The Information Commissioner’s Office has fined eleven charities that breached the Data Protection Act by misusing donors’ personal data.

ICO investigations found many of the charities secretly screened millions of donors so they could target them for additional funds. Some charities traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And some traded personal details with other charities, creating a large pool of donor data for sale.

The action follows penalties issued to two charities in December 2016.

The charities fined were:

The International Fund for Animal Welfare - £18,000

Cancer Support UK (formerly Cancer Recovery Foundation UK) - £16,000

Cancer Research UK - £16,000

The Guide Dogs for the Blind Association - £15,000

Macmillan Cancer Support - £14,000

The Royal British Legion - £12,000

The National Society for the Prevention of Cruelty to Children - £12,000

Great Ormond Street Hospital Children’s Charity - £11,000

WWF-UK - £9,000

Battersea Dogs’ and Cats’ Home - £9,000

Oxfam - £6,000

A summary of how each charity breached the law can be found here.

The Information Commissioner has exercised her discretion in significantly reducing the level of today’s fines, taking into account the risk of adding to any distress caused to donors by the charities’ actions. The same approach was taken to fines issued to the Royal Society for the Prevention of Cruelty to Animals (£25,000) and British Heart Foundation (£18,000) in December.

Information Commissioner Elizabeth Denham said:

“Millions of people will have been affected by these charities’ contravention of the law. They will be upset to learn the way their personal information has been analysed and shared by charities they trusted with their details and their donations.

“No charity wants to alienate their donors. And we acknowledge the role charities play in the fabric of British society. But charities must follow the law.”

The charities were investigated by the ICO as part of a wider operation sparked by reports in the media about repeated and significant pressure on supporters to contribute. There are no other outstanding investigations into charities as part of that operation.

Elizabeth Denham added:

“These fines draw a line under what has been a complex investigation into the way some charities have handled personal information. While we will continue to educate and support charities, we have been clear that what we now want, and expect, is for charities to follow the law.”

In February, the ICO, the Charity Commission and the Fundraising Regulator held a conference for charity trustees, aimed at informing, educating and providing clarity to the sector. The ICO website also has detailed guidance on the rules around data sharing and marketing.

Notes to Editors

The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.

Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

fairly and lawfully processed;

processed for limited purposes;

adequate, relevant and not excessive;

accurate and up to date;

not kept for longer than is necessary;

processed in line with your rights;

secure; and

not transferred to other countries without adequate protection.

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications. There are specific rules on:

marketing calls, emails, texts and faxes;

cookies (and similar technologies);

keeping communications services secure; and

customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations.