Many charities are struggling to look after sensitive data held on clients
The Information Commissioner’s Office has issued five top tips to charities to help them avoid breaching data protection legislation.
The ICO warned that serious breaches of data protection could result in fines of up to £500,000 for any organisation.
Charities are more susceptible to data protection issues than some organisations because they often handle sensitive personal information such as medical records, the ICO said.
Last month, Contact NI, a counselling charity, was forced to issue an apology after papers containing transcripts of sensitive discussions with clients blew out of a window.
The ICO has given three warnings to charities this year for breaches of data protection, although none incurred a fine. The breaches involved loss of data on memory sticks and laptops.
The regulator also said that 34 charities breached data legislation in the previous financial year.
The Fundraising Standards Board, the self-regulatory body for fundraising, said it received nearly 3,000 data protection complaints in 2011, of which 59 per cent related to direct mail.
The ICO said it would provide free advisory visits to charities that wanted advice on handling their personal data correctly.
Louise Byers, head of good practice at the ICO, said: "We are aware that charities are often handling extremely sensitive information relating to the health and wellbeing of vulnerable people and, with these organisations often lacking the money to employ dedicated information governance staff, there’s a danger that many charities might be struggling to look after people’s data."
The ICO’s five top tips
- Tell people what you are doing with their data and who it will be shared with. This is a legal requirement.
- Give staff the correct training on how to store and handle personal data.
- Use strong passwords to protect data, including upper- and lower-case letters, one digit and, ideally, a symbol.
- Encrypt all portable devices such as laptops and memory sticks.
- Keep personal data only for as long as it is needed and then delete or destroy it.