The Information Commissioner’s Office has revealed why it fined the British Heart Foundation £18,000 for breaching data protection rules.
In a statement published yesterday afternoon, the regulator said the charity secretly screened millions of its donors so it could target them for more money.
The animal charity the RSPCA was also fined £25,000 by the ICO for committing similar breaches of the Data Protection Act, it emerged yesterday morning.
The BHF had declined to confirm the details of the regulator’s findings yesterday morning, which came to light when the Daily Mail newspaper broke the news before the ICO was ready to publish its findings.
Both charities said they were considering appealing against the regulator’s decisions.
In a statement published yesterday afternoon, the ICO said that so-called "wealth screening" was one of three different ways the BHF had breached the Data Protection Act and the charity had failed to handle donors’ personal data in a way that was consistent with the legislation.
It said the charity also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources and traded personal details with other charities to create a massive pool of donor data for sale.
The ICO said that donors were not informed of these practices and were therefore unable to consent or object.
The regulator said that Elizabeth Denham, who took up the role of Information Commissioner in July, exercised her discretion in significantly reducing the level of the fines against the two charities. In similar situations, it said, fines could be ten times as much.
The ICO said that, in reducing the amount charged, Denham had taken into account the risk of adding to any distress caused to donors by the charities’ actions, "particularly in the context of potential further penalties in the sector as a result of ongoing investigations".
The investigation into the RSPCA and BHF is one of a number carried out by the ICO into the fundraising practices of charities. The investigations were sparked by reports in the media about pressure being placed on supporters to donate.
Denham said in a statement: "Our investigations suggest that the activities we’ve fined the RSPCA and the BHF for today are also being carried out by some other charities.
"My exercise of discretion should not take away from how serious these breaches were, nor from how disappointed donors will be with the two charities we’ve fined today. The law exists to protect people’s rights and it applies irrespective of how altruistic the organisation’s motives might otherwise be."
The fines will be paid into the Treasury’s Consolidated Fund and not kept by the ICO.
Commenting on what the BHF did wrong, the ICO said the charity had been screening donors since at least 2009 and provided records to wealth management companies containing the personal data of several million people without their consent.
It said the BHF had also been tele-matching since 2005 and, between 2010 and 2015, provided records containing details of several hundred thousand people to a tele-matching company. In 2013 it provided tens of thousands of records for data-matching purposes.
Like the RSPCA, it was also part of the Reciprocate scheme, which allowed it to share or swap personal data with other charities to get details of prospective donors. The ICO found that it disclosed more than a million personal records through the scheme between 2012 and 2015.
The ICO noted that the RSPCA, which it said repeatedly wealth-screened all seven million of its supporters without consent, had during the investigation claimed the practice was common and it had no plans to stop. But a spokeswoman for the RSPCA said this was misleading because the charity stopped wealth screening at the start of last year.
Simon Gillespie, chief executive of the BHF, said in a statement yesterday that the charity was extremely disappointed by the ICO’s actions.
"We find the decision surprising because earlier this year, in June, the ICO praised our data handling and said it had no concerns about us as a data controller.
"Our trustees will consider whether it’s in the interests of our supporters and beneficiaries to challenge this decision."