHF told the ICO that those records were confined to “similar or partner organisations”.
In both cases, the ICO found that the charities were in contravention of Data Protection Principles 1 and 2, and the Commissioner was satisfied that these contraventions were “of a kind likely to cause substantial damage or substantial distress”.
The reports also confirm that the RSPCA has been fined £25,000, while the BHF has been fined £18,000.
RSPCA also shared data ‘despite opt-outs’
The ICO also found that the RSPCA had shared the data of people with the Reciprocate scheme, despite knowing that those people had opted out of contact from the charity.
According to the report, the RSPCA reported to the ICO on 19 November 2015 that “the personal data of 15,028 supporters were shared with a third party parties via the Reciprocate scheme after the supporters expressly opted out of their personal data being shared with other organisations”.
Between April 2014 and June 2015, the ICO said that “groups of such records were shared on 12 occasions”. The RSPCA subsequently informed the ICO that this had taken place due to the “wrong dataset being made available”.
The Commissioner said “a charity of the size and resources” of the RSPCA “should have checked whether or not opt-outs were being respected as regards the personal data it shared through the Reciprocate scheme”.
The BHF was not found to have shared the data of donors who had opted out of communications.
RSPCA gave wealth screening companies ‘entire database’
The RSPCA confirmed to the ICO that so-called ‘wealth screening’ is “common practice” and that it is general practice to provide such companies with its “entire database”. In this case, the ICO said that the personal data of more than 7 million subjects was shared.
The RSPCA was again found to be in contravention of the Data Protection Act, in relation to wealth screening, as the Information Commissioner decided that the RSPCA’s fair processing notices “did not indicate that personal data may be processed for the purpose of wealth analysis” and, as a result, “supporters have not been provided with sufficient information to enable them to understand what would be done with their personal data”.
The BHF was also found to have contravened the DPA in relation to wealth screening, for much the same reason – passing on between 800,000 and 2.6 million records to such companies each year between 2010 and 2014. The ICO said that, in total, the BHF disclosed records containing the personal data of over 5 million subjects.
Both guilty of data-matching and tele-matching breaches
The BHF was also found to have disclosed records containing the personal data of over 700,000 subjects between 6 April 2010 and April 2015.
The ICO said that, while the RSPCA “does not hold records of the numbers of data subjects involved” in its own tele-matching and data-matching, the Commissioner understands that the number of data subjects involved since 2009 is “likely to exceed one million”.
Neither the RSPCA nor the BHF wished to comment further on the matter at the time.
The IoF said that it would make a comment at a later date, once it had had more time to analyse the reports.