Key findings from the ICO's investigations into 11 charities

06 Apr 2017 Voices

Yesterday the Information Commissioner’s Office fined 11 charities a combined total of £138,000 for data protection breaches and published monetary penalty notices outlining what each charity did wrong.  

It published more than 200 pages explaining what it had found and the decision to fine the charities. Here’s a summary of key points from the ICO’s findings.  

The International Fund for Animal Welfare – fined £18,000

Data sharing 

  • Participated in Reciprocate between 2011 and 2015 and disclosed 4,948,633 records
  • Shared data with 60 other charities 
  • To opt out people had to write to IFAW
  • ICO found it had contravened the requirement to process personal data fairly because privacy notice was “unduly vague”
  • Also found that IFAW’s data processing was “incompatible” with its privacy notices 

Wealth screening 

  • Between 2012 and 2013 IFAW submitted 685,956 requests to wealth screening companies, relating to 466,206 supporters
  • ICO concluded that supporters did not have “sufficient information” to understand that they would be wealth screened and that IFAW had again not processed data fairly and that data was not processed in a way that was compatible with the privacy policy

Data-matching and tele-matching 

  • IFAW had used an external company to carry out data-matching since 1995
  • Between 2006 and 2016 it matched 220,286 telephone numbers to supporters
  • IFAW stopped tele-matching in February 2016
  • Between 2012 and 2013 IFAW used an external company to match 50,383 emails to supporters
  • ICO found that again IFAW did not process data fairly and was not in line with its privacy notice 

ICO also concluded that the charity was also likely to have broken Privacy and Electronic Communication rules, but has not fined IFAW in relation to this. 

Cancer Support UK (formerly Cancer Recovery Foundation UK) - fined £16,000

Data sharing 

  • CSUK participated in the Reciprocate scheme 
  • To opt out of the privacy notice supporters had to write to the charity 
  • It shared 3,075,550 records between 2010 and 2016 mostly with charities, but also with a health supplements company, lottery and prize promotion companies 
  • CSUK “contravened the requirement to process data fairly” and in way that was “incompatible” with its privacy notices

Cancer Research UK – fined £16,000

Wealth screening 

  • CRUK used a wealth screening company between 2010 and 2016 – has now ceased activity
  • It processed 10,017,997 records, relating to 3,523,566 supporters 
  • ICO concluded that privacy notices did not indicate data would be processed for wealth analysis 

Data-matching and tele-matching 

  • CRUK used external companies to undertake tele-matching 
  • Since July 2011 it has matched at least 678,887 telephone numbers to supporters 
  • Now ceased tele-matching 

Guide Dogs for the Blind Association - fined £15,000

Wealth screening 

  • Guide Dogs used a company to carry out wealth screening of its entire database in 2008 and 2012 
  • In 2012 its database held personal data for 1,770,221 subjects 
  • Guide Dogs used wealth screening for specific activity in 2010 (162,137 subjects) and 2015 (246,226 subjects) 
  • The charity has not carried out wealth screening since April 2015
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that Guide Dogs had not processed data fairly or in a way that was compatible with its privacy policy

Data-matching and tele-matching 

  • An external company under took tele-matching for Guide Dongs since 2010
  • Guide Dogs has 248,094 tele-matched numbers on its database, 165,730 are registered with the Telephone Preference Service
  • The charity ceased tele-matching in December 2016
  • Guide Dogs used an external company to identify people who had not agreed to Gift Aid their donations to Guide Dogs, but had to other charities
  • The charity bought 13,969 pieces of data relating to Gift Aid in 2014 and 12,704 in 2015 
  • Guide Dogs told the ICO that it would not repeat this activity
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that Guide Dogs had not processed data fairly or in a way that was compatible with its privacy policy

Macmillan Cancer Support - £14,000

Wealth screening 

  • Macmillan used wealth screening companies in 2009 and 2014
  • In 2014, 2,188,508 supporters’ details were processed
  • It has now ceased wealth screening 
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that Macmillan had not processed data fairly or in a way that was compatible with its privacy policy

Data-matching and tele-matching 

  • An external company had undertaken tele-matching since 2009 
  • Macmillan does not have records of the exact number, but it is likely to “several hundred thousand” 
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that Macmillan had not processed data fairly or in a way that was compatible with its privacy policy

Royal British Legion - fined £12,000 

Wealth screening 

  • RBL used a wealth screening company in three years 
  • In 2010 it processed 1,449,799 records, in 2012 it processed 1,478,279 records and in 2014 it processed 2,445,6670 records 
  • No further plans to wealth screen and is in the process of deleting information from its database
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that RBL had not processed data fairly or in a way that was compatible with its privacy policy

Data-matching and tele-matching 

  • RBL used external companies to carry out tele-matching since 2010
  • It is likely to have matched about 900,000 records 
  • RBL used an external company to match email addresses to supporters since 2010
  • It has matched 52,966 email addresses to supporters 
  • The charity no longer carries out data-matching 
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that RBL had not processed data fairly or in a way that was compatible with its privacy policy

