The Fundraising Regulator and the Charity Commission have issued a joint alert to all charities, reminding trustees that they must, in addition to following charity law requirements, ensure that there are systems in place at their charity to identify and comply with any data protection laws and regulations that apply to its activities.
Following data protection law is a critical compliance area for any charity that handles personal information. It includes, but is not restricted to, the collection, use and storage of donors’ personal data. The Commission’s guidance – Charity fundraising: a guide to trustee duties (CC20) – is clear that trustees are responsible for having systems and processes in place at their charity to ensure that its fundraising is compliant with this legislation.
This week, two charities have been found to be in breach of the Data Protection Act and have been issued with monetary penalties by the Information Commissioner. Further charities are also under investigation.
The Commission and the Fundraising Regulator are therefore issuing this alert to support trustees as well as to remind them of their legal duties and responsibilities in this area. This alert should be read in conjunction with our published guidance and the published guidance of the ICO and the Fundraising Regulator, alongside seeking professional advice where necessary. Below we also set out the key steps that, as regulators, we expect trustees and charities to take immediately:
- Immediately cease any activity undertaken without explicit consent that the ICO notices of 5 December 2016 describe and set out as being in breach of data protection law
- Review and assess activities in the areas of data collection, storage and use to ensure they are compliant with data protection law – this should include reviewing fair processing statements to ensure they are explicit, clear, transparent and highly visible
- Review and assess current data governance systems and processes to ensure they are fit for purpose, are operating effectively and evidence sufficient oversight and control – this includes ensuring there is a clear framework of ownership and accountability in place
- Where breaches are identified, review the requirements for reporting to the ICO and comply with them – where a notification of breach to the ICO is required, also submit a notification to the Charity Commission under the serious incident reporting process
- Where breaches have occurred, consider the risk to those whose data has been breached and any action required to mitigate risks to those individuals and their data – this should include notifying those affected, if appropriate, following a risk assessment by the data controller
- Notify the Charity Commission about any investigation of the charity by the Information Commissioner by reporting a serious incident