But the Information Commissioner's Office has taken action only against 10; Lawrence Simanowitz, a lawyer at Bates Wells & Braithwaite, says the number of complaints is acceptable
The Information Commissioner’s Office has handled more than 500 complaints against charities relating to data protection breaches over the past five years.
The figures from the ICO came to light after a request was made under the Freedom of Information Act by Lawrence Simanowitz, a lawyer at the law firm Bates Wells & Braithwaite. The figures show that 502 complaints were made against charities between April 2007 and March 2012. The ICO took action against 10 organisations during that period.
The ICO says 246 complaints were made against charities about ‘subject access’, which relates to individuals being denied their right to know what information organisations hold on them.
There were 96 complaints about the disclosure of data to others and 11 about the misuse of information, the figures show.
Simanowitz, who made the FoI request while researching a book he has co-authored called Data Protection for Charity Fundraisers, said he believed the number of complaints was acceptable.
"I think if anything, it is a vote of confidence," he said. "The charity sector is doing something right or at least not doing something so bad as to provoke a major amount of complaints, although it does not mean charities should be complacent."
Just one charity over the five-year period, Leonard Cheshire Disability, faced an enforcement notice, which was about a subject access complaint by a residential service user. The notice sets out specific actions the charity must take to meet its data protection obligations. The issue has been resolved by the charity.
The other charities were given ‘undertakings’, which commit them to improving their compliance with the act.
These included the Alzheimer’s Society, Rainforest Alliance, Wheelbase Motor Project, Asperger’s Children and Carers Together, Community Integrated Care, Enable Scotland, Fairbridge, Turning Point and Brecon Beacons National Park Authority.
The majority of these cases came about because of the theft of unencrypted laptops containing data such as financial details or health records of the charities’ employees or service users.
The ICO has been able to fine organisations up to £500,000 for the most serious breaches of the Data Protection Act since April 2010, but has not used this power on any charity.
A spokesman for the ICO said: "Where we’ve taken action, it is often against charities that have accidentally displaced information related to health or finance."
The other complaints were either closed down because the ICO was not provided with enough information or ended in an informal agreement that the charity would improve its data protection, the spokesman said.
Simanowitz said: "If you look at the education section, there have been between 250 and 400 complaints a year – the charity sector is hovering at around 100."
He said that organisations had become increasingly aware of data protection over the past 10 years."People can see the damage to an organisation’s reputation if you get it wrong, so it is much higher up the agenda now," he said. "If you are a charity you have got to take this seriously."