
What does Data Protection mean for the Third Sector?

Published: Thursday, November 12, 2015

Tim Creighton, Director

The Information Commissioner’s Office (ICO) can fine any organisation up to £500,000 for serious breaches of the Data Protection Act 1998. A data breach involves a failure to comply with the Data Protection Act. It is an incident in which sensitive or confidential data is stolen or viewed by an individual unauthorised to do so.

As charities often hold large amounts of data, they are liable to be fined for data protection breaches just like any other organisation. Charities suffered 53 data breaches from October 2014 to March 2015, more than double the number in the same period the previous year, according to figures published by the Information Commissioner’s Office. Charities are now the fourth most likely category of organisation to fail to properly protect others’ data, according to quarterly ICO figures, below health services, local government and education services.

Historically, charities have avoided large fines; however, this is changing:

  • In October 2012, the ICO fined the charity Norwood Ravenswood Ltd £70,000 for a serious breach of data protection rules. An investigation found that a social worker who worked at the charity left documents containing highly sensitive information about four young children outside the home of prospective adoptive parents, as the couple were not at home. When the couple returned, the documents were gone, and they have not since been recovered.
  • The ICO announced in March 2014 that it had fined the British Pregnancy Advice Service £200,000 for a serious breach of data protection rules. An ICO investigation found that the charity didn’t realise its own website was storing the names, addresses, dates of birth and telephone numbers of people who asked for a call back for advice on pregnancy issues. The personal data wasn’t stored securely, and a vulnerability in the website allowed a hacker to access the system and locate the information.

Do you know what your duties under the Data Protection Act are? What are you doing with personal data and why? Does your organisation know what personal data they hold and where they hold it? Has your organisation taken appropriate steps to ensure the security of all personal data held? Does your organisation have a data protection policy? Are your staff properly trained in data protection and do they use a privacy impact assessment before starting any new assessment?

For answers to any of these questions, or for more information about any of our charities law solutions, please give Tim Creighton a call on +44 (0) 28 9077 4500 (there is no charge for initial telephone discussions).
