A strong message from the ICO to charities

The ICO recently fined the RSPCA and the British Heart Foundation for breaches of the first and second data protection principles found in the Data Protection Act 1998. We look at what charity trustees should now be doing to protect their charities from similar penalties.

The comments of the Information Commissioner Elizabeth Denham on the subject of the use of data in certain fundraising practices by the RSPCA and the British Heart Foundation (BHF) send a strong message to the sector that the potential damage to the sector if the rights of donors are ignored when it comes to data protection is significant: “The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for even more money”.

The ICO carried out its investigation as one of a number of investigations into the fundraising practices of charities in response to reports in the media about “repeated and significant pressure on supporters to contribute”. The investigation determined that the RSPCA and BHF had breached the Data Protection Act in three ways:

  1. The use of “wealth screening”, which involved the charities employing wealth management companies to analyse the financial status of supporters and estimate how much more money they could be persuaded to give.
  2. The putting together of personal information on supporters obtained from other sources.
  3. The trade in personal details with other charities.

None of the supporters of the charities were told about these uses of their personal data, and so the supporters were not given the opportunity to consent or object. These activities were therefore in breach of the first and second data protection principles set out in Schedule 1 of the Data Protection Act 1998, which state that personal data must be processed fairly and lawfully, and that personal data must be obtained only for one or more specified and lawful purposes, and must not be further processed in any manner incompatible with that purpose or those purposes.

The RSPCA has been fined £25,000 and the BHF has been fined £18,000 for their respective breaches of the Data Protection Act. These fines could have been ten times as much, but were significantly reduced at the discretion of the Information Commissioner. She made a point of saying, however, that “the law exists to protect people’s rights, and it applies irrespective of how altruistic the organisation’s motives might otherwise be”.

Helpfully, the Charity Commission and the Fundraising Regulator have responded to the publication of the outcome of the ICO’s investigation by issuing a joint alert about compliance with data protection law, including the key steps that they expect trustees and charities to take immediately:

  1. Cease any activity without explicit consent described and set out by the ICO notices of 5 December 2016 (published 9 December 2016) as being in breach of data protection law.
  2. Review and assess activities in the areas of data collection, storage and use to ensure it is compliant with data protection law, including reviewing fair processing statements to ensure they are “explicit, clear, transparent and highly visible”.
  3. Review and assess current data governance systems and processes to ensure they are “fit for purpose” and evidence sufficient oversight, control, are operating and effective, including ensuring there is a clear framework of ownership and accountability in place.
  4. Where breaches are identified, report these to the ICO as necessary, and if a report to the ICO is necessary for a breach also submit a notification to the Commission under the reporting a serious incident process.
  5. Where breaches have occurred consider the risk to those whose data has been breached and any action required to mitigate risks to those individuals and their data, including notification to those affected if appropriate following a risk assessment by the data controller.
  6. Submit a notification to the Commission about any investigation of their charity by the Information Commissioner under the reporting a serious incident process.

The Charity Commission has also opened compliance cases on the RSPCA and the BFH. It also plans to hold a joint educational event for charities early next year, together with the ICO and the Fundraising Regulator.

Both the RSPCA and the BFH have expressed disappointment with the outcome of the ICO investigation, and said that they disagree with some or all of the conclusions drawn by the ICO.

The ICO has said it may issue further penalties to the sector as a result of its continuing investigations and has also made a point of noting that the fundraising activities for which the RSPCA and BHF have been fined are also carried out by other charities.

This means that there will certainly be some charity trustees who should be thinking “There, but for the grace of God, go I…” in response to publication of the outcome of the ICO investigation. Such trustees should take this warning shot from the ICO as intended; as notice to put their own charities’ houses in order as soon as possible in respect of data protection.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.