ICO Fines Charities for Data Breaches
The Information Commissioner's Office ("ICO") carried out an investigation between 2015 and 2017 into the practices adopted by a number of charities when handling donors' personal data. The investigation uncovered serious breaches of the Data Protection Act 1998 and resulted in 13 charities being fined by the ICO.
In December 2016, the British Heart Foundation and the RSPCA were issued with fines totalling £43,000. The following charities were issued with fines in April 2017 as a result of the same investigation:
- Battersea Dogs' and Cats' Home (£9,000)
- Cancer Research UK (£16,000)
- Cancer Support UK (£16,000)
- Great Ormond Street Hospital Children's Charity (£11,000)
- Macmillan Cancer Support (£14,000)
- Oxfam (£6,000)
- The Guide Dogs for the Blind Association (£15,000)
- The International Fund for Animal Welfare (£18,000)
- The National Society for the Prevention of Cruelty to Children (£12,000)
- The Royal British Legion (£12,000)
- WWF-UK (£9,000)
Common themes can be identified in the practices of the charities listed above which resulted in the ICO issuing fines. Many of the charities were found to have engaged companies to find out missing information about their donors, for example missing telephone numbers or email addresses, which could then be used to contact the donors. The majority of the charities were also found to have shared donor information with other charities without permission.
Some charities were found to have engaged companies to investigate their donors in order to rank them based on wealth. Such companies would also identify which donors were more likely to leave money in their will to a charity. This information could then be used by the charity to target certain donors. Such practices could, as was found here, breach the Data Protection Act 1998 and have the potential to cause substantial harm and distress to donors.
When announcing the fines, Elizabeth Denham, the Information Commissioner, commented that she used her discretion to significantly reduce the amount of the fines. The Information Commissioner further commented that she would not exercise this discretion in the future with charities found to be in breach of their data protection obligations, thereby issuing a warning shot at charities to protect donors' personal data or face a significant penalty.
The EU General Data Protection Regulation ("GDPR") will come into force automatically across the EU in May 2018. The GDPR will increase the enforcement powers of the ICO and will significantly raise the level of fines which can be issued. Additional obligations will also be imposed on data controllers and data processors. Charities would be wise to pay heed to the Information Commissioner's comments and take steps now to review and get their data protection policies and procedures in order, especially with the added impetus of the GDPR around the corner.
If you would like further information on how you can ensure your organisation complies with its data protection obligations, please do not hesitate to contact David White on 01482 337209 or by email to firstname.lastname@example.org.
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.