The charity sector’s data governance record has once again been found wanting after a voluntary audit carried out by the Information Commissioner’s Office on eight organisations revealed most did not carry out routine data protection compliance checks and were keeping records for far too long – in some cases indefinitely.
The ICO has refused to name the charities which took part in the reviews but confirmed they were not among the 13 charities which were fined last year for breaches of data regulations.
However, the ICO had identified concerns about them during its investigation of the sector published in 2017, but they were not serious enough to warrant fines.
An ICO spokesman said: “As a demonstration of their commitment to improving their practices, the eight charities agreed to let us come in and audit their practices around data protection and direct marketing.
“This also helped to demonstrate that the ICO’s engagement with charities was not just about fines and enforcement, but to encourage genuine, ongoing improvements in the wider sector.”
The report outlined several areas for improvement, including monitoring and reporting, training, consent and incident reporting. It said that the majority of charities visited “did not undertake any routine data protection or direct marketing policy compliance checks” and “compliance checks on data processors were also inconsistent with only three carrying out routine checks”.
The report said that only two charities visited had a “consistent and co-ordinated approach to fair processing notices” and most did not have “any kind of sign-off process and as a result they varied in content and quality”.
It also found that the majority of charities it visited were retaining personal data for far longer than was necessary, in some cases indefinitely, and that some charities’ IT systems did not allow for permanent deletion of records.
However, it was not all bad news; all the charities had clear governance structures in place and had either appointed data protection officers or were in the process of appointing them.
The ICO said most charities had moved to an opt-in approach to marketing consent and, where they were relying on consent to process data, the consent was sufficiently explicit, as required by GDPR, providing separate check boxes for each type of communication.
The ICO said that it was planning more work in the coming months to further encourage improvements in the sector.
Privacy chief accused of sucking up to the Daily Mail
ICO data abuse probe to trigger fines for 11 charities
24 firms under investigation for charity data failings
ICO donor data abuse inquiry probes Response One