Commission reminds charities to identify and comply with data protection laws and regulations

The Charity Commission, in conjunction with the Fundraising Regulator, issued an alert on 9 December 2016 to all charities reminding trustees that, in addition to charity law requirements, they must ensure systems are in place to identify and comply with any data protection laws and regulations that apply to the charity's activities.

Anyone, including charities or voluntary organisations, who processes personal information (including use and storage of donor data) must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate and up to date;
  • not kept for longer than is necessary;
  • processed in line with your rights;
  • secure; and
  • not transferred to other countries without adequate protection.

Trustees are responsible for having processes in place to ensure all charity fundraising is compliant with data protection legislation. This is clearly set out by the Commission’s guidance ‘Charity fundraising: a guide to trustee duties (CC20)’.
https://www.gov.uk/government/publications/charities-and-fundraising-cc20

The Information Commissioner's Office (ICO) also has a range of resources available specifically for the voluntary sector, which should be read alongside the Charity Commission’s guidance.
https://ico.org.uk/for-organisations/charity/

The alert was issued after two national charities, British Heart Foundation and RSPCA, were found to be in breach of the Data Protection Act at the start of December 2016 and were issued with monetary penalties by the Information Commissioner. A number of other charities are still under investigation for possible breaches.

If you are concerned about your organisation's practices, review and assess current data governance systems to ensure they are fit for purpose and that there is accountability in place. If you identify any breaches, cease that activity immediately and review the reporting requirements of the ICO. You will also need to submit a serious incident report to the Charity Commission. Seek professional guidance if you are in any doubt.

