- This story has been corrected; please see final paragraph
The Information Commissioner’s Office has still not completed either of the investigations it launched last summer into charities’ use of data.
A year has passed since the ICO launched Operation Cinnabar on 7 July 2015. The operation is looking into the Daily Mail’s claims that charities including Oxfam were involved in the exploitation of loopholes in the Telephone Preference Service.
A second investigation, called Operation Linden, was launched last September after the same newspaper claimed that data sharing among charities led to a man with dementia being tricked out of £35,000 by unscrupulous companies.
Richard Marbrow, a senior policy officer in the government and society team at the ICO, told Third Sector last week that the regulator was aiming to finish the investigations by September.
The charities that were originally the focus of Operation Cinnabar included Macmillan Cancer Support, the NSPCC, Oxfam, the Red Cross, and Age International, but the inquiries into the Red Cross and Age International concluded earlier this year after the charities signed agreements that committed them to renewing their phone fundraising consents every two years.
The Fundraising Standards Board decided in December to wait for the conclusion of Operation Linden before it carried out its own investigation into data sharing among charities.
But a spokeswoman for the FRSB said today that it would be down to the Fundraising Regulator, which was officially launched last week, to decide whether it wanted to pursue the matter.
Asked why the inquiries had taken so long to complete, Marbrow said that investigations took time and indicated that the ICO had only limited resources.
Speaking at the Institute of Fundraising Convention on 5 July about the ICO’s agreements – known as voluntary undertakings – with the Red Cross and Age International, Marbrow said that the ICO used them instead of taking enforcement action in cases where it had uncovered probable breaches of the Data Protection Act that were not likely to cause serious harm and distress.
They could also be used in cases where it came across organisations that wished to put in place particularly scrupulous practices, he said.
Marbrow said organisations could refuse to sign up to these undertakings, but this could result in the regulator taking enforcement action instead.
"You won’t find undertakings anywhere in the Data Protection Act because they are essentially a voluntary way of us trying to be a proportionate regulator and not always slapping down massive fines," he said. "It helps with the reputational damage caused by problems being found."
Marbrow said he would not rule out drawing up agreements with certain charities in the future requiring them to renew their consents for phone fundraising every year "because of the nature and the frequency of the contact", whereas others might have to agree to do this only every three years. He said that a charity running a Christmas appeal every year, for example, would probably not need to refresh its consents as frequently as a charity that called its donors every fortnight.
The Fundraising Standards Board, which last week handed over its responsibility for regulating fundraising to the Fundraising Regulator, launched investigations on the same day as the ICO, and these ran in parallel with Operations Cinnabar and Linden.
It concluded in May that the Red Cross, Macmillan, the NSPCC and Oxfam had all flouted the Code of Fundraising Practice through their work with the now defunct fundraising agency GoGen and pointed out that the Red Cross and Macmillan had also broken guidelines by failing to make it clear to supporters how their contact data would be used.
- The story originally said that Save the Children and Cancer Research UK were under investigation as part of Operation Cinnabar but the charities said this was not the case.