
The charity sector has hit the headlines again with the fines levied on 11 household-name organisations by the Information Commissioner’s Office (ICO), the body that administers Data Protection Regulations. The news comes just a matter of months after the RSPCA and British Heart Foundation were fined by the ICO for similar breaches.
The most recent fines ranged between £6,000 and £18,000, with the RSPCA being hit with a £25,000 fine in December, but they could have been much higher had the Information Commissioner not made a point of capping the figures so as not to undermine further the public’s confidence in the charities.
The rules around Data Protection are undoubtedly stringent, and all charities, and indeed all organisations that handle personal data, clearly need to take their responsibilities very seriously. But the organisations in question are large enough to have the resources to ensure that they don’t fall foul of the law. Notably, however, the infringements in this case were not to do with careless handling of data – contact lists carelessly left on desks, or unencrypted laptops found on trains – but rather more conscious and concerted efforts to mine donor information to increase income by using data in ways that donors never consented to. According to the ICO this included screening “millions of donors so they could target them for additional funds,” and tracing or targeting “new or lapsed donors by piecing together personal information obtained from other sources. And some traded personal details with other charities creating a large pool of donor data for sale.”
And if the fines and adverse publicity weren’t bad enough, the Charity Commission is now investigating all 13 charities and the culpability of their trustees for these breaches of the law.
So what does this mean for smaller charities, already grappling with complex and onerous Data Protection regulations?
The most obvious point is that, as well as ensuring that data willingly provided by donors and supporters is kept physically safe and secure, charities face a further risk when using this data in ways not anticipated by the donor. That includes using old data that a lapsed donor may not even know you retain, such as an old telephone number used to track someone down at a new address. This might well be seen to have a chilling effect on the ability of charities to innovate in how they relate to supporters and how they raise funds, but as these cases demonstrate, the risks are real and the sanctions can be substantial.
For advice on how to manage these and other risks within your organisation, contact Jon Benjamin at consultingmjb@gmail.com