ICO Set to Fine 11 Charities

ICO Set to Fine 11 Charities

The UK’s privacy watchdog is set to fine 11 charities for breaching the Data Protection Act, it revealed on Monday.

The Information Commissioner’s Office (ICO) said it will give the unnamed charities 28 days to respond to its findings before making a final decision on what kind of enforcement to take.

An ICO spokeswoman told Infosecurity that the 11 charities slated for financial penalties are in addition to the Royal Society for the Protection of Cruelty to Animals (RSPCA) and British Heart Foundation (BHF), which both had fines levied against them in December 2016.

“They were all – including the RSPCA and BHF – investigated following media reports about repeated and significant pressure on supporters to donate,” she explained.

Those two are said to have secretly screened millions of their donors to target them for money; used personal info pieced together from other sources to target new and lapsed members and traded personal details with other charities, according to the ICO.

The RSPCA was fined £25,000 and the BHF £18,000, although commissioner Elizabeth Denham claimed the figure could have been 10 times higher had she not exercised considerable discretion in the cases.

“The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for even more money,” she said at the time.

“Our investigations suggest that the activities we’ve fined the RSPCA and the British Heart Foundation for today are also being carried out by some other charities.”

The watchdog is typically combining its enforcement action with education and outreach, in the form of the Fundraising and Regulatory Compliance Conference, to be held in Manchester on 21 February.

It’s set to help charities and their boards better understand the regulatory requirements and expectations of the Data Protection Act and the forthcoming GDPR.

Source: Information Security Magazine