The Information Commissioner's Office (ICO), the body responsible for ensuring that organisations comply with the Data Protection Act 1998 (the Act), has published new data protection guidance for charities to promote good practice in their handling of personal information and to ensure that they comply with the Act.
Over the last 12 months the ICO has undertaken advisory visits to 32 charitable organisations to see how the sector handles personal data and to assess what it does well and where there is room for improvement. The organisations visited varied greatly in size, resources, facilities and the sophistication of their systems and processes; however, the ICO found common themes running throughout the sector. In particular, the ICO found charities' dependence on volunteers to be a challenge: there is often a high turnover in staff, and it can be difficult for charities to ensure that volunteers are aware of their data protection responsibilities and comply with the Act. Furthermore, charities should ensure that proper procedures are implemented to reduce the risk of unauthorised and inappropriate access to personal information by new starters.
The ICO identified a number of areas of good practice in the charities it visited, including:
- Around a third provided information to their customers about how their personal data is processed and which organisations their information is shared with.
- Over a third granted employees access to IT systems and electronic data on a "need to know" basis.
- Around one quarter had a formal policy setting out data protection procedures and the roles and responsibilities of staff.
Areas where there was found to be room for improvement include:
- The production of formal retention schedules to ensure that personal data is only retained for an appropriate period of time.
- Physical and electronic security, such as the use of locked cabinets, minimum levels of password complexity and disabled USB ports and DVD/CD drives.
- A lack of annual refresher training on data protection for staff that handle personal data.