The ICO fines UK charities for data protection breaches
The Information Commissioner’s Office (“ICO”) recently issued fines to a number of UK charities for breaching the Data Protection Act 1998 (“DPA”). The fines ranged from £6,000 to £18,000 and serve as a reminder of the ICO’s willingness to impose monetary penalties for breach of the DPA.
Following an investigation by the ICO after reports that donors were facing repeated and substantial pressure to contribute, eleven charities (including Oxfam, Great Ormond Street Hospital Children's Charity and Cancer Research UK) were discovered to have misused donors’ personal data. Each charity was found to have performed at least one of the following three practices in contravention of the DPA:
1. Ranking individuals based on wealth: some of the charities were found to have undertaken “wealth screening” where donors were investigated, ranked and targeted according to their wealth. Amongst other things, this helped establish which donors would be most likely to leave money to the charity in their wills.
2. Ascertaining information donors did not provide: some charities were found to have obtained data from other sources and investigated donors for information that they had not provided to the charity. For example, these charities used donors’ old phone numbers to trace new ones and used email addresses to match postal addresses.
3. Sharing donors’ data with other charities, no matter the cause: some charities were found to have traded personal data with other charities, creating a large pool of donor data for sale. This trading of data means that millions may have received undesired charity marketing.
The ICO decided to heavily reduce the amount of the fines to avoid adding to the distress that the charities’ actions had caused donors. If not for this extenuating factor (as well as the altruistic nature of the organisations involved), it is likely that the fines would have been much greater.
However, this may not be the end of the matter for the charities. The Charity Commission for England and Wales has indicated that it will assess whether any further action needs to be taken. David Holdsworth, Chief Operating Officer at the Charity Commission, stated: “The generous British public expect charities to safeguard their data and raise funds responsibly, and in return they donate in their millions. Sadly in these cases charities have not kept their side of the bargain. We are working with the charities concerned, the Information Commissioner and the Fundraising Regulator to ensure that any necessary remedial action is taken.”
If you would like further guidance on the points discussed in this article or if you have any other query in relation to data protection, please contact Alan Nelson.