Most charities reviewed by ICO do not carry out routine data law compliance checks

Eight charities took part in information risk reviews by the Information Commissioner's Office

The majority of charities reviewed by the Information Commissioner’s Office as part of a voluntary programme did not carry out routine data-protection compliance checks, the regulator has found.

Eight charities took part in voluntary information risk reviews carried out by the ICO between December and February, which found both areas of good practice and areas of concern.

An ICO spokesman declined to name the charities reviewed, but said they were not among the 13 charities that were fined by the ICO in December 2016 and April 2017 for breaches of data regulations.

But all eight were organisations at which the ICO had identified concerns during its investigation of the sector between 2015 and 2017, although those concerns were not serious enough to warrant fines.

"As a demonstration of their commitment to improving their practices, the eight charities agreed to let us come in and audit their practices around data protection and direct marketing," the spokesman said.

"This also helped to demonstrate that the ICO’s engagement with charities was not just about fines and enforcement, but to encourage genuine, ongoing improvements in the wider sector."

The report, released this week, says all the charities had clear governance structures in place and had either appointed data protection officers or were in the process of appointing them.

It said most charities had moved to an opt-in approach to marketing consent and, where they were relying on consent to process data, the consent was sufficiently explicit, as required by the General Data Protection Regulation, with separate check boxes provided for each type of communication.

But it also says the ICO found areas that could be improved. The majority did not carry out routine data-compliance checks and did not include them in their internal audit programmes. Not all of them had key information governance policies in place and many did not effectively communicate data protection responsibilities to staff.

The ICO spokesman said: "The ICO plans more work in the coming months to further encourage improvements in the sector."
