Charities and voluntary organisations are third sector, not-for-profit organisations and whilst they benefit from numerous exemptions, they are not overlooked when it comes to data protection regulation. The Data Protection Act 2018 (the UK's implementation of GDPR) applies to any individual/company that handles personal data. Personal data can be defined as any information on a living identified or identifiable person. Volunteers have the same responsibilities as any other employees when it comes to upholding high data protection standards and, as such, they require thorough data protection training in order to mitigate the risk of a breach.
When to Appoint a Data Protection Officer (DPO)
A Data Protection Officer (DPO) is an external, independent expert in data protection who reports to the highest level of management. The DPO can be an existing employee or an externally appointed individual. All companies are allowed to appoint a DPO, but only companies that fall into one of the following categories are required to do so:
- