Following the Information Commissioner’s Office announcement today that it has issued monetary penalties to 2 charities for contraventions of the Data Protection Act, the Charity Commission confirms that it has open compliance cases into both RSPCA and the British Heart Foundation. The charity regulator is assessing whether the trustees of each charity have acted in accordance with their duties under charity law. The Commission’s guidance to trustees on fundraising makes it clear that trustees need to understand and comply with the relevant data protection laws and requirements.
The 2 charities acted properly in reporting the ICO investigations and notice of financial penalties to the Commission and the trustees are cooperating fully with the Commission. Both charities have now given us assurances that they have ceased these practices.
Sarah Atkinson, Director of Policy & Communications at the Charity Commission, said:
The fact that charities have been found in contravention of data protection requirements in this way is very serious and highly regrettable. Charities rely on public generosity to carry out their important work. In return the public trust charities to raise money in a considerate and responsible way and to use it effectively. The law requires, and the public expects, this will include safeguarding donors’ personal data.
We are working with the charities concerned, the Information Commissioner and the new Fundraising Regulator, to ensure that any necessary remedial action is taken. The wider lessons for charities about their responsibility to protect donors’ personal data must be shared and acted on.
The Commission is aware that the ICO is investigating a number of other charities which may have similarly contravened the Data Protection Act, and may issue further monetary penalties. The Commission will engage with these charities and in each case seek to establish whether the trustees have acted in accordance with their legal duties.
The Commission, ICO and the Fundraising Regulator will also be hosting a joint educational event for charities early next year on data protection requirements.
Notes to editors
Fundraising is subject to a self-regulatory system which sets and enforces clear standards of conduct for fundraising in the Code of Fundraising Practice. The Fundraising Regulator was set up in 2016 to regulate all types of fundraising by charities based in England and Wales and adjudicate concerns and complaints about fundraising against the Code of Fundraising Practice.
The Charity Commission has a role in fundraising regulation where there is evidence that trustee actions or failings, in fulfilling their duties towards their charity, pose a serious risk to the charity, to charitable funds, or to public trust and confidence. This role, and trustee responsibilities for fundraising, are set out in the Commission’s guidance Charity fundraising: a guide to trustee duties (CC20).