Regulators issue joint alert about compliance with data protection law
Commission reminds charities that they must identify and comply with data protection laws and regulations
The Charity Commission and the Fundraising Regulator are issuing an alert to all charities reminding trustees that they must, in addition to following charity law requirements, ensure that there are systems in place at their charity to identify and comply with any data protection laws and regulations that apply to its activities.
The alert follows last week’s news that two high-profile charities breached the regulations and received hefty fines accordingly.
The Commission’s guidance, Charity fundraising: a guide to trustee duties (CC20), is clear that trustees are responsible for having systems and processes in place at their charity to ensure that its fundraising is compliant with this legislation.
The Commission and the Fundraising Regulator are issuing the alert to support trustees as well as remind them of their legal duties and responsibilities in this area.
Below are the key steps regulators expect trustees and charities to immediately take:
- immediately cease any activity without explicit consent described and set out by the ICO notices of 5 December 2016 (published 9 December 2016) as being in breach of data protection law
- review and assess activities in the areas of data collection, storage and use to ensure they are compliant with data protection law – this should include reviewing fair processing statements to ensure they are explicit, clear, transparent and highly visible
- review and assess current data governance systems and processes to ensure they are fit for purpose, are operating effectively and evidence sufficient oversight and control – this includes ensuring there is a clear framework of ownership and accountability in place
- where breaches are identified, review the requirements for reporting to the ICO and comply with them – where a notification of breach to the ICO is required, also submit a notification to the Commission under the reporting a serious incident process
- where breaches have occurred consider the risk to those whose data has been breached and any action required to mitigate risks to those individuals and their data – this should include notification to those affected if appropriate following a risk assessment by the data controller
- notify the Commission about any investigation of the charity by the Information Commissioner by reporting a serious incident
David Holdsworth, Chief Operating Officer and Registrar of Charities for England and Wales, said: “Charities must learn the lessons from this week and do so quickly. Practices that some charities consider ‘common practice’ are in breach of the data protection requirements and should be ceased immediately. Charities are subject to the same legal requirements as all other organisations and must properly safeguard personal information according to the law. Acting in breach of their legal obligations under data protection law has and will incur substantial financial penalties and generate damaging public criticism about charity fundraising.
“Our expectation is that trustees have systems in place so that, at their charity, there is the right level of knowledge and awareness about the rules and that, crucially, they are adhered to.”