Charities and data protection - the basics
Charities must ensure they handle supporters' personal data correctly, or risk financial penalties and the loss of public trust, writes Bethan Walsh
Following various media reports in 2015 about significant pressure being placed on supporters to contribute to charities, the Information Commissioner’s Office (ICO) carried out investigations into the practices of several charities. These investigations were part of a wider operation by the ICO to tackle breaches of the Data Protection Act 1998 (DPA 1998).
As a result, significant monetary fines were issued to a number of high-profile charities, including the British Heart Foundation (BHF), the RSPCA, Cancer Research UK, the NSPCC, and Oxfam. Collectively, these charities were fined £156,000 after the information commissioner exercised her discretion to greatly reduce the fines.
The ICO said that some of the charities had been fined because they had engaged in the screening of millions of donors so they could target them for further funds, while others had traced and targeted new or lapsed donors based on personal information obtained from other sources. Some even traded personal details with other charities, creating a large pool of donor data for sale.
In particular, the BHF and RSPCA fell foul of the DPA 1998 in relation to:
Data sharing through a donor data-swapping scheme;
Wealth screening; and
Data matching (telephone matching).
These practices were found to be in breach of the first principle of the Act, which states that any personal data must be processed fairly and lawfully. The ICO’s decision was mainly based on the fact that the BHF and RSPCA had not sufficiently informed their supporters that their data would be shared and subject to wealth screening and data matching.
The lack of clarity and transparency meant that the supporters could not properly exercise their right to opt out of direct marketing. By failing to inform supporters of the way in which their data would be handled, the charities had essentially stripped them of their right to object.
These investigations raise concerns for the sector generally. Although the ICO has confirmed that there are no further investigations into the fundraising practices of charities following the media reports of 2015, this is an area on which the ICO is likely to keep its focus in order to ensure compliance within the sector.
All charities that process and hold information about individuals have a legal obligation to protect that data under the DPA 1998. This is not only about keeping information safe, but also about keeping people safe. If personal data is misused and falls into the wrong hands, that can be very harmful for the individuals concerned.
The DPA 1998 is only concerned with the treatment of ‘personal data’. For the purposes of the Act, information is personal if it is concerned with identifiable, living individuals, while data is information which is processed or recorded in a particular way or with a particular intention. Practitioners must ensure they review the full definitions for themselves.
The basic obligations of charities under the DPA 1998 are as follows:
Notify the ICO: Almost all organisations that act as data controllers must register with the ICO, providing details on the types of data they hold and the purposes for which it is processed. This registration must be renewed each year.
Informing people and being transparent: People have a legal right to be informed about how their data is being handled and with whom it might be shared. In these circumstances, ignorance is not bliss. Information that is stated to be held for a specific purpose can only be held for that purpose. For example, a charity that asks an individual to provide an email address so that they can be sent a newsletter cannot then send that individual a donation request, unless the charity confirms that the email address may also be used for that purpose. Charities should consider how people would expect their personal data to be handled. The answer should be set out in a clear privacy notice made available to supporters at the outset. Compliance with this requirement will also help charities to build lasting relationships with their supporters and will increase public trust and confidence in the sector as a whole.
Ensure staff are properly trained: Both new and existing members of staff should receive adequate training to ensure they understand how personal data is to be handled. New staff should be fully trained and existing staff should regularly receive refresher training. Every charity that handles personal data should also have a data protection policy in place.
Security: Ensure information is secure from potential hackers. This includes using strong passwords and encrypting sensitive folders and any portable devices, such as USB sticks, laptops, and tablets.
Retain personal data only for as long as is necessary: Personal data should only be held for as long as is necessary, and to ensure compliance a charity should have established retention periods in place. A process should also be implemented to ensure that personal data is properly and safely deleted once it is no longer required.
While these guidelines are suitable for small and medium-sized charities, larger organisations should consider outsourcing their data storage to specialists. It will be important to carry out due diligence checks on such specialists before engaging them to ensure they are suitable.
Data protection is a particularly complex area of law and this note is intended only as an indicator of the key basic points that charities should be aware of. It is important that charity trustees acknowledge that this is a matter on which they must have a firm handle, and responsibility for compliance should remain with the board and not be delegated to members of staff.
Compliance with the requirements of the DPA 1998 will help organisations build relationships with their supporters, as well as increasing public trust and confidence generally. Organisations that are trusted are more likely to have sustainable success, particularly with the introduction of the General Data Protection Regulation (GDPR), coming into force in May 2018.
GDPR is a new data protection regime for the current digital era that builds on the DPA 1998. It provides additional safeguards for individuals, which in turn places greater obligations on organisations. Under the GDPR, consent will need to be informed and freely given. A pre-ticked box on an online form will not be valid consent for the purposes of complying with the new regulation. We strongly recommend that charity trustees and CEOs start familiarising themselves with the GDPR sooner rather than later, for example by attending workshops and seminars on the matter.
The ICO has links to a number of resources and guidance notes on its website, including a toolkit created specifically for charities. Mishandled data can have serious repercussions for charities, their employees, and their supporters, and ensuring data is properly dealt with is a legal requirement. Poor data handling can lead to ICO investigation and severe financial penalties. It can also result in significantly reduced income, bad press, loss of reputation, and loss of trust from supporters and the general public. Compliance is not optional and it is in everyone’s interests to ensure data is properly handled. SJ
Bethan Walsh is an associate in the charity and social enterprise team at Geldards