ICO fines 11 major charities for data protection breaches

05 Apr 2017 News

The Information Commissioner’s Office has today fined 11 charities, including Cancer Research UK, Macmillan Cancer Support and NSPCC for breaches of data protection law.

The regulator had previously issued fines to the British Heart Foundation and RSPCA in December.

The ICO published the names of the charities and the amounts each have been fined in a statement on its website. Collectively the 11 charities have been fined £138,000.

The name of the charities and the amounts they have been fined are:

  • The International Fund for Animal Welfare - £18,000
  • Cancer Support UK - £16,000
  • Cancer Research UK - £16,000
  • Guide Dogs for the Blind Association - £15,000
  • Macmillan Cancer Support - £14,000
  • The Royal British Legion - £12,000
  • The NSPCC - £12,000
  • Great Ormond Street Hospital Children’s Charity - £11,000
  • WWF-UK - £9,000
  • Battersea Dogs and Cats Home - £9,000
  • Oxfam - £6,000

The ICO said that some of the charities had been fined because they had “screened millions of donors so they could target them for additional funds," while others had "traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And some traded personal details with other charities creating a large pool of donor data for sale.”

The fines follow the ICO’s findings against both the RSPCA and the BHF for similar breaches of the Data Protection Act in December 2016. The two charities were fined £25,000 and £18,000 respectively.

'Millions of people affected'

In a statement Elizabeth Denham, the Information Commissioner, said that “millions of people will have been affected by these charities’ contravention of the law” but said she had again exercised her discretion in “significantly reducing the level” of the fines.

“Millions of people will have been affected by these charities’ contravention of the law. They will be upset to learn the way their personal information has been analysed and shared by charities they trusted with their details and their donations,” said Denham.

“No charity wants to alienate their donors. And we acknowledge the role charities play in the fabric of British society. But charities must follow the law.”

The fines issued to both the RSPCA and the BHF were also “significantly reduced” at Denham’s discretion to mitigate any risk of “adding to any distress caused to donors by the charities’ actions”.

‘These fines draw a line under a complex investigation’

Denham said: “These fines draw a line under what has been a complex investigation into the way some charities have handled personal information. While we will continue to educate and support charities, we have been clear that what we now want, and expect, is for charities to follow the law.”

The investigation into the 11 organisations was first announced in January and stemmed from a number of media reports about fundraising charities use of supporters’ personal data which were published in major newspapers between the middle of 2015 and the beginning of 2016.

The investigation was called Operation Cinnabar. The ICO said there are “no other outstanding investigations into charities” currently being conducted as part of this operation.

Civil Society Media is hosting two breakfast seminars discussing the EU General Data Protection Regulation (GDPR) ahead of its introduction in May 2018. Booking is now open on events - click here to book in May and here to book in June

 

 

More on