The charity sector’s incompetent data practices have now engulfed St Ives-owned data business Response One, after it emerged that both the RSPCA and British Heart Foundation shared hundreds of thousands of donor records through the Reciprocate database without gaining adequate permission.
The Information Commissioner’s Office published two separate reports late last week on both the RSPCA and the BHF, which have led to nominal fines of £25,000 and £18,000 respectively.
The ICO insists it could have fined both charities “ten times” as much but Commissioner Elizabeth Denham “has exercised her discretion in significantly reducing the level of today’s fines, taking into account the risk of adding to any distress caused to donors by the charities’ actions”.
In its report into the RSPCA, the regulator says the charity disclosed up to 794,768 details over nearly two decades – between 1998 and 2015 – through Reciprocate, including names, addresses, Gift-Aid statuses and the amounts of their last donations.
The RSPCA had confessed in November 2015 that it had shared the data of 15,028 opted-out supporters through the scheme, but insisted this had occurred due to the “wrong dataset being made available”.
The RSPCA also provided its entire database of supporters to wealth management companies to analyse the probability of them providing financial support, sharing the personal details of more than 7 million people.
Meanwhile, the ICO’s final report on the BHF showed that between January 2012 and July 2015, the charity used the Reciprocate scheme to share with about 40 charities more than a million data records relating to 552,092 people.
The BHF was also found to have passed on between 800,000 and 2.6 million records annually for wealth screening between 2010 and 2014. In total, the BHF disclosed records containing the personal data of more than 5 million supporters, the ICO said.
Additionally, between 2010 and 2015 the BHF disclosed records containing the personal data of more than 700,000 people for the purposes of tele-matching and data-matching, the regulator says. It estimates that the RSPCA’s tele-matching and data-matching activities involved more than 1 million people.
However, the ICO ruled that the terms of both the RSPCA and BHF fair processing notices were “unduly vague and ambiguous” and did not provide supporters with adequate information about how their data was being shared via the Reciprocate scheme or with wealth management firms.
The ICO therefore ruled that both charities did not have permission to share any of this data and found them in contravention of Data Protection Principles 1 and 2. It added that the contraventions were of a kind likely to cause “substantial damage or substantial distress”.
Elizabeth Denham added: “The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for even more money.
“Our investigations suggest that the activities we’ve fined the RSPCA and the British Heart Foundation for today are also being carried out by some other charities.
“This widespread disregard for people’s privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator’s fine for their charity’s misuse of personal information.”