The information commissioner, Elizabeth Denham, has warned businesses that with one year to go until implementation of the General Data Protection Regulation, there’s no time to delay in preparing for ‘the biggest change to data protection law for a generation’.
Among a number of initiatives to mark one year until GDPR compliance, the Information Commissioner’s Office (ICO) has published an updated data protection self-assessment toolkit for SMEs, which includes a new element to help organisations assess their progress in preparing for the GDPR, and has updated its ‘12 steps to take now’ guidance. The ICO has also launched its information rights strategy, setting out its mission statement to increase public trust over the next four years.
The ICO recently issued 11 charities with a monetary penalty under section 55A of the Data Protection Act 1998 for misusing donors’ personal data.
The ICO investigations found that a number of the charities secretly screened millions of donors so they could target them for additional funds. The charities traced and targeted new or lapsed donors by piecing together personal information obtained from other sources and traded personal details with other charities, creating a large pool of donor data for sale.
The ICO has exercised its discretion in reducing the level of fines, taking into account the risk of adding to any distress caused to donors by the charities’ actions. The same approach was taken to fines issued to the RSPCA and British Heart Foundation in December 2016.
Common reporting standard
The common reporting standard (CRS), which is derived from the automatic exchange of information standard, requires ‘financial institutions’ to provide HMRC with information on financial accounts and came into force on 31 May 2017. Some charitable companies and trusts will be deemed to fall within this label, so it is important for charities to assess whether it applies to them.
A charity will qualify if it is deemed to be an investment entity, which is based on two sets of criteria: if it primarily conducts certain financial activities as a business for or on behalf of a customer; or if it is managed by a financial institution and meets the financial assets test. HMRC has realised that for certain types of entity it can be hard to distinguish whether they qualify, and so has provided additional guidance for trusts and charities. Charities that are not financial institutions will be non-financial entities and do not have reporting requirements under the CRS.
Digital marketing and fundraising
The Digital Economy Act 2017 came into force on 27 April, and there are a number of provisions which will affect charities and schools.
Where an organisation carries out direct marketing or fundraising, it has to comply with data protection legislation and, in particular, be able to meet the first data protection principle before using any individual’s personal data to contact them. In practice, this means being able to show that the organisation has consent, or that the use of the information for marketing is necessary for a legitimate interest of the organisation and that no harm or prejudice to the individual arising from what the organisation is doing would outweigh the legitimate interest being pursued.
As you will all be aware, from May 2018, the GDPR will require all consents to be specific, informed, freely given, and unambiguous – and the onus will be on organisations to prove that each and every time they rely on consent, they can show that the consent obtained meets those criteria.
For charities, where they are fundraising (which may include encouraging individuals to leave a legacy), there is the additional burden of the Fundraising Regulator and the code of fundraising practice, which are clear that if charities are relying on consent, it has to be in the form of an opt-in. There is a requirement for the information commissioner to produce a code of practice which will hopefully provide practical guidance. The key issue for charities will be how this fits with the Fundraising Regulator’s code, and whether there will be some consistency in approach.
The other interesting aspect of the new Act is that it leaves open the possibility of new fees that will be payable to the information commissioner. Under the EU legislation, registration fees would have been scrapped, but this Act allows for regulations to be made which can set an entirely new fee structure, payable by data controllers, even where they do not use the services of the information commissioner. Watch this space post Brexit.
The Charity Commission has updated its financial guidance for charity trustees, ‘Charity finances: trustee essentials (CC25)’. While trustees’ legal duties regarding financial management haven’t changed, the commission is making a conscious effort to ensure trustees are best placed to protect their charity’s assets and resources. The commission has said that it intends the guidance to be the ‘go-to’ financial publication for charity trustees and staff to address any knowledge gaps, to get assurances on whether they are doing the right thing, and to ensure that charity trustees understand their basic financial responsibilities. The guidance, which was originally published in 2011 under the title ‘Managing charity assets and resources’, has been ‘refreshed and made more accessible and readable’.
The commission has also re-published its ‘Charity governance, finance and resilience: 15 questions trustees should ask’ checklist. Small changes have been made to improve clarity.
The commission is conducting a wider ongoing review of how it supports charity trustees in this area, working with external partners and umbrella bodies. It has called upon financial professionals and accountants to take a leadership role in the renewal of financial governance in the charity sector.
Charity governance code consultation
The commission has announced that it is to withdraw its good governance guidance, ‘The hallmarks of an effective charity (CC10)’. The guidance sets out the standards or hallmarks that trustees can follow to improve their charity’s performance and governance.
The change follows on from a consultation asking for comments on a newly proposed version of the charity governance code (CGC), first published in 2005. In its response to the consultation, the commission stated that ‘the sector itself needs to take the lead’ in terms of the promotion of good governance – in order to follow through on this line of thinking, the commission has made the decision to withdraw CC10 and instead promote the CGC.
Stone King submitted a response to the consultation. The view of our working party was that continuous improvement in governance is both necessary and desirable, but they were conscious that the tone of any guidance needs to be considered carefully so as not to put people off trusteeship. The working party also found that while the draft code provides very worthwhile guidance, it is important to remember that there is not a one-size-fits-all approach when it comes to governance of a charity and that, for the smaller charities, schools, and faith charities, the code could be intimidating and inaccessible when they attempt to translate it into practical everyday administration of their charity.
It was also felt to be important that the guidance is seen as good practice guidance as opposed to being a legal requirement. In a previous version of the CGC it was suggested there should be a nine-year maximum length of trusteeship. This came to be seen as a legal requirement rather than a recommendation of good practice, when in reality it should be for each charity to determine what is appropriate in the circumstances. A final version of the code is yet to be published and there has been an indication that some of these concerns will be taken into account.
Complementary and alternative medicine
The commission’s consultation on how it should approach registering organisations that promote complementary and alternative medicines (CAM) closed on 20 May. The commission had put a notice on its website some time ago stating that its guidance in this area was under review.
The Q&A section of the commission’s operational guidance states that ‘the efficacy of homeopathy was called into question in 2010 when parliamentary and media coverage suggested that the claimed health benefits are unfounded and that there is no evidence that its benefits exceed a placebo effect. However, there has been no subsequent parliamentary or legislative determination which has changed recognition of its efficacy.’
However, in September last year, the Good Thinking Society threatened the commission with judicial review, saying that failure to address concerns regarding the status of such charities could be unlawful. The commission responded by committing to a review of the law regarding the advancement of health as a charitable purpose, to be completed by 1 July 2017, and the consultation forms part of this.
Sarah Clune is an associate solicitor at Stone King