ICO fines high profile charities for data protection breaches
The Information Commissioner’s Office has confirmed that it is to fine the RSPCA and British Heart Foundation for breaking data protection law
The Information Commissioner’s Office (ICO) has confirmed that it is to fine the RSPCA and British Heart Foundation for breaking data protection laws.
The ICO investigation was prompted by a Daily Mail article exposing malpractice in the fundraising practices of the two charities. The RSPCA will be fined £25,000 and the British Heart Foundation £18,000 for ‘wealth screening’ and selling of donor data.
The ICO statement said that so-called “wealth screening” was one of three different ways both charities breached the Data Protection Act by failing to handle donors’ personal data consistent with the legislation.
The charities also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And they traded personal details with other charities creating a massive pool of donor data for sale. Donors were not informed of these practices, and so were unable to consent or object.
Both charities have strongly condemned the ICO’s findings.
Simon Gillespie, chief executive of the British Heart foundation, said: “We are extremely disappointed in the action the ICO has taken. The trust our supporters put in us demands high standards of fundraising and we take the data protection responsibilities that come with this very seriously.
“The British Heart Foundation has endeavoured to ensure our practices follow ICO and Institute of Fundraising guidelines and we are committed to constantly evolving and improving our approach.
“We find the decision surprising as earlier this year in June the ICO praised our data handling and said that they had no concerns about us as a data controller.
“In June 2015, we took the decision never to share our supporters’ data with other fundraisers and we have made it clear to our supporters that this is the case.
“We believe that key aspects of the ICO’s decision and findings are wrong, disproportionate and inconsistent. Our trustees will therefore consider whether it’s in the interests of our supporters and beneficiaries to challenge this decision.”
RSPCA chief executive, Jeremy Cooper, said: “You may have seen it reported today that the Information Commissioner’s Office (ICO) has fined the RSPCA £25,000 for contravening the Data Protection Act 1998. This is obviously a very serious matter and I wanted to take the earliest possible opportunity to explain the situation and hopefully put your mind at rest.
“For over a year now, the ICO, which is responsible for the enforcement of the Act, has been investigating the data protection practices of a number of well-known charities, including the RSPCA.
“As a result of that activity the ICO has found that we have contravened the Act and issued a monetary fine. There is no suggestion that we lost or sold any personal data, but rather the ICO considers the information we gave to supporters on how their personal data would be used was inadequate. We are very disappointed with the ICO’s decision and disagree with many of their findings and conclusions.
“However, there has been one acknowledged contravention which we ourselves brought to the ICO’s attention. Whilst an inadvertent error was made in that instance, we do not agree it was so serious or had such harmful consequences to justify a fine. We did ask for the ICO’s guidance when this error occurred but they they did not reply to our request.
“The way the Data Protection Act is interpreted – and the regulation that covers privacy and electronic marketing – has been under intense scrutiny in the past year. We have always sought to ensure that our data protection practices followed the letter of the law and were applied only in the best interests of our supporters. The practices criticised by the ICO in this decision were commonplace in the charitable sector. Despite this, we no longer undertake these practices.
“We respect and value all of our supporters and would never intentionally do anything to place your trust in jeopardy.
“Here at the RSPCA we are constantly looking at how we engage and correspond with you, our supporters and members, so that your needs and expectations are met and exceeded. We hold ourselves to the highest standards and work hard to give our supporters the best experience possible. Without you we couldn’t continue to carry out the important work rescuing and caring for animals that is unique to the RSPCA.
“On behalf of everybody here at the RSPCA, I want to say that we are deeply sorry for any concern that this issue may cause you and want to assure you that we have been working tirelessly to improve our processes and data management to make it all as efficient, compliant and effective as possible.