Regulators issue joint data protection alert for charities

12 Dec 2016 News

Charity Commission building

Fergus Burnett

The Charity Commission and the Fundraising Regulator have issued a joint alert, warning charities to “immediately cease” any fundraising activity that breaches the Data Protection Act. 

The two regulators issued the warning on Friday afternoon, and called on the fundraising sector to “immediately cease any activity described and set out by the ICO notices as being in breach of data protection law” and called for the sector to “review and assess activities in the areas of data collect, storage and use” to ensure it is compliant with data law. 

Both the Charity Commission and the Fundraising Regulator made the announcement at the end of a week which saw the ICO confirm that it had fined both the RSPCA and the British Heart Foundation for numerous breaches of the data protection act, following an investigation. 

The ICO’s investigation found evidence that both charities had shared hundreds of thousands, if not millions, of supporter’s personal data with list broking schemes over a period of a number of years. The ICO also ruled that both charities had been unlawfully wealth screening supporters and knowingly passing on the data of supporters who had opted-out of being contacted. 

Both the RSPCA and the BHF’s actions were roundly criticised by the Information Commissioner, who said she had personally exercised discretion to lower the fines, but said that “should not take away from how serious these breaches were, nor from how disappointed donors will be with the two charities fined today”. 

Joint statement sets out ‘key steps’ trustees and charities should take immediately

Alongside calling for charities to immediately cease any activity described by the ICO as being in breach of data protection law, the Charity Commission and Fundraising Regulator also set out a number of key points it said that charities and trustees alike to take. 

The regulators called for an immediate review and assessment of numerous things, including “activities in the areas of data collection, storage and use to ensure it is compliant with clear, data protection law – this should include reviewing fair processing statements to ensure they are explicit, clear, transparent and highly visible” and “current data governance systems and processes to ensure they are fit for purpose and evidence sufficient oversight, control, are operating and effective”. 

The statement said that, “where breaches are identified ensure you review the requirements for reporting to the ICO and comply – where a notification of breach is required to also submit a notification to the Charity Commission” and said, where breaches occur, to “consider the risk to those whose data has been breached and any action required to mitigate risks to those individuals and their data”. 

The joint statement concludes that charities should notify the Charity Commission “about any investigation of their charity by the Information Commissioner by reporting a serious incident”. 

‘Practices that some consider common practice’ in breach of DPA, says Commission

David Holdsworth, chief operating officer at the Charity Commission, said that charities must “learn the lessons” from last week and do so quickly, if they are to recover from the damaging findings of the investigation. 

“Charities must learn the lessons from this week and do so quickly. Practices that some charities consider ‘common practice’ are in breach of the data protection requirements and should be ceased immediately. Charities are subject to the same legal requirements as all other organisations and must properly safeguard personal information according to the law. Acting in breach of their legal obligations under data protection law has and will incur substantial financial penalties and generate damaging public criticism about charity fundraising.”

“Our expectation is that trustees have systems in place so that, at their charity, there is the right level of knowledge and awareness about the rules and that, crucially, they are adhered to.”

Stephen Dunmore, interim chief executive of the Fundraising Regulator, said the ICO’s findings last week should be a “wake-up call for the whole sector” and called on the sector to meet its legal obligations surrounding data protection. 

“The ICO’s monetary penalty notices for these two charities should be a wake-up call for the whole sector,” he said. “Charities must meet their legal obligations to ensure that they always have the proper consents in place for the use of personal data, both by purpose and communication channel.”

“Achieving compliance with data protection law is now an urgent priority, if charities are to avoid further reputational risk and re-establish public and donor confidence in fundraising.”


More on