Fundraising Regulator & Charity Commission issue joint data protection alert
The Fundraising Regulator and the Charity Commission have issued a joint alert to charity trustees on data protection law compliance, following the ICO’s recent investigation into the RSPCA and the British Heart Foundation.
The alert reminds trustees that they must not only follow charity law requirements, but also ensure that systems are in place at their charity to identify and comply with any data protection laws and regulations that apply to its activities.
According to the regulators, the alert should be read in conjunction with the published guidance on data protection from the Fundraising Regulator, the Charity Commission (including its Charity fundraising: a guide to trustee duties, CC20) and the ICO. It sets out a number of key steps that the regulators expect trustees to take:
- Immediately cease any activity carried out without explicit consent that the ICO's notices of 5 December 2016 set out as being in breach of data protection law
- Review and assess activities in the areas of data collection, storage and use to ensure they are compliant with data protection law – this should include reviewing fair processing statements to ensure they are explicit, clear, transparent and highly visible
- Review and assess current data governance systems and processes to ensure they are fit for purpose, evidence sufficient oversight and control, and are operating effectively – this includes ensuring there is a clear framework of ownership and accountability in place
- Where breaches are identified, review the requirements for reporting to the ICO and comply with them – where a breach notification is required, also submit a notification to the Charity Commission under its serious incident reporting process
- Where breaches have occurred, consider the risk to those whose data has been breached and any action required to mitigate risks to those individuals and their data – this should include notifying those affected, if appropriate, following a risk assessment by the data controller
- Notify the Charity Commission about any investigation of their charity by the Information Commissioner by reporting a serious incident.
The full alert is available on the Fundraising Regulator’s site.
The Commission, ICO and the Fundraising Regulator have also announced that they plan to host a joint event for charities early next year on data protection requirements. At the event, the Fundraising Regulator is also planning to launch practical guidance for the charity sector on data protection and consent issues, following on from the NCVO’s recommendations in September 2016.
Stephen Dunmore, chief executive of the Fundraising Regulator, said:
“The ICO’s monetary penalty notices for these two charities should be a wake-up call for the whole sector. Charities must meet their legal obligations to ensure that they always have the proper consents in place for the use of personal data, both by purpose and communication channel.”
“Achieving compliance with data protection law is now an urgent priority, if charities are to avoid further reputational risk and re-establish public and donor confidence in fundraising.”