Both charities are disputing many of the regulator’s findings and are considering whether to appeal.
The ICO launched an investigation into the RSPCA and other charities in September 2015 after the Daily Mail newspaper ran a critical story about the case of Samuel Rae, an elderly man with dementia who was allegedly contacted more than 700 times by charities after filling in a survey in 1994. It also ran an article claiming the RSPCA was paying a private company to secretly assess how much supporters might leave in their wills.
According to a spokeswoman for the RSPCA, the ICO’s investigation concluded that the RSPCA made four contraventions of the Data Protection Act 1998.
Specifically, the ICO found that the RSPCA did not provide people with enough information through its fair processing notice about how their details could be shared with other charities as part of a scheme called Reciprocate, and it didn’t adequately inform supporters that their details would be shared with a third party that would analyse their data to determine what products, information and offers might be marketed to supporters.
The ICO also found that the RSPCA did not adequately inform supporters that their details might be used for data-matching and tele-matching, the charity’s spokeswoman said, and that the details of some of the charity’s supporters were mistakenly shared with other charities despite these people having opted out of receiving marketing communications from other organisations.
According to today’s Daily Mail, the ICO found that the BHF, which was not mentioned in the Mail’s stories last year, also breached data protection rules. The newspaper said the ICO’s penalties could open the floodgates for thousands of donors to sue the charities for misuse of their private information.
Today’s Mail story came before the ICO was intending to disclose its findings and took the regulator by surprise.
A spokesman for the ICO said it had been forced to come up with a new approach and planned to publish a report and statement on the matter, but could not confirm when this would be.
A spokeswoman for the RSPCA told Third Sector: "We contest the ICO’s interpretation and disagree with its conclusions. We believe we did provide appropriate information in a manner that was common practice across the charity sector."
She said the case did not involve any loss of data or a security failing, which are the most common malpractices that resulted in fines. "Our case is very different and represents a radical departure by the ICO from its previous practice," she said.
The RSPCA’s spokeswoman said the charity tried to meet the ICO to discuss its concerns, but the regulator declined to meet it and other charities.
"Part of the fine concerns a data breach we reported to the ICO ourselves," she said. "While we accept an error was made in that instance, we do not agree it was so serious or had such harmful consequences as to justify a fine. We are currently considering whether to appeal against the decision."
David Bowles, head of public affairs at the RSPCA, told Third Sector he believed the fines would be the first of several levied on charities that will emerge in the next few weeks.
Simon Gillespie, chief executive of the BHF, said in a statement: "We are extremely disappointed in the action the ICO has taken.
"We find the decision surprising because earlier this year, in June, the ICO praised our data handling and said it had no concerns about us as a data controller.
"Our trustees will consider whether it’s in the interests of our supporters and beneficiaries to challenge this decision."