ICO fines charities for fundraising data breaches


7th December 2016

On 6 December 2016 the ICO announced that it had issued monetary penalties of £25,000 and £18,000 to two of the UK’s best-known charities, the Royal Society for the Prevention of Cruelty to Animals and the British Heart Foundation.

This isn’t the first time that charities have been fined for data breaches, and the size of the fines is modest, particularly when compared to the £400,000 fine that TalkTalk received back in October following the major hacking incident that exposed data relating to thousands of its customers. However, these fines are very significant because of why they were issued. They were not issued for breaches of security leading to data losses, but for deliberate actions taken by the two charities over a number of years in order to maximise their revenues from their fundraising activities.

The ICO found that the charities had breached the first data protection principle in three specific areas:

  1. They employed wealth management companies to conduct ‘wealth screening’ of their millions of supporters, to identify those likely to give the most. The charities had not obtained consent from individuals for their data to be used in this way.
  2. They hired companies to find out information about their supporters that those individuals had not disclosed to the charities.  This information was then used to target individuals with fundraising activities.
  3. They took part in a scheme called ‘Reciprocate’ which involved the widespread sharing of donor information between various charities. Although individuals could opt out of this sharing, the ICO found the opt-out wording was too vague to constitute valid consent.

These activities have previously been used widely in the charitable sector and so this is unlikely to be the last action taken by the ICO as part of its ongoing investigation into fundraising by charities.  Both the RSPCA and the BHF have publicly criticised the ICO’s decision to issue them with monetary penalties, and so the legality or otherwise of these activities could well be decided at the tribunal.

The ICO will publish the monetary penalties in full on 9 December 2016, and a comprehensive report on its investigations of the charity sector in the New Year.
