The Information Commissioner’s Office and the Fundraising Standards Board have both launched investigations into allegations in the Daily Mail newspaper today that data sharing among charities led to a man with dementia being tricked out of £35,000 by unscrupulous companies.
The Mail’s article alleged that the sale of the contact details of Samuel Rae by charities led to the 87-year-old being conned out of large sums of money by companies that bought his details.
Rae was also reportedly contacted a total of 731 times and his details shared up to 200 times by at least 15 charities since he filled in a survey in 1994 and did not tick the box stating that he did not want his details shared.
The ICO said the newspaper’s findings were concerning and it would be investigating them further. It is already investigating allegations printed in the Mail in July that the now defunct fundraising agency GoGen had been exploiting loopholes in the Telephone Preference Service rules.
The FRSB said it would also investigate the allegations about charities’ data-sharing practices, having called in June for the Institute of Fundraising to bring greater clarity to its rules concering consent for contacting people and the way in which charities store and share data.
According to the Mail, the veterinary charity the PDSA was one of the first charities to access Rae’s details after he completed the survey 21 years ago. It said the charity sold his details 10 times to various organisations, including a list broker who in turn sold the details to a company that is said to have carried out scams against older people.
The PDSA also allegedly sold the details to the Diabetes Research and Wellness Foundation, which in turn reportedly sold lists containing the details 107 times, resulting in a further 12 scam companies gaining access to them. Two of these companies reportedly bought the details from the Cancer Recovery Foundation, which allegedly obtained the details from the DRWF.
The total Rae is alleged to have lost through scams since the onset of his dementia is £35,000, apparently including being tricked into ordering products to claim prizes that never materialise.
Steve Eckersley, head of enforcement at the ICO, said in a statement: "We have been presented with some clearly concerning findings about data sharing and sale in the charity sector, and we will be investigating them further. The law applies to charities as it does to any other company."
Eckersley told Third Sector that the charities featured in the investigation might have broken the Data Protection Act and the Privacy and Electronic Communication Regulations. "The DPA says that organisations need to treat data fairly and lawfully," he said. "So if they are sharing data with other organisations without getting the clear and current consent of individuals, this could be a breach of the DPA."
He said organisations that use donors’ contact details to contact people without checking they have the correct consent could be in breach of the PECR.
Alistair McLean, chief executive of the FRSB, said: "It is deeply concerning that anyone, not least someone who might be vulnerable, is said to have had their contact details exploited in this way. We intend to fully investigate these allegations.
"It is critical that the public clearly understands how their contact details may be used, and that data-sharing practices within the sector are thoroughly reviewed."
A spokesman for the PDSA said the charity was saddened to find that one of its supporters had apparently been the victim of fraudulent behaviour. "PDSA takes data protection extremely seriously and we are very careful to respect supporters’ wishes about how we interact with them and use their details," he said.
When the charity first contacted Rae in 1994, he said, he did not opt out of any third party communications. When, in 2004, Rae asked the charity not to share his details with third parties, the charity complied immediately, the spokesman said.
He said the charity decided to stop trading or swapping supporters’ personal details more than two years ago, and any data sharing before this was done in good faith, working with recognised agencies. He said the charity would fully cooperate with the ICO if an investigation followed.
Sarah Bone, chief executive of the DRWF, told the Mail she did not recognise the evidence presented by it but that the charity took the issue very seriously. She said the charity dealt with recognised list brokers or directly with charities that complied with the Data Protection Act. She said the charity would take action if it found there was a cause for concern about the way it traded data.
A statement from the Cancer Recovery Foundation said the charity was disappointed to read the Mail’s allegations and it had not shared Rae’s details with the alleged scam organisations.
It said: "CRF UK firmly believes that our current fundraising practices are compliant with data-protection legislation and related regulation to ensure our donors are protected, which is something we take very seriously."