Elizabeth Denham, the Information Commissioner, has revealed that she stepped in to reduce by 90 per cent the fines levied against the RSPCA and the British Heart Foundation for breaking data-protection law.
During an afternoon of often heated panel sessions at the Fundraising and Regulatory Compliance Conference in Manchester yesterday, Denham revealed she had substantially reduced the penalties. She also revealed that the Information Commissioner’s Office did not know about the practice of wealth screening before the Daily Mail newspaper reported on the practice in 2015.
The RSPCA and the BHF were handed fines of £25,000 and £18,000 respectively in December. Without the 90 per cent reduction, they would have had to pay £250,000 and £180,000. They both paid the fines levied against them, with a 20 per cent reduction for swift settlement.
"We’ve been criticised for the actions the ICO has taken, but I believe we have been lenient," said Denham. "I reduced the fines by 90 per cent because I was very concerned about the impact on donors and supporters: what would the impact be to have charitable money going to the Treasury?"
But she said the reductions had been applied in part because it was the first time charities had been fined under the Data Protection Act and charities could not expect such leniency in the future.
She said she would make a decision in the coming weeks on whether fines would be levied against the 11 charities that have received notifications that the ICO plans to fine them and what level those fines would be.
Denham said the regulator had not taken action against charities in the past because "we didn’t know about wealth screening" before the summer of 2015, when the Daily Mail newspaper ran a story about the practice of assessing how much money a potential donor has.
She said: "We don’t know and can’t know about the practices across all sectors. We have a broad remit, but once we did we needed to take action."
When asked by an audience member why there seemed to have been a change in the ICO’s view, even though there had been no change in legislation, she insisted the ICO’s view had remained constant, but it was the first time the law in relation to charity fundraising practices had been interpreted in an enforcement case.
Under the Data Protection Act, organisations must handle data in a way that is "fair", with fair defined as practices that people would "reasonably expect" to be carried out.
During the panel and seminar sessions at the conference, delegates repeatedly called for a more detailed explanation of "reasonable expectations", but Denham said that because of the nature of the underlying legislation the regulator could not offer definitive answers.
Gerald Oppenheim, policy manager of the Fundraising Regulator, said it was "aware that the definition of fair and reasonable is something we need to get to grips with".
In response to a question from the audience, Paula Sussex, chief executive of the Charity Commission, said the commission would work with the ICO and the Fundraising Regulator to create a guide to fundraising and data protection, although it would not be official commission guidance.
Audience members asked Denham what evidence she had that people did not reasonably expect wealth screening to take place. She replied that the ICO had received complaints, which prompted many delegates to ask how the complaints could have been received when the key issue was that people were unaware of the practice.
Richard Marbrow, group manager for corporate governance at the ICO, said that the data regulator’s guidance on the General Data Protection Regulation, due to come into force on 25 May 2018, was "a matter of two or three weeks away" from publication.
But Denham said she did not expect all organisations to be perfectly compliant from the first day, and if the regulator could see evidence of charities working to achieve change it "won’t get a stick out of the cupboard to beat them with".
Oppenheim said he appreciated that reviewing donor databases would not be pain-free and would lead to financial losses in the short to medium term, but complying with legal requirements was unavoidable.