The Charity Commission has opened compliance cases into the RSPCA and the British Heart Foundation after it emerged yesterday that the Information Commissioner’s Office had fined the charities for breaches of data protection law.
In a statement issued yesterday afternoon, after the ICO’s announcement that it was fining the RSPCA £25,000 and the BHF £18,000, the commission said it was assessing whether the trustees of each charity had acted in accordance with their duties under charity law.
It said the charities had reported the ICO investigations and the fines to the commission.
Sarah Atkinson, director of policy and communications at the commission, said: "The fact that charities have been found in contravention of data protection requirements in this way is very serious and highly regrettable.
"We are working with the charities concerned, the Information Commissioner and the new Fundraising Regulator to ensure that any necessary remedial action is taken."
She added that the wider lessons for charities about their responsibility to protect donors’ personal data needed to be shared and acted on.
The commission’s statement noted that the RSPCA and the BHF had "acted properly" in reporting their situations to the commission and that the charities’ trustees were cooperating fully.
The commission said it also planned to look into the other charities the ICO was investigating, which might have similarly contravened the Data Protection Act, and in each case seek to establish whether the trustees had acted in accordance with their legal duties.
It said it planned to host a joint educational event for charities early next year on data protection requirements, alongside the ICO and the Fundraising Regulator.
A spokeswoman for the RSPCA said the commission had made it clear that when a regulator takes action against a charity it would always open a compliance case to satisfy itself no action needed to be taken. She said the charity had therefore expected the case to be opened.
Simon Gillespie, chief executive of the BHF, said yesterday that key aspects of the ICO’s decision and findings were "wrong, disproportionate and inconsistent".
Elizabeth Denham, the Information Commissioner, said yesterday that the ICO might issue further penalties in the sector as a result of its continuing investigations .
It currently has inquiries open into the PDSA, the Diabetes Research and Wellness Foundation and the Cancer Recovery Foundation, which, like the RSPCA, were accused by the Daily Mail in September 2015 of sharing supporters’ data without consent.
The ICO is also yet to report the findings of its investigation into Oxfam, the NSPCC and Macmillan Cancer Support, which was launched in July 2015 after the Mail alleged that an agency working on their behalf was exploiting loopholes in the Telephone Preference Service.