Charities that, for example, process personal data through fundraising campaigns are subject to the act like any other organisation, and must comply with the data protection principles set out in it when processing that data.
Charities and their trustees need to take compliance with these principles seriously, because a failure to do so could result in enforcement action being taken against them by the Information Commissioner's Office, the public body responsible for the protection of information. And a civil action could be brought about by anyone whose data was used.
Failure to comply could also result in charities being prevented from using any personal data that was processed in contravention of the act.
The act sets out the following eight principles to which charities controlling data must adhere when processing personal data: personal data must be processed fairly and lawfully; it should be obtained only for specified and lawful purposes and should not be processed in any manner incompatible with such purposes; personal data should be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed; personal data should be accurate and, when necessary, kept up to date; personal data should not be kept for longer than is necessary for the purpose it is processed; personal data should be processed in accordance with the rights of data subjects; appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data; and personal data should not be transferred to a country or territory outside the European Economic Area unless the country or territory involved ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Ros Harwood is a partner and head of charities at Dickinson Dees solicitors.