The Information Commissioner’s Office has said that the RSPCA wrongly disclosed between 100,000 and almost 800,000 records of personal data on an annual basis over a 17-year period.
In its final report on its investigation of the charity, published today, the ICO says the RSPCA disclosed between 105,697 and 794,768 details between 1998 and 2015, including names, addresses, Gift-Aid statuses and the amounts of their last donations, through swapping data via the Reciprocate programme, which is run by the list broker ResponseOne.
It first emerged in the Daily Mail newspaper on Tuesday that the ICO planned to fine the RSPCA and the British Heart Foundation £25,000 and £18,000 respectively for breaching data protection rules. The story ran under the headline "Shaming of the charity vultures: RSPCA and British Heart Foundation fined for snooping on donors' wealth after Mail exposé".
In its final report on its BHF investigation, also published today, the ICO says that between January 2012 and July 2015, the charity used the Reciprocate scheme to share with about 40 charities more than a million data records relating to 552,092 people. The BHF told the ICO that the sharing was confined to similar or partner organisations.
According to the ICO, the RSPCA told the regulator in November 2015 that it had shared the data of 15,028 supporters with third parties through the scheme, despite the supporters having expressly opted out of having their data shared.
Between April 2014 and June 2015, the ICO says, groups of such records were shared on 12 occasions. The RSPCA subsequently informed the ICO that this had occurred due to the "wrong dataset being made available".
The regulator says the RSPCA told it that the charity had provided its entire database of supporters to wealth management companies to analyse the probability of those supporters providing financial support, sharing the personal details of more than seven million people.
The BHF was also found to have passed on between 800,000 and 2.6 million records annually for wealth screening between 2010 and 2014. In total, the BHF disclosed records containing the personal data of more than five million subjects, the ICO said.
Additionally, between 2010 and 2015 the BHF disclosed records containing the personal data of more than 700,000 people for the purposes of tele-matching and data-matching, the regulator says, estimating that the RSPCA’s tele-matching and data-matching activities involved more than a million people.
The ICO says both charities were in contravention of Data Protection Principles 1 and 2 and that the contraventions were of a kind likely to cause "substantial damage or substantial distress".
The watchdog says a charity of the RSPCA’s size and with its resources should have checked whether or not opt-outs were being respected as regards the personal data it shared through the Reciprocate scheme.
The ICO has itself come under criticism from some in the sector for the way it has communicated its investigation findings.
Not only were its findings first revealed by the Daily Mail before the ICO said it was ready to publish them – which the regulator said it was not responsible for – but the ICO then formally released its findings on two separate days: Tuesday and today.
Commenting on its process, a spokeswoman for the ICO told Third Sector: "Typically, we issue a press release alongside a penalty notice. We took the decision to press release our findings about the RSPCA and the BHF on Tuesday, after the Daily Mail ran its story. But there are policies and processes involved in publishing a penalty notice that meant we could not publish them until today."
She added that the charities and other relevant stakeholders were aware of this.