Charities should review their compliance with data protection and charity law obligations as a result of a recent statement from the UK Information Commission (ICO) and changes in fundraising practices.
Data protection and fundraising
The ICO, the UK-wide data protection regulator, issued a statement on 30 January 2017 that it had informed eleven charities that it intends to fine them for breaching their obligations under the Data Protection Act 1998 (“DPA”).
This statement follows an investigation by the ICO into the fundraising practices of charities, and the issuing of monetary penalties in December 2016 to the Royal Society for the Prevention of Cruelty to Animals (“RSPCA”) and the British Heart Foundation (“BHF”) for failing to handle donors’ personal data in compliance with their obligations under the DPA. The fines were for £25,000 and £18,000 respectively.
In particular, the practices identified by the ICO as breaching the DPA were:
- Wealth screening to target donors for money
- Data and tele-matching of personal data obtained from other sources to trace and target new or lapsed donors
- Data sharing with other charities creating a massive pool of donor data for sale
Donors were not informed of these practices, and so were unable to consent or object. Therefore, the ICO found that these practices breached the first and second data protection principles set out in the DPA, because the use of donors’ personal data in this way was not fair and the information was being used in a way that wasn’t compatible with the purpose for which it was collected.
Charities, like all other organisations that process personal data (information from which an individual is directly or indirectly identifiable), must comply with the terms of the DPA. As these cases demonstrate, failure to do so can have serious financial consequences. It can also have wider reputational implications which potentially affect giving within the charity sector. We have, for example, seen donors requesting reassurance from the charities they support about the ways in which their data is used. Breach of the DPA also means that the charity trustees in question are in breach of their statutory duties of care and responsibility under the charities legislation, which can have regulatory implications.
These fines are part of the ICO’s wider focus on ensuring compliance within the charity and fundraising sector. In light of these decisions, it is therefore important that all charities take the time to review their DPA procedures, donor protocols and fundraising practices to ensure compliance with both data protection and charity law requirements. In particular, charities should consider how they use the personal data of potential donors/donors (including who it is shared with), whether potential donors/donors are told about this use when their personal data is collected, and whether they are given the opportunity to consent/object to this use.
It will therefore be very important for all charity trustees to keep up to date with the fundraising changes taking place in Scotland this year. We reported on these changes in our earlier ezine and will provide further updates as and when these changes occur.