The Charity Commission has opened compliance investigations against the 11 charities that were fined this week by the Information Commissioner's Office (ICO).
On 5 April the ICO issued monetary penalties to 11 charities for contraventions of the Data Protection Act and the Privacy and Electronic Communications Act. Shortly after, the Charity Commission issued a statement saying that it too would be looking into the 11 culprits.
It said, simply, “The charity regulator is assessing whether the trustees of each charity have acted in accordance with their duties under charity law.” It added that the Commission has met with the bodies concerned.
“Charities must learn the lessons from these fines and breaches”, said David Holdsworth, chief operating officer at the Charity Commission, “the generous British public expect charities to safeguard their data and raise funds responsibly, and in return they donate in their millions. Sadly in these cases charities have not kept their side of the bargain.”
The Commission's guidance to trustees on fundraising makes it clear that trustees need to understand and comply with the relevant data protection laws and requirements.
The list of offenders includes some of the largest, most popular charities in the UK, such as Cancer Support UK, the Great Ormond Street Children's Hospital, The Royal British Legion and Oxfam. The Commission has also opened cases against the Royal Society for the Prevention of Cruelty to Animals (RSPCA) and the British Heart Foundation (BHF), which were fined in December 2016 for noncompliant data protection practices.
The charities were fined nearly £140,000 for three principal offences. A number of them used wealth screening services.
Others were fined for data matching, whereby external services would find data which donors had not provided and match it to data the charities already held, creating a fuller profile of donors.
Perhaps the most serious charge was the sharing of donor records between charities, in a scheme dubbed “reciprocate”, which ended in June 2016. For several years a collection of major charities shared millions of records with one another, creating a vast pool of donor data from which they could all draw.
While acknowledging the positive role of charities in society, the Information Commissioner Elizabeth Denham hit out at the offenders in a statement, saying, “Millions of people will have been affected by these charities' contravention of the law. They will be upset to learn the way their personal information has been analysed and shared by charities they trusted with their details and their donations.”
Though the ICO's recommendations have been taken on and apologies made, many claim that they were either engaged in what were then widely accepted fundraising practices or were not aware of their illegality.
The International Fund for Animal Welfare, which was fined £18,000, told SC in a statement that “the fundraising activities that IFAW carried out were considered acceptable practice throughout the charitable sector, and there was little to no guidance or concern about the practices from the ICO or other regulators.”
Morey J. Haber, vice president of technology at BeyondTrust, told SC Media UK that “the business practices of these charities operated much more like a business sharing data rather than a non-profit organisation performing fund raising.”
Essentially, added Haber, “the charities have been fined for data mining the private information of donors to help themselves and other charities with a higher contribution rate based on past donor performance.”
“The ICO has done them a favour,” Graham Mann, managing director of Encode Group UK, told SC, “because come GDPR the consequences could have been severe. The Charity Trustees and Executive Board have to be held to account for these activities, under GDPR, they will be.”
Coinciding with the fines was a statement by the industry body, the Institute of Fundraising, calling on the ICO to issue clearer guidance to charities on how to comply with incoming EU regulation. Daniel Fluskey, head of policy and research, said in a statement that charities “need clear guidance to be able to implement the legal requirements and give supporters the best experience of fundraising.”