New ICO report identifies common areas for improvement
Recently the UK’s data protection regulator, the Information Commissioner’s Office (ICO), published its findings following a targeted review of eight charitable organisations’ data processing activities. In its report, the ICO identified areas of good practice as well as common opportunities for improvement. The ICO noted that the findings in its report correlated with smaller charities’ areas of non-compliance which it had identified during routine advisory visits.
Article 5(2) of the GDPR requires that all data controllers demonstrate their compliance with the core data processing principles listed in Article 5(1). This is known as the ‘accountability’ principle. Writing and maintaining appropriate data protection policies and documentation is a key means of demonstrating accountability. The ICO’s investigations therefore focused on the existence and content of the charities’ written data protection policies.
As a result, the ICO identified that charities could generally improve in a number of areas, which included the following:
Governance, policies and procedures
- Not all charities had key data protection policies in place. Where they were in place, often the policies were not reviewed regularly. Only a few charities had a documented review schedule in place.
- Information governance arrangements were not always included within a charity’s overall governance framework.
- Information governance, unlike other areas of governance, often lacked key performance indicators (KPIs). Where these KPIs were present, they were relatively limited.
- Communication of policies to staff and volunteers was inconsistent. At least half of the charities had no requirement for staff to read the information governance policies as part of their induction. Staff were often not required to sign a record saying they had read and understood the policies.
- There was often no strategy or formal approach to disseminating or raising awareness of new/revised policies and procedures.
Monitoring and reporting
- The majority of charities reviewed did not perform routine data protection or direct marketing compliance checks. Such checks were often not included in the charity’s internal audit programme.
- Charities often were not routinely conducting compliance checks on their external data processors.
Training
- Most charities did not provide annual data protection refresher training for staff and volunteers. Volunteers often did not receive any data protection training before being allowed to access or process personal data.
- It was uncommon for charities to carry out a training needs analysis to assess the training requirements of different roles/individuals within the organisation.
- Where training was given, it was not always monitored effectively.
Consent, fair processing and data sharing
- Few charities had a consistent and coordinated approach to fair processing notices (i.e. privacy policies). Without a sign-off process the policies varied in content and quality.
- Some consent forms did not contain any fair processing statement at all, meaning any consent obtained would not be valid because the individual was not fully informed. Not all consent forms were linked to the charity’s main privacy policy, and none required an individual to confirm they had read the policy prior to giving consent.
- Most charities used external data processors (which is not a problem in itself) but there were not always contracts in place with those data processors. Where contracts had been entered into, they often did not contain necessary data protection clauses.
Incident reporting
- Whilst there was mostly good awareness amongst staff of how to report an incident and who to report it to, most charities visited did not have documented reporting procedures in place.
- Many charities did not maintain an incident log and those that were in place were not always comprehensive or used consistently.
- The majority of charities did not rate the risk associated with a data breach as part of their investigation process. This meant that there was no considered way of knowing when to escalate risks or to report them to the ICO.
Retention and disposal of personal data
- The majority of charities retained personal data for far longer than was necessary, in some cases indefinitely. Some of this was due to poor records management and some due to retaining data in case it ‘may be useful in the future’.
- Some charities did not have formal data retention and disposal policies in place. Most charities did not keep a disposal log to record what information had been deleted in accordance with the retention policy.
- In most cases the retention and disposal of records was not actively managed. Specific responsibility for doing so had not been allocated to any one individual or group of individuals.
- In some cases, IT systems did not allow for permanent deletion of records. This meant those charities could not comply with the ‘right to erasure’ under the GDPR.
- Where external confidential waste companies were used, contracts were not always in place. Where the contracts did exist, they did not always include a right for the charity to carry out compliance checks and there was no record of these checks being carried out by the service provider.
Three months clear of the GDPR implementation date, now would be a good opportunity for charities to review their compliance. The above points can be used as a check-list for your Data Protection Officer, Data Protection Committee and/or board of trustees to run through as part of this exercise. It is worth remembering that, despite their not-for-profit objectives, charities are not exempt from the ICO’s enforcement powers.
I am a solicitor in Paris Smith’s Data Protection Team. If you have any questions about this article, including if you operate or work for a charity and would like advice on your data protection compliance, then you can contact me either by email or telephone 023 8048 2316.