Fundraising charities have been abusing trust and exploiting donors by sharing details and profiling supporters, the Information Commissioner's Office said yesterday.
In findings published yesterday afternoon, the data protection watchdog said that both the RSPCA and the British Heart Foundation were guilty of multiple breaches of the Data Protection Act 1998.
But it also made clear that it has a number of ongoing investigations into several other charities and expects to issue more fines.
It has not confirmed which charities are under investigation, but it is understood that they include most of the large charities that were the subject of newspaper scrutiny last year over their fundraising practices.
The ICO said the RSPCA and British Heart Foundation had breached rules around wealth screening, data and tele-matching and data sharing. The ICO also said the two charities "secretly screened millions of their donors so they could target them for more money," and "traded personal details with other charities creating a massive pool of donor data for sale".
The ICO also confirmed that, as a result of its investigation, the RSPCA would be fined £25,000 and the BHF would be fined £18,000. Both of these figures were first reported yesterday morning by the Daily Mail – whose article in September 2015 into the selling and swapping of data by charities led to the ICO’s investigation.
But the regulator said these fines could have been ten times as large if the parties involved were not charities. These fines would have been among the largest ever issued by the ICO.
The ICO said Elizabeth Denham, the Information Commissioner, had “exercised her discretion in significantly reducing the level of today’s fines, taking into account the risk of adding to any distress caused to donors by the charities’ action, particularly in the context of potential further penalties in the sector as a result of ongoing investigations.”
Denham said: “My exercise of discretion should not take away from how serious these breaches were, nor from how disappointed donors will be with the two charities we’ve fined today. The law exists to protect people’s rights and it applies irrespective of how altruistic the organisation’s motives might otherwise be.”
The data protection watchdog also said it will “lay an in-depth report before parliament in 2017”, and that it will “organise an educational event in partnership with the Charity Commission and the Fundraising Regulator”.
Ongoing investigations into fundraising charities
In a separate document contained within the ICO’s investigation findings, the data protection watchdog confirmed that its “investigation into other charities is nearing conclusion”.
The document, titled Charity fundraising practices, is aimed at the public and says that charities have been “ranking you based on your wealth”; “finding information about you, that you didn’t provide”, and “sharing your data with other charities, no matter what the cause and with no record.”
Beneath each of these statements is an explanation of what each of those practices means, and a section on "what is wrong with that". It also advises anyone who “thinks they may be affected” by any of these to contact the Fundraising Regulator.
Charity Commission confirm open compliance cases into both charities
The Charity Commission has also announced compliance cases looking at the activity of both the RSPCA and the British Heart Foundation.
The Commission made its announcement yesterday afternoon in the wake of the ICO findings. A Commission spokesman said that the inquiries had been open for some time, but had been published to coincide with the ICO’s findings, due to the high levels of public interest in those findings.
The Commission spokesman said that, while this is an issue for both the ICO and the Fundraising Regulator, it has got involved to assess “whether the trustees of each charity have acted in accordance with their duties under charity law”.
The Commission said that “the two charities acted properly in reporting the ICO investigations and notice of financial penalties to the Charity Commission” and that both sets of trustees are “cooperating fully with the Commission”.
According to the statement, both charities have now given the Commission “assurances that they have ceased” the practices mentioned in the ICO investigation.
Sarah Atkinson, director of policy and communications at the Charity Commission, said: “The fact that charities have been found in contravention of data protection requirements in this way is very serious and highly regrettable. Charities rely on public generosity to carry out their important work. In return the public trust charities to raise money in a considerate and responsible way and to use it effectively. The law requires, and the public expects, this will include safeguarding donors’ personal data.
"We are working with the charities concerned, the Information Commissioner and the new Fundraising Regulator, to ensure that any necessary remedial action is taken. The wider lessons for charities about their responsibility to protect donors’ personal data must be shared and acted on.”
The Commission also indicated that more investigation findings into charitable fundraising would soon follow.
"The Commission is aware that the ICO is investigating a number of other charities which may have similarly contravened the Data Protection Act, and may issue further monetary penalties," it said. "The Charity Commission will engage with these charities and in each case seek to establish whether the trustees have acted in accordance with their legal duties."
Both charities have been contacted for a statement.