Following monetary penalty notices issued against the RPSCA and the British Heart Foundation last December, the Information Commissioner's Office has fined another eleven charities for breaches of data protection laws. The ICO's action follows a two year investigation.

How did the charities breach data protection law?

The contraventions cover three broad activities:

  • Wealth screening - profiling donors so that they could be targeted for additional donations
  • Data and tele-matching - using third party data sources to fill in the gaps in donor records
  • Data sharing - trading personal details with other charities, creating a pool of donor data for sale

In carrying out these activities, the charities breached a number of the data protection principles set out in the Data Protection Act 1998 (DPA). These include principle 1 (that data is processed fairly and lawfully) and principle 2 (that data is used only for a purpose consistent with the purpose for which it was collected).

In total, the fines issued to the 13 charities come to £171,000, but the ICO has made clear that the level of fines was significantly reduced from the levels that might have applied had the organisations in question not been charities.

Has the ICO issued any guidance to charities?

The ICO published a conference paper on these issues in advance of a joint event with the Charities Commission and the (English and Welsh) Fundraising Regulator on fundraising and data protection. You can read the paper on the ICO website.

The paper emphasises that charities need to ensure that their use of personal data complies with the data protection principles.

Whilst the ICO has not said that these activities can never be carried out, organisations need to ensure that it is done in a lawful way.

That means ensuring that the individuals in question are provided with fair notice of what the charity will do with their data and ensuring that the organisation has satisfied one of the conditions in Schedule 2 of the Data Protection Act - ie valid and informed consent or the charity's legitimate interests. The latter involves balancing those interests against the intrusion into the individual's privacy.

There is also an overarching requirement for the processing to be fair. As Elizabeth Denham, the Information Commissioner, said in her keynote speech at the fundraising conference:

Fairness...means that personal information should only be used in a way that people would reasonably expect

Fair notice is usually provided by way of a privacy notice, and the ICO emphasises that charities will need to go to particular efforts to bring these activities to the attention of donors as (in its view) things like wealth screening would not fall within the reasonable expectations of individual donors. It should not be hidden in a link on a website.

When using third party data sources, charities also need to ensure that they are using that data in a manner that is consistent with the purpose for which it was originally collected. Just because data is shared by an individual on social media or is available from a public source or a third party does not mean that it can be used for any purpose. It is incumbent on the charity, as the data controller, to carry out appropriate diligence on its data sources.

As the ICO says, there may be reasons why an individual has decided not to share particular information. Whilst there is an obligation under the DPA to ensure that data is up to date, that does not mean that charities (or any other organisation) are required to find someone's new phone number when a previous phone number no longer works. It should simply delete the out of date number from its records.

Similar issues apply in relation to data sharing. Whilst data sharing is not prohibited by the DPA, it does need to be carried out in a manner that complies with the DPA. In these cases, the charities in question had failed to ensure that they did so. In one case, the charity unlawfully shared over 3,000,000 donor records with third parties, including lottery and prize promotion companies.

Charities and third sector organisations should also be thinking about how the steps that the General Data Protection Regulation (GDPR), which comes into force in May 2018 and will replace the Data Protection Act. Amongst other things, the GDPR will require organisations to be far more transparent in relation to how they use data and impose a new obligation to be able to demonstrate compliance.

To find out more, please visit our GDPR Hub or get in touch.

Contributor

Martin Sloan

Partner