ICO issues fines totalling £138,000 to charities for data breaches

A total of 11 charities have been fined between £6,000 and £18,000 for misusing donors' personal data

Eleven charities have been fined a total of £138,000 by the Information Commissioner’s Office for misusing donors’ personal data through activities such as data sharing, wealth screening and data matching.

The ICO said it had concluded that the 11 charities had breached the Data Protection Act: many had "secretly screened" millions of donors to assess their wealth and ability to donate, some had pieced together personal information that donors had not supplied, and some had traded personal details with other charities.

The largest single fine of £18,000 was issued to the International Fund for Animal Welfare, which the ICO found had shared 4,948,633 donor records with other charities, had conducted wealth screening and had been data matching since at least 1995.

Cancer Support UK (formerly the Cancer Recovery Foundation UK) was fined £16,000 for sharing 3,075,550 donor records with a range of organisations, including lottery and prize promotion companies and a health supplements company. Cancer Research UK was fined the same amount for wealth screening 3,523,566 people and data matching.

Guide Dogs UK was fined £15,000 for wealth screening and data matching, and Macmillan Cancer Support received a fine of £14,000 for the same practices.

The Royal British Legion and the NSPCC were both fined £12,000 for data matching and wealth screening. The ICO also ruled that the NSPCC had failed to explain to 22,608 people that their information would be used for telephone and mail marketing.

The Great Ormond Street Hospital Children’s Charity was handed an £11,000 fine for data matching and wealth screening, and WWF-UK received a £9,000 fine for the same offences.

Battersea Dogs & Cats Home and Oxfam were issued penalties of £9,000 and £6,000 respectively for data matching.

The fines must be paid by 4 May, but if a charity pays before 3 May its fine will be reduced by 20 per cent.

In a statement announcing the fines, the ICO said Elizabeth Denham, the Information Commissioner, had used her discretion to significantly reduce the amounts.

The penalties are the second batch of fines to be issued against charities after an investigation sparked by media reports that raised concerns about fundraising practices. The ICO said no more charities were being investigated.

In December, the ICO issued fines totalling £43,000 to the RSPCA and the British Heart Foundation as part of the same investigation. In February, Denham revealed she had used her discretion to reduce the original fines by 90 per cent, but said she would not do so for any charities caught breaking data protection rules in future investigations.

In a statement published today, Denham said millions of people had been affected by the charities’ contravention of the law. "No charity wants to alienate its donors," she said. "And we acknowledge the role charities play in the fabric of British society. But charities must follow the law."

The Charity Commission said this morning it had met each of the charities and was assessing whether their trustees had complied with charity law. It added that it was working with the ICO and the Fundraising Regulator to take any necessary remedial action

Peter Lewis, chief executive of the Institute of Fundraising, said good fundraising should involve charities attempting to find out what their donors are interested in and identifying new supporters, but all the charities involved had responded to the investigation by improving their practices.

The charities’ reactions

Only one charity, Cancer Support UK, said it was considering appealing against the fine.

Gemma Holding, chief executive of CSUK, said the fine was "ill-founded, excessive and disproportionate", and the charity had already voluntarily stopped data sharing before the ICO investigation. She said the ICO’s penalty decision has contained a number of legal and factual inaccuracies that the charity had clarified with the ICO.

The IFAW said it did not agree with many of the ICO’s findings and was "extremely disappointed" by the fine, but planned to pay it from investment income because it did not believe it was in the best interests of its supporters to fight the fine.

"The fundraising activities that IFAW carried out were considered acceptable practice throughout the charitable sector, and there was little to no guidance or concern about the practices from the ICO or other regulators," it said in a statement.

Steve Vaid, acting chief executive of Guide Dogs, said the organisation apologised sincerely for the breaches and said it had believed it was following the Data Protection Act.

Lynda Thomas, chief executive of Macmillan Cancer Support, said the charity took the fine very seriously and would like to apologise to supporters for its mistake. She said the charity would not use any public donations to pay the fine.

A WWF-UK spokesperson apologised to supporters and said the charity had fully implemented the ICO recommendations.

Sir Harpal Kumar, chief executive of Cancer Research UK, said the charity had not shared data for many years and apologised for not being clear enough with supporters about how data was used.

Battersea Dogs & Cats Home said in a statement that it was very disappointed by the fine, but it planned to pay it early out of investment income. 

Tim Johnson, chief executive of GOSH Children’s Charity, said the practices identified by the ICO had been undertaken in good faith. He said a small group of supporters had come forward and offered to pay the fine.

Mark Goldring, chief executive of Oxfam, said the charity had acted in good faith, but accepted that its privacy notices had not adequately explained the issue of data matching.

A Royal British Legion spokesperson said it accepted the fine and no such contraventions would happen in the future.

An NSPCC spokesperson said: "The NSPCC is disappointed by the ICO's decision to issue what we regard as an unjustified fine."

But it apologised to anyone affected by its "unintentional failings" and said a group of supporters had agreed to pay the fine.

If you’re interested in fundraising, you can’t miss Third Sector’s Annual Fundraising Conference on 23 and 24 May. Click here for more information and how to book

Have you registered with us yet?

Register now to enjoy more articles and free email bulletins

Already registered?
Sign in
RSS Feed

Third Sector Insight

Sponsored webcasts, surveys and expert reports from Third Sector partners