ADVISORY NOTE 03/2024 – charities, trustees & Data protection

Background

The third sector is an integral part of the UK economy. With an annual income of £56bn and employment growing faster than other sectors, this is an opportune time for charities to look inwardly on themselves in terms of their compliance with data protection legislation.

Charities can be global or national or small and focused, providing support at a local level. No matter what their size, most, if not all, charities will process personal data whether in relation to their own staff, trustees and volunteers or sponsors and donors.

To that end, charities of all sizes will need to comply with the requirements of relevant data protection legislation including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA18) and the Privacy and Electronic Communications Regulations (EC Directive) 2003 (PECR). Global charities will also need to comply with data protection legislation in the countries in which they are processing personal data.

Data protection overview

Charities have different legal structures, including incorporated charities and unincorporated charities. Responsibility, and potential personal liability, will depend on the legal status of the charity; however, all charities that process personal data will be ‘controllers’ in terms of the UK GDPR, no matter what their status.

In the UK, there are some exemptions for not-for-profit organisations in terms of paying the notification fee to the ICO, but charities will still need to comply with the requirements of the relevant data protection legislation even if they are exempt from paying the fee. Limited exemptions also apply to some of the compliance requirements such as the need to maintain a full Record of Processing Activity (ROPA) in accordance with Article 30 of the UK GDPR.

Data protection legislation (specifically the UK GDPR) sets out the overriding principles which underpin the framework for compliance. These include ensuring that any processing of personal data is fair, lawful, and transparent, that personal data is only used for the purpose for which it was collected, that only relevant and necessary personal data is processed, that personal data is accurate and not kept for longer than necessary, and that there are adequate security measures in place to protect the personal data that is being processed.

Accountability

One of the fundamental principles of the data protection legislation is the accountability principle which requires organisations, including charities, to demonstrate how they comply with the requirements of the legislation. For example, a controller must embed a culture of privacy and compliance that pervades the whole organisation, instilled through a proactive training and awareness programme, and supported by various policies and procedures.

Governance and the role of trustees

Good governance is equally important in terms of data protection compliance. There must be senior level buy-in, and, in the context of charities, this means senior leadership teams, trustees, and committee/board members. Trustees are legally obliged to comply with charity law requirements, and other laws applicable to the charity, so compliance with relevant data protection legislation is a fundamental part of a trustee’s responsibilities.

To that end, there should also be senior level oversight of data protection risks and mitigations, including, but not limited to, the signing-off of data protection policies and procedures as appropriate. Many charities have boards and committees in place that oversee data protection matters and provide senior level oversight, as there is significant reputational risk when things go wrong. Accordingly, accountability sits with the charity’s senior management, i.e. the trustees.

Trustees may also be personally liable for any financial loss they cause or help to cause. Trustees therefore have significant responsibilities, and the Charity Commission (for England and Wales) has set out those responsibilities in detail.

Data protection risks for charities

The ICO carried out an investigation into charity fundraising practices between 2015 and 2017, and subsequently fined 13 charities for noncompliance with relevant data protection legislation. The main issues were to do with wealth screening (e.g. a lack of transparency), marketing practices and inappropriate data sharing.

There have also been significant fines and enforcement action taken more recently in relation to charities, particularly in the context of marketing activities. Notwithstanding the regulatory action taken by the ICO, significant risks remain, and charities generally need to ensure that any processing activities which involve the following are compliant with the requirements of the relevant data protection legislation:

  • Wealth screening
  • Direct marketing
  • Fundraising
  • Data sharing
  • Day-to-day processing of special category data and criminal offence data

Potential regulatory action

Trust and reputation are important and charities risk significant reputational damage if they infringe the relevant data protection legislation and become subject to regulatory action by the ICO, including, but not limited to the serving of any of the following notices:

  • Information Notice
  • Assessment Notice
  • Enforcement Notice
  • Monetary Penalty Notice

Charities are not exempt from regulatory action, and numerous charities have been issued Monetary Penalty Notices [fines] for poor data protection practices. Clearly fines have a substantial impact on charities, but Enforcement Notices can be equally damaging, as the Information Commissioner can mandate specific action to resolve an issue or halt processing altogether. A charity was recently stopped from undertaking direct marketing activities.

In any event, any regulatory action is likely to lead to reputational damage and a lack of trust in terms of the charity’s ability to process personal data. Other regulators, including the Charity Commission and the Fundraising Regulator, can also take action when there is a data protection incident.

Compliance

Many charities have worked hard to ensure compliance with relevant data protection legislation and, consequently, they will have an adequate data protection framework in place. Some charities will however be less mature and will need to address the following:

  • Ensure senior level responsibility for data protection within the charity;
  • Ensure that trustees are aware of their responsibilities and have been adequately trained on privacy and data protection related matters;
  • Consider whether a Data Protection Officer is required or, if not, whether there is sufficient knowledge of data protection legislation and practices within the charity to be confident that all processing activities, e.g. fundraising, are compliant;
  • Undertake a data mapping exercise to understand and document what type of personal data is being processed, the purpose of the processing, the legal basis for the processing, who it is shared with and how long it is kept;
  • Ensure that all the relevant policies and procedures are in place and that staff/volunteers/trustees are aware of them; and,
  • Ensure processes and procedures are in place to comply with data subject rights requests, i.e. the right to be informed and the right to access personal data.

International data transfers

Global charities and charities that transfer personal data out of the UK and/or EEA will need to ensure their processing is compliant with the relevant data protection legislation. The UK’s position on applying ‘appropriate safeguards’ when transferring personal data to a country not deemed ‘adequate’ by the UK Government is set out in Article 46 of the UK GDPR. The revised mechanism includes the International Data Transfer Agreement (IDTA) and the requirement to use the UK Addendum when transferring personal data using EU Standard Contractual Clauses (2021 version).

Charities should review their transfer arrangements as the EU Standard Contractual Clauses are no longer valid in the UK unless supported by the UK Addendum. There are a number of other safeguards including the IDTA (above) or Binding Corporate Rules or, alternatively, there are a number of exceptions which may be valid for one-off transfers. Charities should review their transfer arrangements to ensure that they are compliant with the provisions contained in relevant data protection legislation.

Conclusion

Implementing appropriate technical and organisational measures helps to ensure the charity’s processing of personal data is compliant with the relevant data protection legislation. Doing so increases trust, and donors will be more inclined to engage with the charity and support worthy causes. It also means the charity can work towards being an exemplar of best practice in what can be a competitive sector, particularly as garnering support may be difficult at this time due to increases in the cost of living and donors potentially being more limited in terms of donations. Reducing the risk of incidents and breaches occurring is fundamental to this, as any regulatory action will tarnish the reputation of the charity as well as potentially having a significant financial impact if a fine is issued.