Matthew Biles Partner, Head of Department, Private Client & Tax
UK charities caught in the Information Commissioner’s crosshairs
A recent case highlights the importance of charities having adequate procedures and practices in place, in order to comply with data protection legislation. Such procedures will mitigate the risk of data breaches and potentially serious enforcement action being taken against a charity and/or its trustees. As well as being financially damaging, data breaches and enforcement action can also be very harmful for a charity’s reputation and future effective work.
Charity trustees have wide responsibilities for ensuring that their charity is properly governed. Such responsibilities include, for example: ensuring that the charity acts within its charitable purpose(s) (or “objects” as they are formally known) and files all relevant records with the Charity Commission, amongst others, as required by law.
An often forgotten, or disregarded, requirement is the legal requirement for charities to comply with UK Data Protection legislation. In the UK, the Information Commissioner’s Office (the ICO) is the body responsible for enforcing such legislation and the body with whom a number of entities, both corporate and charitable, need to register as handlers (“processors” and “controllers”) of personal data.
It should be noted that there is no simple blanket exemption from registration with the ICO for charities. Instead the legal requirement to register with the ICO depends on the size and activities of a charity. Trustees should ensure that this is assessed carefully in light of the financial and reputational ramifications of breaching these laws. However, it should also be noted that the responsibilities to protect personal data go far beyond the simply requirement to register and, even when a charity is exempt from registration with the ICO, this does not mean it is exempt from complying with the underlying Data Protection legislation. Indeed, a case recently published by the ICO relating to the Mermaids charity reinforces this point.
The Mermaids decision
The recent enforcement action taken against the charity Mermaids highlights that the ICO will take action against charities just as readily as other organisations. In brief summary, insufficient care and attention was paid by the charity in respect of the privacy settings of an internal email group. Subsequently, it came to light that sensitive and personal details relating to beneficiaries of the charity’s services had been inadvertently made publicaly available as a result of the inadequate privacy settings. On becoming aware of the data breach, Mermaids swiftly followed protocols to report the breach to the ICO (as is required where any data breach which risks the rights of data subjects occurs). This led to a more wide-ranging investigation by the ICO, in which it was found that Mermaids had entirely insufficient policies and procedures in place to protect personal information. Despite the failings that were uncovered Mermaids took a cooperative approach to the investigation and subsequently have implemented more thorough policies. As a result of Mermaids’ compliant stance, the enforcement action and reputational damage was perhaps less severe and damaging than they might otherwise have been.
It remains to be seen whether the Mermaids case will prompt the ICO to take a closer look at the charity sector and whether that may lead to further investigations and enforcement action. However, we have heard anecdotal evidence that there has been a rise in correspondence to charities from the ICO in the recent months in which trustees are asked for explicit confirmations that all appropriate Data Protection legislation is being adhered to. If such confirmations are not provided or indeed they turn out to be inaccurate it is likely that the ICO will seek to take action against the charities involved. This could in turn potentially lead to action being taken by the ICO and/or the Charities Commission against the trustees personally if their actions were found wanting.
Key data protection principles
Under UK legislation, there are six data protection principles laid down by the legislation which provide a helpful, but very generalist, data protection framework:
- Data must be processed lawfully, fairly and transparently - examples of when charities’ personal data may be processed within the scope the law include with consent, in the pursuit of legitimate interests and in accordance with a legal obligation.
- Purpose - there must be a specific purpose for the data to be processed and a charity (or any organisation) must be careful not to overstep that purpose when processing personal information. For charities, a specific purpose might be assisting beneficiaries, employee records, market research or indeed for keeping accounting records in respect of donations received.
- Data minimisation - the data collected and processed must be proportionate and limited to that which is necessary for the specific purpose.
- Data must be accurate and up-to-date - if data is held about individuals, then that data should not be inaccurate or misleading about the individuals. Holding misleading information about individuals can be damaging to them, and enhance the detrimental impact of administrative errors, for example.
- Limitation on time - data must only be kept for the time necessary to fulfill the purpose for which it has been collected. Clearly, if personal data has been processed on the legal basis that the individual has consented, then consent must be re-obtained if a different purpose is then envisaged.
- Integrity and confidentiality - data must be stored and processed securely, including to mitigate against it being accidentally lost, stolen, damaged or destroyed. It goes without saying that data must be held securely. Security of data is often the main source of investigations by the ICO and the Mermaids case is a salutary lesson as to the importance of both secure systems and periodic review of such systems by proficient IT specialists.
In many circumstances, once a data breach has occurred or come to an organisation’s attention it must be formally reported to the ICO within no more than 72 hours and appropriate steps of mitigation taken. In many cases, it will also be necessary to report the data breach to the data subjects who have been, or are likely to be, impacted.
Personal data and information is regularly processed by charities in relation to matters such as fundraising and raising awareness of the charity. Often charities might also collect much more in-depth market research and conduct donor screening beyond the ambit of simple passive marketing. In addition, the data on beneficiaries, volunteers, trustees, employees and other third parties might be collected, stored and processed. All of the above are instances were charities, and their trustees, are required to have taken steps to safeguard data under Data Protection legislation.
Charity law and data protection experts at Ince can assist in undertaking a data protection audit of your charity and help prepare relevant documentation to assist in mitigating the chances of a data breach. Additionally, our data dispute resolution and reputation management experts can assist in the event that now or in the future you have any concerns that such a data breach may have occurred.
How we can help
For more information and advice on any of the issues raised above, please get in touch with a member of our team: Matthew Biles, Partner and Head of Private Client, who acts on behalf of a wide range of charities; Melanie Hart, Dispute Resolution Partner, who can be contacted in the event of concerns surrounding data protection; or Edward Knox, Private Client Associate.