Ignorance is not always bliss, warns Mairéad O'Reilly, as charities are warned to be more aware of their data protection responsibilities.
Lack of staff awareness is one reason why more charities are suffering data protection breaches. In August, the Information Commissioner’s Office (ICO), the UK regulator on data privacy, noted that charities may be struggling to look after people’s data.
Successfully protecting personal data depends on staff knowing what not to do.
Charities often hold very sensitive personal information about their beneficiaries, such as medical details, or information about ethnicity, religion or criminal records. This makes it particularly important for them to ensure that both paid staff and volunteers are educated in how to keep such records safe.
Many charities experience data protection breaches because staff and volunteers who are processing data do not fully understand the obligations of the charity to protect the personal data that they hold. And in many cases charities lack the resources to implement security systems which their commercial counterparts are introducing to protect sensitive personal information.
The use by charities of more diverse ways of holding and storing data, for instance on laptops and memory sticks, as well as the increasing trend towards overseas outsourcing, creates a greater risk of data being lost.
If you don’t have a clear policy of educating staff who process personal information on the key principles of data protection, you could be placing your charity at greater risk of data protection breaches and ultimately enforcement action by the ICO.
Charities should, at the very least, ensure they have policies on how to protect data. If breaches do occur and the ICO investigates, the existence of a policy and a clear record of staff training demonstrate that the charity itself takes data protection seriously. Failing to have any policy at all could be an indicator of poor data protection compliance.
In August, the ICO explicitly stated that charities could be fined up to £500,000 for serious data breaches. Until now the ICO has issued fines relatively sparingly and, so far, charities have been subject to investigations and have been required to give undertakings or been issued with enforcement notices, rather than fines.
There has never been a fine issued against a charity by the ICO before and some charities have taken that to mean they are very low on the ICO’s priority list. But the recent announcement by the ICO can be seen as a message that it does take data protection breaches by charities seriously and expects them to be taking meaningful steps to ensure compliance.
Mairéad O'Reilly is a senior associate at Bates Wells & Braithwaite