Charities fall foul of data protection obligations
Great Ormond Street Hospital Children’s Charity, the NSPCC, Cancer Research UK, Macmillan Cancer Support, The Guide Dogs for the Blind Association and the Royal British Legion have all received substantial fines from the ICO after it was discovered that their supporters had been illegally screened by the charities based on their wealth. Information obtained by the charities about donors’ income, property values and even friendship circles was then used to target wealthy donors in a bid to encourage them to leave a legacy to the various charities in their will.
Further fines were issued to Oxfam and Battersea Cats and Dogs Home for “telematching” – essentially obtaining further information about donors by using existing information they held without the donor’s permission.
Many of the charities have fought back, claiming the fines, ranging from £6,000 to £18,000, are excessive and disproportionate. However, as these cases clearly demonstrate, charities are bound by exactly the same rules as companies and all other types of organisation in the UK. Leaving aside moral arguments about whether it is fair to punish charities in this way, particularly if the charity has taken immediate remedial action, the reality is that the penalties for breaching data protection are being actively enforced no matter how unintentionally a breach has occurred.
Data protection obligations are set to become even more onerous when the General Data Protection Regulations (GDPR) come into force on 25 May 2018 in the UK. The Government has confirmed that Brexit will not affect commencement. These regulations contain provisions for maximum financial penalties of 4% of annual worldwide turnover of the preceding financial year or 20 million euros, whichever is the greater, for various violations including breaches of the data protection principles and conditions for consent.
These recent headlines serve as a timely reminder for all types of organisations to be alert to the penalties for breaching data protection and to take specialist legal advice to prevent breaches occurring unnecessarily. If you are a charity, have you got robust mechanisms in place to protect your donors’ personal data?