Four tips for charities on handling personal data
Charities often capture a significant amount of data about individuals, including postal addresses, telephone numbers, email addresses and bank details. This information is usually collected with the individual’s consent, but occasionally it is not.
Breaching data protection law
In December 2016, two charities were fined significant amounts for breaching data protection law. Specifically, they were penalised for wealth screening: the process of hiring wealth management professionals to investigate the financial status of the charities’ donors in order to assess the extent of their potential generosity.
The charities were also penalised for hiring companies to engage in tele-matching, which is using one piece of data that may have been provided by the donor, to obtain further data which was not provided by the donor. This process enabled the charities to use additional means of communication to contact donors to invite further donations, despite not having permission from the donor.
What should trustees do?
It is the responsibility of a charity’s trustees to make sure their charity is acting in accordance with the data protection legislation. We would advise that trustees consider taking the following measures:
- Inform donors of what you intend to use their personal data for and only use it for that specified purpose
- When data is collected make sure that it is stored as privately and securely as possible, making full use of strong password protection systems, encryption, back up disks and portable hard drives where appropriate
- Implement an effective data handling policy and ensure that all members of staff are aware of it
- Regularly review the charity’s data collection systems and ensure they comply with data protection law
The hefty fines show that the Charity Commission is serious about penalising those charities who contravene the data protection laws. In addition, from 25 May 2018 the General Data Protection Regulation (GDPR) imposes further requirements organisations’ data processes.
Click here to read our series of briefings about what GDPR means for charities.
If you have any questions regarding this briefing, please contact:
This briefing is for guidance purposes only. RadcliffesLeBrasseur accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.