Charities, be very aware! You need to inform your supporters if you carry out wealth-screening; you need opted-in consent to share their data, clearly saying who you might share data with; and you can’t update people’s records with personal information they haven’t provided to you themselves.
Following the British Heart Foundation and RSPCA fines late last year, the ICO has fined a further eleven charities for breaches of the Data Protection Act.
In a move that will hopefully bring a sigh of relief for charities who’ve long been under the spotlight, the Commissioner, Elizabeth Denham, has declared the latest rulings mark the end of the Regulator’s investigations: “These fines draw a line under what has been a complex investigation into the way some charities have handled personal information. While we will continue to educate and support charities, we have been clear that what we now want, and expect, is for charities to follow the law.”
The latest fines focus on three key activities which the ICO has ruled break data protection law:
• Sharing data with other charities; no matter what the cause
• Ranking supporters based on wealth
• Finding information about supporters that wasn’t provided by them
What’s wrong with wealth-screening?
Where fines were issued, the ICO says that donors were oblivious to this practice, and if they didn’t know it was happening, they couldn’t object.
What’s wrong with tele-matching and other data appending methods?
The ICO says people have the right to choose what personal information they provide to charities, and people don’t have to update their details with a charity if they don’t wish to. It is not acceptable for charities to use additional information they uncover, without people’s knowledge.
What do charities need to do when it comes to data sharing?
The ICO says supporters should be able to choose to let charities share their information with other organisations, and charities must make it clear who these other organisations might be. The Regulator states: “for example an animal charity could ask you to let them share your details with other animal charities or it could name the specific other charities it wants to pass your details to.”
During its investigations the ICO said it found that often charities didn’t know who personal data was being shared with and says, “for example, supporters of animal charities could have their information shared with homeless, humanitarian or religious charities even though the supporters only expected their information to be shared with other animal charities. This is not acceptable data sharing. Some charities don’t know if the information has been shared one or one hundred times. This can result in lots of unwanted charity marketing.”
Data compliance and marketing permissions consultancy Opt-4 has provided a detailed review of the impact of the BHF and RSPCA rulings, which covers the same areas as the ICO’s recent fines.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.