An ICO investigation into charity fundraising practices has led to two charities being fined and eleven being issued with Notices of Intent to fine.

The ICO investigation revealed multiple data protection breaches by charities, including the secret wealth screening of donors in order to target them for more money.

The ICO's investigation, which took place during 2015/16, revealed numerous serious and widespread data protection breaches in the charity and fundraising sector. In particular, the ICO found that charities:

  1. employed wealth management companies to secretly screen the wealth of their donors, in order to target them for more money;
  2. shared donor data with each other without permission; and
  3. used companies to "fill in gaps" in personal information provided by donors. For example, where a donor only provided an email address, the charity would engage a company to find out the donor's telephone number and/or postal address, so that the charity could also contact the donor using these additional contact details.

Such practices were conducted without the permission or knowledge of donors.

The British Heart Foundation and the RSPCA are the first to be fined - £18,000 and £25,000 respectively.

The practices adopted by the charities have been slammed by Information Commissioner, Elizabeth Denham. She expressed concern that the: “widespread disregard for people’s privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator’s fine for their charity’s misuse of personal information.”

The ICO is now focusing on educating charities on their data protection obligations. For further information, see the ICO blog statement.