Charity Commission and ICO guidance on data protection for charities
Charities frequently hold sensitive information about the individuals they help. Charities are rightly conscious of the damage that could be done to individuals if the sensitive information was misused. Charities must also comply with their obligations under the Data Protection Act 1998. The Charity Commission published operational guidance on data protection in 2002, although there have been changes in law and practice since then. The Information Commissioner, the regulator with responsibility for data protection, has recently published its own tips and guidance to help charities comply.
The Information Commissioner's Office ("ICO") top tips for improvement are:
1. Tell people what you are doing with their information: You should be open and honest with people about how their information will be used - people should know what you are doing with their personal information and who their information will be shared with.
2. Make sure your staff are adequately trained: New employees should receive data protection training to explain how they should handle personal information; existing staff should receive regular refresher training.
3. Use strong passwords: All passwords should contain upper and lower case letters, a number and ideally a symbol. This helps to protect information from data thieves.
4. Encrypt all portable devices: All portable devices such as memory sticks and laptops which are used to hold and store personal information should be encrypted.
5. Only keep people's information for as long as necessary: Your organisation should establish data retention periods and there should be a process for securely deleting personal information once it is no longer required.
As well as highlighting the top tips, the ICO is also offering charities the opportunity to sign up to a free one day advisory visit from the ICO (contact the ICO on firstname.lastname@example.org). The advisory visit will act as a 'check up' to allow the ICO to review the charity's data handling practices and to offer practical advice to help with compliance. The ICO has also created a TH!NK PRIVACY toolkit specifically for the charity sector to help with awareness raising.
Organisations that commit serious breaches of data protection can receive a fine of up to £500,000 from the ICO. The ICO has indicated that he will take account of the nature of the organisation (e.g. voluntary/ charitable) and the organisation's available resources before determining the amount of the fine. However, trustees of a charity could be ultimately liable for paying the fine.
If you have any questions about data protection matters, please contact the Field Fisher Waterhouse LLP Privacy and Information Team.