Charities claim ignorance as ICO penalises 11 for abusing donor data

News by Max Metzger

Nearly a dozen charities have been fined by the Information Commissioner's Office for a variety of contraventions of data protection law.

The Information Commissioner's Office (ICO) has smacked 11 charities with fines amounting to tens of thousands of pounds in a recent crackdown on offending philanthropic organisations.

The breaches of the Data Protection Act were numerous and varied, and some organisations had been employing such practices since as far back as the mid-1990s.

Many of the offenders “secretly screened” millions of donors to raise additional funds, others pieced together the personal information of lapsed donors and some even traded personal details with other charities to, according to the ICO, create “large pools of donor data for sale”.

Information commissioner Elizabeth Denham said, “These fines draw a line under what has been a complex investigation into the way some charities have handled personal information.”

Many have claimed that their actions were previously considered acceptable by the regulator and others have pleaded ignorance.

While acknowledging the positive role of charities in society, Denham hit out at the offenders in a statement, saying, “Millions of people will have been affected by these charities' contravention of the law. They will be upset to learn the way their personal information has been analysed and shared by charities they trusted with their details and their donations.”

The International Fund for Animal Welfare (IFAW) was hit with the heaviest fine, £18,000, for a variety of offences. IFAW handed over the data of 466,206 individual supporters to wealth screening companies to identify high value donors in 2012 and 2013.

IFAW has taken issue with the ICO's conclusion, saying that it told the ICO the wealth screening had been a short-lived activity which stopped after 2013. A spokesperson told SC, “IFAW has considered whether to appeal, as we do not agree with many of the ICO findings. We are extremely disappointed that the ICO has chosen to impose a fine.”

The spokesperson added, “The fundraising activities that IFAW carried out were considered acceptable practice throughout the charitable sector, and there was little to no guidance or concern about the practices from the ICO or other regulators.”

Oxfam was fined £6,000 for, among other things, the practice of tele-matching. As the ICO defines it, tele-matching is “data-matching by which telephone numbers which data subjects have chosen not to provide are obtained and used”.

Using data which customers didn't provide, Oxfam used an external service to match 267,521 records of individual donors and then used the phone numbers from those records to call the donors.

While accepting the fine, Oxfam has taken issue with the legality of the practice. Mark Goldring, Oxfam GB Chief Executive, said in a statement that, “While tele-matching was recognised as a legitimate activity by the ICO, we accept that our privacy notice did not adequately address the issue and we say sorry to our supporters for that. We would stress that all people called were given the chance to terminate calls immediately and we did not use tele-matched data to call people registered with the telephone preference service.”

IFAW, Cancer Support UK, Great Ormond Street Hospital Children's Charity and WWF-UK were fined for sharing data with other charities. Great Ormond Street Hospital was fined £11,000 for sharing more than 910,000 records with other charities. Under the Reciprocate scheme, the charity shared personal data, including names and addresses, with around 40 other charities. The hospital stopped participating in the scheme in September 2015, and confirmed that it no longer shared supporter data with third parties.

The fines have been met with a variety of reactions from the accused. Many have taken the ICO recommendations on and humbly accepted the fines.

A WWF-UK spokesperson reacted to the group's £9,000 fine in a statement: “We sincerely apologise for any instances where we have failed to meet the high standards our supporters expect of us. We have fully implemented the ICO recommendations.”

The Royal British Legion, which was fined £12,000, said, “We have accepted a fine from the Information Commissioner's Office for contraventions of aspects of the Data Protection Act. No donor's data was lost, sold or compromised in any way and we have invested heavily in our data operations since and are confident that no such contraventions will happen in the future.”

Peter Lewis, the chief executive of charity industry body the Institute of Fundraising, said, as the ruling highlights, “It is important that people are informed about how charities use their personal data for fundraising purposes. No charity knowingly wants to breach the rules, and charities work hard to meet the highest standards.”

He added that there is still some uncertainty over how charities can comply with the rules. The statement coincides with the Institute of Fundraising calling on the ICO for clearer guidelines as to how charities can comply with the incoming General Data Protection Regulation (GDPR) consent requirements.

The last couple of years have witnessed the ICO use a heavier hand with those who don't comply with regulation or flout data protection laws. Emblematic of such a stance was the fining of telecoms provider TalkTalk £400,000 for failure to protect its customers in its 2015 breach.

Even in recent months, the ICO has indicated a more serious stance on charities. In December, the office fined the Royal Society for the Prevention of Cruelty to Animals £25,000 and the British Heart Foundation £18,000 for their role in the Reciprocate scheme, which was eventually shut down in June 2016.
