Hefty fines for charities breaching data protection law
7 December 2016
On 6 December 2016 the Information Commissioner’s Office confirmed that it will be issuing fines to the RSPCA and the British Heart Foundation for breaching data protection laws.
The RSPCA will be fined £25,000 and the British Heart Foundation will be fined £18,000 for so-called ‘wealth screening’ and selling donor data. Given the serious nature of the breaches, these fines could have been ten times as much if the organisations were not charities. The ICO report states that the charities “traced and targeted new or lapsed donors by piecing together personal information obtained from other sources” and “traded personal details with other charities creating a massive pool of donor data for sale”. The donors were not informed that these activities were taking place, so there was no opportunity for them to either consent or object.
The investigations into these two charities (alongside several other investigations into fundraising practices of charities) were launched in the wake of the Daily Mail exposé last July into cold calling by charities. The Daily Mail published a series of damning articles, naming and shaming several large, well-known national charities for their fundraising activities, which were described by the Mail in incendiary terms. Charities were accused by the Mail of “ruthlessly hounding the vulnerable and elderly for cash” and were described as “sharks” and “vultures”. The exposé followed the Mail’s coverage of the death of Olive Cooke in May 2015, in which it was suggested that she had been “hounded to death by cold callers”.
The barrage of negative publicity put charities and their fundraising activities directly in the spotlight and has had a significantly detrimental effect on public trust and confidence in charities. The public reaction led to governmental demands to reform charity fundraising and improve the self-regulatory structure to better safeguard vulnerable members of the public, and there have since been a number of significant changes in fundraising law and regulation, some of which we have discussed in our previous articles (on new fundraising rules for charities and on the new Fundraising Preference Service due to be launched next year).
The announcement by the ICO yesterday demonstrates that fundraising activities by charities are still very much in the spotlight, and charities need to take care to ensure compliance with all applicable law and regulation when engaging with donors or potential donors. Any serious breaches of the rules might result in charities finding themselves under very public scrutiny and potentially being fined by the ICO.
In addition to ensuring compliance with current law and regulations relevant to any fundraising activities, charities need to ensure that they take any necessary steps to prepare for compliance with the new data protection laws coming into force in 2018. These new laws will replace our current data protection laws in their entirety, and organisations breaching the new laws will face fines of up to 20m euro. The new laws will (among other things) be much more prescriptive about information that must be provided to individuals about how their data will be used, and will also include more onerous consent requirements.
The content of this article is for general information only. If you require advice on any aspect of your fundraising activities, or communications to donors or data protection obligations, please get in touch with Liz Brownsell or another member of Birketts’ Charities Team.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at December 2016.