ICO audit of eight charities uncovers data concerns

Charities are urged by the Information Commissioner’s Office to ensure staff and volunteers have access to effective data protection training and that information breaches are properly reported and recorded.

Joe Lepper | 4th Sep 18

A review of eight charities by the Information Commissioner’s Office (ICO) has unearthed a number of concerns around data monitoring, reporting and training.

The charities involved have not been named and took part voluntarily in risk reviews by the ICO between December 2017 and February 2018.

Even though the reviews pre-date this May’s introduction of the General Data Protection Regulation (GDPR), the ICO believes the findings offer valuable advice to all charities on improving their data operations.

Problems uncovered included a lack of information governance procedures, with not all charities visited having policies in place. For those with such policies, the ICO found that communicating them to staff was “inconsistent”.

Most charities visited did not have regular data protection or direct marketing policy compliance checks. Just three charities carried out routine checks on data processors.

The ICO is also concerned by the lack of annual data protection refresher training for staff and volunteers. Training was not always monitored effectively, the regulator also found.

Half the charities visited did not have an incident log for reporting information breaches and most were retaining personal data for far longer than was necessary.

“Some of this was due to poor records management and some due to retaining data in case it may be useful in the future (for example, to trace a legacy gift to a previous supporter),” states the report.

Good practice also revealed

Despite these concerns, the ICO also details a number of areas of good practice among the charities visited. This included all of them having appointed a data protection officer ahead of the introduction of GDPR.

There was also good work in establishing data audits, and most had already moved to an opt-in approach to marketing consent, in line with GDPR. Two charities had a specific consent requirement for children.

The ICO was also impressed that none of the charities shared personal data with other organisations for marketing purposes.