ICO Fines Charity £100,000 for Data Protection Breaches

The Information Commissioner’s Office has fined the British and Foreign Bible Society £100,000 after the personal data of over 400,000 of the charity’s supporters were obtained by hackers exploiting a weakness in the charity’s computer systems.

The ICO’s ruling on the Bible Society follows an investigation into the use of ransomware in December 2016 which saw hackers hold key data on the charity’s donors hostage. While the data was eventually recovered, it was discovered that the charity’s internal network was insecure and that some files had been transferred out of the network. This breach was eventually traced to the use of a service account, with an easy-to-guess password. This account, once obtained by the hackers, allowed remote access to the network where donors’ credit card and bank account details were stored, putting them at risk.

Steven Eckersley, Head of Enforcement for the ICO commented that:

“Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.“

In response to the attack, the Bible Society took immediate remedial action and has, since the release of the report, paid the fine with a 20% discount for early payment. While the Bible Society is not expected to appeal the fine, it is important to consider the ICO’s approach to the investigation, to determine how charities can best avoid such fines themselves.

The ICO’s decision – A change of approach?

The ICO’s decision may come as a shock to many charities, particularly given that in December 2016, the ICO fined the RSPCA and British Heart Foundation £25,000 and £18,000 respectively for data protection breaches. Despite the considerable difference in the size of the fines, Information Commissioner, Elizabeth Denham stated at the time that:

“…[the ICO] have been lenient. I reduced the fines by 90 per cent because I was very concerned about the impact on donors and supporters: what would the impact be to have charitable money going to the Treasury?”

The Information Commissioner’s comments were certainly not unique to the circumstances of the investigation. In April 2017, the ICO fined a further eleven charities between £6,000 and £18,000 for breaching data protection and, once again, the fines were heavily reduced from their original amount. Why then does the ICO’s most recent decision appear to have been less lenient?

It cannot be denied that the overall number of data security incidents reported to the ICO has increased. In the year to March 2018, charities reported a total of 152 data security incidents to the ICO with a 69% increase in reports from January to March 2018. With the implementation of the GDPR and Data Protection Act 2018 in May, this number will only increase further as organisations get to grips with the new provisions.

There is also evidence to suggest that the fines levied against the RSPCA and British Heart Foundation alerted other charities to the importance of updating their privacy policies. This was acknowledged by John Mitchison, Head of Preference Services for the Direct Marketing Association, who stated that the fines “gave a lot of charities…a head start on preparing for the GDPR because they were already putting their processes in a better position before everybody else was“. With the GDPR now in place however, what can we learn from the Bible Society investigation and sanctions?

Both the GDPR and the Data Protection Act 2018 provide the ICO with the option to levy higher fines, with fines for data protection breaches now capped at €20,000,000 or 4% of annual worldwide turnover (whichever is greater) as opposed to £500,000 as they were previously. While the Bible Society investigation concerned breaches relating to the historic Data Protection Act 1998, the ICO’s decision to issue a substantial fine may reflect the sanctions that charities can expect to receive should they fail to implement proper data security measures under the new law.

As a result, it is vital that charities ensure that they have sufficient data security processes, procedures and policies in place in respect of their donors’, employees’ and other personal data as soon as possible.

Taking steps to protect data

The GDPR and Data Protection Act 2018 mirror the Data Protection Act 1998 in requiring charities to have “appropriate technical and organisational measures” in place to ensure that personal data is processed securely. This does not just extend to cybersecurity but also includes physical and organisational security measures.

While the GDPR does not therefore change the law on data security or prescribe what specific security measures need to be in place, we would encourage charities to use the GDPR as an opportunity to re-evaluate how they approach data security. This may allow improved technical and organisational security measures to be implemented both to prevent data breaches and to minimise their impact. This is recommended in view of the new requirement to report data breaches; the ICO’s increased set of sanctions, including higher fines; the increased threat of cyber-attacks; and the growing potential for reputational and business damage flowing from an attack.

By way of example of the broad range of matters covered by data security, charities should take practical steps to improve their data security (if not yet in place) including:

• ensuring that data can only be accessed, altered, disclosed or deleted by individuals who have authority to do so;
• rendering data unintelligible to persons not authorised to access it, such as by encryption and pseudonymisation (so it can no longer be attributed to a specific person without the use of additional information);
• physical measures such as restricted access to relevant areas;
• undertaking an information risk assessment to identify the various ways in which data is processed within the charity and the potential risks that may arise when processing is taking place;
• preparing an information security policy outlining the rules the charity’s employees and volunteers must follow to ensure that data is held securely;
• issuing simple ‘Dos and Don’ts for employees’, for example to use strong and creative passwords; to change passwords regularly; and not to use automatic log-in features that save user names and passwords once logged off (and enforcing these requirements through your IT systems); and
• carrying out regular checks as to the physical and cybersecurity measures in place to ensure they are suitable and up to date.

Contact us for advice on the GDPR

While the GDPR came into force on the 25^th May 2018, it is not too late to work towards compliance with the latest data protection requirements. GDPR compliance is not a fixed or static exercise but an ongoing and risk-based process. We can support you by examining how the GDPR will affect your charity and can assist you in ensuring appropriate policies and processes are put in place.

If you would like to learn more about data protection for charities, please contact our charity law solicitors on 01895 207862 or email charities@ibblaw.co.uk.