Solicitor Jennifer Scott, in the Thames Valley law firm Blandy & Blandy Charities & Education team, explains below why charities need to pay close attention to data protection.
Although data protection may feel like old news with the EU derived General Data Protection Regulation (GDPR) having come into effect in the UK on 25 May 2018, it is now again a hot topic for charitable organisations.
Headlines recently referred to the Information Commissioner’s Office (ICO) issuing a fine to a small Scottish charity, HIV Scotland. The charity sent an email to 105 individuals in which all recipients were visible. This included email addresses that identified people by name, including patient advocates diagnosed with HIV. The ICO found that this created a substantial risk that assumptions could be made about the individuals’ HIV status.
The ICO investigated the incident and found a variety of issues with the charity’s data protection procedures. We have taken each issue in turn below and provided suggestions on how these pitfalls can be avoided:
Staff and volunteers are most organisations’ biggest asset and are intrinsic to charitable work being carried out. We recommend that meaningful staff training about data protection is provided and kept up to date on an annual basis. It is important that staff understand the data protection principles and how these apply to their respective roles. For example, staff who handle enquiries at a helpline will be dealing with a higher volume of data that needs protection than volunteers assisting in clearing litter from a local beach.
Charities should ensure that procedures are in place letting staff and volunteers know how personal data should be dealt with. This is especially the case if the charity is dealing with sensitive data, which often involves “special category data” (defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life and sexual orientation). Criminal offence data should also be treated sensitively and in accordance with guidance from the ICO.
We would suggest (and we think these suggestions would meet with the ICO’s approval) that you provide all staff and volunteers with:
If you are part of an organisation that handles personal data electronically or issues bulk email correspondence, you must ensure that adequate procedures and measures are in place. The ICO specifically found that HIV Scotland had used an inadequate blind carbon copy (“bcc”) method of sending emails to a large number of recipients.
Head of ICO Regions, Ken Macdonald, has recommended that “all organisations revisit their bulk email policies to ensure they have robust procedures in place.” Charities should put in place a bulk email policy detailing the correct procedures to be used when sending such correspondence. Charities that already have a policy should review it to ensure it is “robust” and meets the ICO’s expectations.
Data protection policies are more than just a “tick-box” exercise and should be created giving genuine consideration to what types of personal data an organisation will process and how. Charities should ask themselves how they can show that they handle personal data in a way that complies with data protection principles by considering the following:
Complying with data protection laws is a matter that organisations need to keep constantly under review; they should not stagnate with outdated policies or procedures. If you are unsure whether or not your organisation is complying, please get in contact with us. We can carry out a data protection audit for you, let you know if there are any gaps in your processes and procedures that could leave your charity vulnerable, and tell you the best way to remedy any issues and prevent data protection breaches.