Charities were treated more leniently than other sectors by the Information Commissioner’s Office during its recent investigation, according to Richard Marbrow, the ICO’s group manager for compliance.
Speaking in London yesterday at Third Sector’s Annual Fundraising Conference, part of Fundraising Week, Marbrow said the ICO was often accused of treating the charity sector more harshly than other sectors.
"We get asked a lot ‘do you treat the charity sector differently?’" he said.
"Yes we did. We cut a zero off the end of every fine. If you actually look at how much enforcement we do, the charity sector has not received a disproportionate share of attention. But, yes, when something is brought to our attention, we have to look at it because we’re a risk-based regulator.
"We can’t enforce against every single breach, so we have to look to see where the risk is coming from."
Between December 2016 and March 2017, the ICO fined a total of 13 charities for failing to comply with the Data Protection Act for misusing donors’ data through practices such as wealth screening and data matching.
The charities were fined between £6,000 and £25,000. Elizabeth Denham, the Information Commissioner, revealed in February that she had used her discretion to reduce the original fines by 90 per cent.
Marbrow said certain practices, such as data sharing, had spread throughout the charity sector and were creating a "gigantic problem" for people who were being contacted by charities, particularly those who were vulnerable.
But he said that deciding to investigate charities had been "really, really uncomfortable" for those at the ICO.
"Do not think for a second that we took this lightly," he said. "Every single person involved in this had a lot of soul searching, thinking ‘these are charities: is this the right thing to do?’"
Marbrow said the decision to reduce the fines had been made because "charities are different; charities are special". He said the decision had "helped a lot with the soul searching" and added: "I have no problems justifying what we did."
He reiterated reassurances made by Denham that all investigations into charities had now finished.
"We feel like we have reduced the risk from the charity sector," Marbrow said. "We see practices changing, but this doesn’t mean that if we see something worrying in the future we won’t go back in."
The ICO is due to lay a report of its findings before parliament this year. Marbrow said this would include a summary of what the ICO believed was the current situation in the charity sector.
He also dismissed calls for clarity on the Data Protection Act and the General Data Protection Regulation, due to come into effect from May next year. He said: "When people are asking for clarity, what they often mean is ‘I don’t like that answer; give me a better one’."
Marbrow said he was unable to confirm when the ICO would publish guidance on the situations in which organisations could justify contacting someone on the basis of having a legitimate interest under that GDPR, rather than having to gain opt-in consent.