ICO fines charities for fundraising data breaches

Posted by Jon Belcher, 7th December 2016
On 6 December 2016 the ICO announced that it had issued monetary penalties of £25,000 and £18,000 to two of the UK’s best known charities, the Royal Society for the Prevention of Cruelty to Animals and the British Heart Foundation.

This isn’t the first time that charities have been fined for data breaches, and the size of the fines are modest, particularly when compared to the £400,000 fine that TalkTalk received back in October following the major hacking incident that exposed data relating to thousands of its customers.  However, these fines are very significant because of why they were issued.  These weren’t cases of breaches of security leading to data losses, but as a result of deliberate actions taken by the two charities over a number of years in order to maximise their revenues from their fundraising activities.

The ICO found that the charities had breached the first data protection principle in three specific areas:

  1. They employed wealth management companies to conduct ‘wealth screening’ of their millions of supporters, to identify those likely to give the most. The charities had not obtained consent from individuals for their data to be used in this way.
  2. They hired companies to find out information about their supporters that those individuals had not disclosed to the charities.  This information was then used to target individuals with fundraising activities.
  3. They took part in a scheme called ‘Reciprocate’ which involved the widespread sharing of donor information between various charities.  Although individuals could opt out of this sharing, the ICO found the opt out wording was too vague to constitute valid consent.

These activities have previously been used widely in the charitable sector and so this is unlikely to be the last action taken by the ICO as part of its ongoing investigation into fundraising by charities.  Both the RSPCA and the BHF have publicly criticised the ICO’s decision to issue them with monetary penalties, and so the legality or otherwise of these activities could well be decided at the tribunal.

The ICO will publish the monetary penalties in full on 9 December 2016, and a comprehensive report on its investigations of the charity sector in the New Year.

Enjoy That? You Might Like These:


6 November - Tim Forer
The Charity Commission recently published its annual report into the whistleblowing disclosures it received between 1 April 2018 and 31 March 2019 and included a significant change to its whistleblowing... Read More


18 October - Kirsteen Hook
Our Charities team here at Blake Morgan publishes e-bulletins to keep you up-to-date with breaking news and topical issues affecting the sector. As well as our charities newsletter, we offer... Read More


16 October - Kirsteen Hook
As expectations grow for a general election, the CEO of the Charity Commission, Helen Stephenson, has issued a reminder to charities of their responsibilities surrounding political campaigning. The CEO notes... Read More