The Charity Commission, the independent regulator of charities in England and Wales, and the Fundraising Regulator, are issuing an alert to all charities. It reminds trustees that they must, in addition to following charity law requirements, ensure that there are systems in place at their charity to identify and comply with any data protection laws and regulations that apply to its activities.
Following data protection law is a critical compliance area for any charity that handles personal information. It includes, but is not restricted to, collection, use and storage of donors’ personal data. The Commission’s guidance, Charity fundraising: a guide to trustee duties (CC20), is clear that trustees are responsible for having systems and processes in place at their charity to ensure that its fundraising is compliant with this legislation.
This week, 2 charities have been found to be in breach of the Data Protection Act and have been issued with monetary penalties by the Information Commissioner. Further charities are also under investigation.
The Commission and the Fundraising Regulator are therefore issuing this alert to support trustees as well as remind them of their legal duties and responsibilities in this area. This alert should be read in conjunction with our published guidance, the published guidance of the ICO and Fundraising Regulator alongside seeking professional advice where necessary. Below we also set out key steps as regulators we expect trustees and charities to immediately take:
- immediately cease any activity without explicit consent described and set out by the ICO notices of 5 December 2016 (published 9 December 2016) as being in breach of data protection law
- review and assess activities in the areas of data collection, storage and use to ensure it is compliant with data protection law - this should include reviewing fair processing statements to ensure they are explicit, clear, transparent and highly visible
- review and assess current data governance systems and processes to ensure they are fit for purpose and evidence sufficient oversight, control, are operating and effective - this includes ensuring there is a clear framework of ownership and accountability in place
- where breaches are identified ensure you review the requirements for reporting to the ICO and comply - where a notification of breach is required to also submit a notification to the Commission under the reporting a serious incident process
- where breaches have occurred consider the risk to those whose data has been breached and any action required to mitigate risks to those individuals and their data - this should include notification to those affected if appropriate following a risk assessment by the data controller
- notify the Commission about any investigation of their charity by the Information Commissioner by reporting a serious incident
David Holdsworth, Chief Operating Officer and Registrar of Charities for England and Wales, said:
Charities must learn the lessons from this week and do so quickly. Practices that some charities consider ‘common practice’ are in breach of the data protection requirements and should be ceased immediately.
Charities are subject to the same legal requirements as all other organisations and must properly safeguard personal information according to the law. Acting in breach of their legal obligations under data protection law has and will incur substantial financial penalties and generate damaging public criticism about charity fundraising.
Our expectation is that trustees have systems in place so that, at their charity, there is the right level of knowledge and awareness about the rules and that, crucially, they are adhered to.
Stephen Dunmore, Chief Executive of the Fundraising Regulator, said:
The ICO’s monetary penalty notices for these 2 charities should be a wake-up call for the whole sector. Charities must meet their legal obligations to ensure that they always have the proper consents in place for the use of personal data, both by purpose and communication channel.
Achieving compliance with data protection law is now an urgent priority, if charities are to avoid further reputational risk and re-establish public and donor confidence in fundraising.
The Commission, ICO and the Fundraising Regulator will also be hosting a joint educational event for charities early next year on data protection requirements. At the conference, the Fundraising Regulator is also planning to launch practical guidance for the charity sector on data protection and consent issues, following on from the NCVO’s recommendations in September 2016.
Further information for charities is available: