Solicitor Jennifer Scott, in our Charities & Education team, explains why charities need to pay close attention to data protection.
Although data protection may feel like old news with the EU derived General Data Protection Regulation (GDPR) having come into effect in the UK on 25 May 2018, it is now again a hot topic for charitable organisations.
Headlines recently referred to the Information Commissioner’s Office (ICO) issuing a fine to a small Scottish charity, HIV Scotland. The charity sent an email to 105 individuals in which all recipients were visible. This included email addresses that identified people by name, including patient advocates diagnosed with HIV. The ICO found that this created a substantial risk that assumptions could be made about the individuals’ HIV status.
The ICO investigated the incident and found a variety of issues with the charity’s data protection procedures. We have taken each issue in turn below and provided suggestions on how these pitfalls can be avoided:
1. Inadequate staff training
Staff and volunteers are most organisations’ biggest asset and are intrinsic to charitable work being carried out. We recommend that meaningful staff training about data protection is provided and kept up to date on an annual basis. It is important that staff understand the data protection principles and how these apply to their respective roles. For example, staff who handle enquiries at a helpline will be dealing with a higher volume of data that needs protection than volunteers assisting in clearing litter from a local beach.
Charities should ensure that procedures are in place letting staff and volunteers know how personal data should be dealt with. This is especially the case if the charity is dealing with sensitive data, which often involves “special category data” (defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life and sexual orientation). Criminal offence data should also be treated sensitively and in accordance with guidance from the ICO.
We would suggest (and we think these suggestions would meet with the ICO’s approval) that you provide all staff and volunteers with:
- Induction training before they handle personal data and that refresher training is given at appropriate intervals;
- Information on who to ask if they have any questions about data protection or have to report a data breach. For example, your staff should be made aware of any Data Protection Officers you have appointed or Compliance Managers;
- Data protection training that includes industry specific, and role specific, aspects; and
- Information on how to access data protection policies and resources which should be easily accessible and be regularly reviewed and updated by senior management.
2. Incorrect methods of sending bulk emails
As part of the ICO’s warning regarding HIV Scotland, it has issued a reminder that “under data protection law, organisations responsible for personal data must ensure they have the appropriate technical and organisational measures in place to ensure personal data is secure.”
If you are part of an organisation that handles personal data electronically or issues bulk email correspondence you must ensure that adequate procedures and measures are in place. The ICO specifically found that HIV Scotland had used an inadequate blind carbon copy “bcc” method of sending emails to a large number of recipients.
Head of ICO Regions, Ken Macdonald, has recommended that “all organisations revisit their bulk email policies to ensure they have robust procedures in place.” Charities should put in place a bulk email policy detailing the correct procedures to be used when sending such correspondence, and those charities that already have a policy should review it to ensure it is “robust” and meets the ICO’s expectations.
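The following is an added illustration, not code from the article or from any of the organisations named in it, of the kind of technical measure a bulk email policy can require: a pre-send check that refuses any message exposing more than one addressee in the To/Cc headers, alongside a builder that produces one message per recipient so an address list never leaves the organisation. The sender address, recipients and threshold are constructed for the example.

```python
"""Pre-send control against the failure mode described above: a mailing
whose recipient list is visible to every recipient.  Constructed example."""
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 1  # assumption: one visible addressee per message


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see, i.e. those in To and Cc (Bcc is not sent)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_before_send(msg: EmailMessage) -> tuple[bool, str]:
    """Return (allowed, reason); a message disclosing a recipient list is blocked."""
    exposed = visible_recipients(msg)
    if len(exposed) > MAX_VISIBLE_RECIPIENTS:
        return False, f"{len(exposed)} addresses visible in To/Cc; send one message per recipient"
    return True, "ok"


def naive_bulk_message(sender: str, subject: str, body: str, recipients: list[str]) -> EmailMessage:
    """The pattern to avoid: every recipient placed in To, so all can see each other."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def individual_messages(sender: str, subject: str, body: str, recipients: list[str]) -> list[EmailMessage]:
    """Safe pattern: one message per recipient; duplicates are dropped, order kept."""
    out = []
    for rcpt in dict.fromkeys(recipients):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        out.append(msg)
    return out


if __name__ == "__main__":
    people = ["a@example.com", "b@example.com", "c@example.com"]  # constructed sample
    print(check_before_send(naive_bulk_message("news@example.org", "Update", "Hello", people)))
    for m in individual_messages("news@example.org", "Update", "Hello", people):
        print(m["To"], check_before_send(m))
```

The check sits in front of whatever actually sends the mail; a message that fails it is never handed to the mail server.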
3. Inadequate data protection policy
Data protection policies are more than just a “tick-box” exercise and should be created giving genuine consideration to what types of personal data an organisation will process and how. Charities should ask themselves how they can show that they handle personal data in a way that complies with data protection principles by considering the following:
- Is an individual’s personal data being processed in a fair way?
- Are we transparent about why and how we are processing their data (e.g. is our data protection policy jargon free, up-to-date and easy to find)?
- Are we limiting the personal data we are processing and ensuring that information we do not need is not processed?
- Are the personal data up to date and correct?
- How long do we need to process the personal data for?
- Are the personal data we are processing safe and secure?
Complying with data protection laws is a matter that organisations need to keep constantly under review; policies and procedures should not be left to go stale. If you are unsure whether your organisation is complying, please get in contact with us. We can carry out a data protection audit for you, let you know of any gaps in your processes and procedures that could leave your charity vulnerable, and advise on the best way to remedy any issues and prevent data protection breaches.
Our specialist Charities & Education team can advise on data protection and other matters relating to charities.
For further information or legal advice, please contact email@example.com or call 0118 951 6800.
This article is intended for the use of clients and other interested parties. The information contained in it is believed to be correct at the date of publication, but it is necessarily of a brief and general nature and should not be relied upon as a substitute for specific professional advice.