Co-written by Jason Riley, Trainee Solicitor and Laura Trapnell, Partner and Head of Intellectual Property
The Charity Commission, the independent regulator of charities in England and Wales, and the Fundraising Regulator, which maintains the Code of Fundraising Practice for the UK and practice standards, have issued a stern reminder to charities and trustees.
Charities, and in particular the trustees running them, have been warned to comply with the law on data protection (as well as maintain compliance with charity law). Data protection law includes, but is not restricted to, the collection, use and storage of donors’ personal data, which can include information such as email addresses, postal addresses, telephone numbers, financial information etc.
The Charity Commission has made it clear that trustees are responsible for ensuring that their charity is compliant with the legislation. Often this involves ensuring that systems and processes are fit for purpose and are in place to adhere to the above laws, such as ensuring that the charity always obtains the explicit consent of a donor for the use and storage of their personal data.
In December 2016, the ICO fined the RSPCA and the British Heart Foundation £25,000 and £18,000, respectively, for wealth screening. This involved the charities hiring wealth management companies to analyse the financial data and status of donors and supporters in order to quantify how much more money they could potentially be persuaded to give. The charities were also found to have used telematching. This is the method by which external companies are used to find additional information about an individual, in order to add further communication channels through which the charity can attempt to contact someone.
Considering the current law on data protection, the implementation of the General Data Protection Regulation next year and considering the potential punitive consequences of a breach, we advise our charity clients to consider the following steps:
Acting in breach of your legal obligations has been shown to result in substantial financial penalties. Failing to identify the risks and breaches could also attract public criticism, result in reputational damage and undermine donor confidence in charity fundraising and the industry as a whole.
At some stage this year, the Charity Commission, ICO and Fundraising Regulator intend to hold a joint educational event for charities on data protection requirements.
To keep up-to-date with the above event and any further announcements, or if you have any questions or enquiries as a result of the above article, please do not hesitate to contact me.