ICO Fines Two Major Charities For “Wealth Screening” and Other Data Protection Breaches

The latest development in the long-running saga of fundraising standards emerged this week as the Information Commissioner’s Office confirmed that it will be levying fines on two of the country’s best-known charities. The RSPCA will be fined £25,000 while the British Heart Foundation will have to pay £18,000 in respect of breaches of data protection laws.

It is clear that the ICO is sending out a stern message to charities about the seriousness of these breaches, although its statement on 6 December confirms that the Information Commissioner exercised her discretion to keep the fines at a lower level than they might otherwise have been, balancing the need to be seen to take robust regulatory action against the further damage that will be caused by requiring donors’ funds to be used to pay these fines.

The ruling on the RSPCA represents the outcome of an ICO investigation that had been opened in September 2015 in the light of the publication by the Daily Mail of reports revealing irregularities and malpractice in charity fundraising. In one report, it had been alleged that the RSPCA had contracted with a company to carry out a covert assessment of what the charity might stand to receive in the way of legacies from its supporters. It had also been reported that Samuel Rae, an elderly man with dementia, had been contacted on 700 occasions by charities using data that he had provided when completing a survey in 1994.

While the ICO has not yet published its full report on its findings (it will be publishing the formal penalty notices on 9 December), the RSPCA has disclosed that the ICO’s investigation had found that the charity had contravened the Data Protection Act 1998 by failing to provide its supporters with enough information through its fair processing notice about how their personal data would be used and shared. Specifically, it had been found that the RSPCA did not adequately inform its supporters that their details:

  • could be shared with other charities as part of a scheme called Reciprocate;
  • would be shared with a third party that would analyse their data to determine which products, information and offers might be marketed to them; and
  • might be used for data-matching and tele-matching.

It has also emerged that the RSPCA was found to have shared supporters’ details with other charities despite their having opted out of receiving marketing communications from other organisations.

The fine imposed on the BHF relates to the screening of donors from 2009 through to August 2014; the charity had, it emerged, shared personal data relating to “several million people” with wealth management companies so that they could analyse their financial standing, combining the data provided by the charity with details from other sources to put together information about lifestyles, property ownership and social connections. All this had happened, it seems, without donors having given effective consent to this use of their personal data.

BHF had also been involved in passing records over to tele-matching and data-matching companies; it seems that the charity had requested consent to share data with “similar organisations” but the ICO was not convinced that this consent covered what was then done with the data.

The Information Commissioner, Elizabeth Denham, has confirmed that other charities are currently under investigation for similar breaches. Commenting on the impact of these fundraising practices on donors, she said:

“The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for even more money.”

“This widespread disregard for people’s privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator’s fine for their charity’s misuse of personal information.”

Both charities are set to contest the ICO’s findings and penalties, and are considering whether it might be in the interests of their supporters and beneficiaries to challenge the decisions.

The announcement of these fines is particularly striking because, as pointed out by the RSPCA spokesperson, the RSPCA’s case is “very different and represents a radical departure by the ICO from its previous practice.” The charity does have a point here: the RSPCA’s case relates to the slightly less clear-cut issues surrounding ‘wealth screening’ and the sale of donor data and the sufficiency of consent, rather than the more obvious data security concerns that have been the subject of previous substantial fines imposed on charities. Readers may recall the cases of:

  • Norwood Ravenscroft Limited, a social care charity, fined £70,000 after confidential reports about four children went missing when left outside a house in London in 2012; and
  • the British Pregnancy Advice Service, fined £200,000 for exposing thousands of people’s personal details to a malicious hacker in 2014.

The Charity Commission has responded swiftly to the breaking news with an announcement that it has opened compliance cases into both the RSPCA and the BHF. The Commission has said that it will assess whether the trustees of each charity have acted in accordance with their duties under charity law, in particular, whether they have understood the legal requirements of the DPA and ensured that their fundraising practices comply with these. The Charity Commission has also confirmed that it is aware that the ICO is investigating a number of other charities which may have similarly contravened the DPA, and so will be checking whether the trustees of these charities have acted in accordance with their legal duties too.

So what can we learn from the news of these fines? It is interesting to note the emphasis that the ICO had placed on the fact that the level of the fines has been moderated in view of the potential additional impact on donors and beneficiaries. And, given the extent to which the Charity Commission has endorsed the Etherington report’s conclusion that control of fundraising practices is something for which trustees are responsible, one might be tempted to wonder at what point trustees might be personally liable for the financial penalties incurred by their charities.

On a more positive note, the Charity Commission, the ICO and the new Fundraising Regulator will be hosting a joint educational event for charities early next year on data protection requirements. This is bound to be an increasingly challenging area for charities as they get to grips not only with the existing data protection rules but also with the new rules which will apply in the UK from 25 May 2018 when the General Data Protection Regulation will come into force across the EU (when the UK will still be a member state).
