The ICO has recently issued substantial fines to eleven major charities for breaching the first and second principles of the Data Protection Act 1998 (DPA). Charities regularly process the personal data of their supporters and donors, and when doing so they must abide by the principles of the DPA 1998.
A number of the breaches were found to relate to the following:
- Disclosure of data for wealth screening purposes – many of the charities were found to have engaged in wealth screening, by providing personal data of their supporters to wealth screening companies with the aim of identifying high value or wealthy individuals;
- Disclosure of data to third parties for tele-matching purposes – tele-matching is the process of using personal data to obtain telephone numbers of individuals who may not have provided this information. The charities disclosed personal data of their donors to external tele-matching companies and used the telephone numbers obtained to make live marketing calls; and
- Usage of personal data for live telephone or marketing purposes.
In each of these instances, the charities, when initially collecting the individual’s data, did not inform them that their data would be processed in this manner. This was also not disclosed in any privacy notices or communications from the charity. Interestingly, the ICO stated that issuing a letter to an individual after the collection of their data, disclosing that the individual’s data would be used for marketing, did not minimise the breach.
Charities should remain cautious when processing personal data, be careful to ensure compliance with the DPA and avoid the above breaches.