The Information Commissioner’s Office has fined charities the RSPCA and the British Heart Foundation £25,000 and £18,000 respectively for practices relating to the use of data relating to donors and potential donors. Amongst other breaches, the ICO discovered that the organisations had engaged in “wealth screening” of individuals for the purpose of targeting them for further fundraising.
The ICO’s investigations revealed that the charities had, without the knowledge or consent of the individuals concerned, engaged wealth management companies to ascertain how much money data subjects had, with a view to estimating the likely levels of donations they may be prepared to make. Millions of people were subject to financial analysis of this type.
An additional breach related to “data and tele-matching”. Where donors opted not to provide personal information when requested, the charities would engage external companies to obtain this, using existing data or telephone numbers to fill in the gaps.
The ICO also found that the charities had shared and exchanged personal data relating to donors with other charitable organisations. Whilst the organisations did give donors the ability to “opt out” of data sharing, they had been vague about, and failed to disclose, the data sharing practices they were involved in. Individuals could therefore not make an informed decision about whether or not to opt out. In short, the ICO found that the charities had fallen short of their legal duties.
The penalties imposed on the organisations could have been far higher. In setting the levels of the fines, the ICO took into account that higher fines could cause further distress to the donors affected by the practices under investigation. This said, it is understood that the charities may be planning to appeal the ICO’s decision.
Separately, the charities also face an investigation by the Charity Commission for breaching charity law. Sarah Atkinson, director of policy and communications at the Commission, said: "The fact that charities have been found in contravention of data protection requirements in this way is very serious and highly regrettable."
The case is a salutary reminder that charities are not exempt from compliance with the rules on data protection. In fact, the law is particularly applicable to them given their handling of extensive information relating to individual fundraisers and their finances. Charitable organisations are subject to the supervisory powers of the Charity Commission as well as the ICO, so they are well advised to invest the necessary resources to avoid scrutiny.
To assist in their data protection compliance efforts, the ICO has issued its top five tips for small and medium-sized charities and third sector organisations:
- Tell people what you are doing with their data: Data subjects should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice), so it is important you are open and honest with people about how their data will be used.
- Make sure your staff are adequately trained: New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
- Use strong passwords: There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
- Encrypt all portable devices: Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
- Only keep people’s information for as long as necessary: Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.
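The last tip asks for two things: a documented retention schedule and a repeatable process that applies it. The following is an added illustration of such a process, not code from the ICO or from either charity. The record categories, the retention periods (counted from the donor's last interaction rather than from first collection) and the sample donor records are all constructed for the example; a real schedule would be set by the organisation's own legal and Gift Aid obligations. Records whose category is missing from the schedule are reported for manual review rather than deleted, so a gap in the schedule fails closed.

```python
from datetime import date, timedelta

# Hypothetical retention schedule: days each category of donor record is kept,
# counted from the donor's last interaction rather than the date of collection.
# The categories and periods are constructed for illustration only.
RETENTION_DAYS = {
    "active_donor": 365 * 2,
    "lapsed_donor": 365,
    "enquiry_only": 90,
}

# Constructed sample records (not real donors). "legacy_import" deliberately has
# no entry in the schedule above.
SAMPLE_RECORDS = [
    {"id": "D001", "category": "active_donor", "last_contact": date(2015, 1, 10)},
    {"id": "D002", "category": "active_donor", "last_contact": date(2016, 11, 1)},
    {"id": "D003", "category": "lapsed_donor", "last_contact": date(2015, 6, 30)},
    {"id": "D004", "category": "enquiry_only", "last_contact": date(2016, 8, 1)},
    {"id": "D005", "category": "legacy_import", "last_contact": date(2010, 1, 1)},
]


def review_retention(records, today, schedule=RETENTION_DAYS):
    """Split records into those due for deletion and those needing manual review.

    `today` may be a date or an ISO-format string. A record is due for deletion
    once `today` is on or after last_contact plus the retention period for its
    category. Records whose category has no entry in the schedule are never
    deleted automatically; they are reported for review so that a gap in the
    schedule neither silently deletes nor silently retains data.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    to_delete, to_review = [], []
    for rec in records:
        days = schedule.get(rec["category"])
        if days is None:
            to_review.append(rec["id"])
            continue
        if today >= rec["last_contact"] + timedelta(days=days):
            to_delete.append(rec["id"])
    return to_delete, to_review


if __name__ == "__main__":
    # Run the sweep as at an arbitrary constructed date.
    delete, review = review_retention(SAMPLE_RECORDS, "2016-12-09")
    print("due for deletion:", delete)   # ['D003', 'D004']
    print("needs review:", review)       # ['D005']
```

The function only identifies records; the actual deletion step should be logged and, ideally, reversible for a short grace period, since the same schedule that justifies deletion also has to stand up to a subject access request made the day before.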
Whilst these tips are helpful, specific advice may be needed in particular circumstances.