NSPCC - fined £12,000 

Data collection 

  • Between June 2014 and August 2015 the NSPCC’s standard form for collecting personal information did not provide information about how people’s data would be used for telemarketing and direct mail purposes
  • Prior to June 2014 the NSPCC had informed supporters of telemarketing, direct mail, and included an opt-out box
  • 22,354 individuals’ data was collected using the 2014 form 
  • 22,354 people were sent at total of 144,317 pieces of direct mail 
  • 11,360 individuals were telephoned up to November 2016
  • 3,527 calls were made to 2,540 TPS registered numbers
  • ICO concluded that people would not have realised their data was being processed 

Data-matching and tele-matching 

  • NSPCC used external companies to carry out tele-matching from 2010
  • Between April 2010 and May 2016 the charity tele-matched 246,751 individuals’ records 
  • 46,415 telephone numbers were TPS registered, and the NSPCC did not screen against the TPS
  • NSPCC used an external company to match email addresses to suppoters 
  • In November 2014 the charity data-matchied 115,741 individuals’ records 
  • NSPCC has ceased data and tele-matching activity
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that NSPCC had not processed data fairly or in a way that was compatible with its privacy policy

Wealth screening 

  • NSPCC used a wealth screening company to market specific events to selected people 
  • The charity provided names, addresses and donation history to the company 
  • In April 2014 NSPCC provided 2,105,145 records to be screened and the company tagged 3,217 records as being ‘millionaire(s)’ 
  • NSPCC contacted 493 of those tagged as ‘millionaire’ on that basis 
  • Separately NSPCC used a wealth screening company to screen 5,870,135 records and the company tagged 1,862 with a wealth flag. 70 individuals were targeted for a regional legacy event
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that NSPCC had not processed data fairly or in a way that was compatible with its privacy policy

Text donations 

  • ICO also highlighted that NSPCC’s text donation messaging for a DRTV campaign was likely to have contravened PECR 
  • After making a donation supporters were sent two messages – one about NSPCC’s work and the second about opting out 
  • ICO said the charity did not have permission to send either message but is not fining the charity for the activity 

Great Ormond Street Hospital Children’s Charity – fined £11,000 

Data sharing 

  • Participated in Reciprocate between 2011 and 2015
  • The charity shared 910,283 records
  • GOSHCC shared data with 40 other charities 
  • No longer shares data 
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that GOSHCC had not processed data fairly or in a way that was compatible with its privacy policy

Wealth screening 

  • GOSHCC used a wealth screening company to run two campaigns to identify who could give more or leave a legacy
  • Between 2010 and 2016 it processed on average 795,000 records per month 
  • Activity ceased in July 2016
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that GOSHCC had not processed data fairly or in a way that was compatible with its privacy policy

Data-matching

  • GOSHCC used an external company to match email addresses to supporters between 2012 and 2015 
  • It matched 103,500 email addresses 
  • It also used an external company to match 208,000 dates of birth to individuals 
  • GOSHCC has now ceased data-matching 
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that GOSHCC had not processed data fairly or in a way that was compatible with its privacy policy

WWF-UK fined £9,000 

Data sharing 

  • WWF-UK was a member of the Reciprocate scheme 
  • It joined the scheme in 2012 and left in June 2015 and in that time shared 174,512 records 
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that WWF-UK had not processed data fairly or in a way that was compatible with its privacy policy

Wealth screening 

  • WWF-UK used a wealth screening company to identify donors who might make a larger donation on three occasions – 2006, 2011 and 2016
  • In 2011 it screened 211,352 records and in 2016 it screened 580,098 records
  • It has ceased using third parties for wealth screening 
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that WWF-UK had not processed data fairly or in a way that was compatible with its privacy policy

Data-matching and tele-matching 

  • WWF-UK began tele-matching in 2006 and stopped in March 2016
  • It tele-matched 83,475 records relating to 55,684 supporters 
  • It has ceased tele-matching activity
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that WWF-UK had not processed data fairly or in a way that was compatible with its privacy policy

Battersea Dogs’ and Cats’ Home – fined £9,000

Tele-matching 

  • BDCH used external companies to carry out tele-matching between November 2010 and July 2015 
  • Between January 2011 and July 2015 it processed 740,181 records 
  • 385,709 records were matched and 229,476 people were contacted
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that BDCH had not processed data fairly or in a way that was compatible with its privacy policy

Oxfam – fined £6,000 

Tele-matching 

  • Between 2003 and 2015 Oxfam used external companies to carry out tele-matching 
  • Since 2011 it has tele-matched 267,521 records and used numbers obtained to call people 
  • It ceased activity in 2015
  • Privacy notices did not indicate that the activity would be carried out 
  • ICO concluded that Oxfam had not processed data fairly or in a way that was compatible with its privacy policy

 


 

More on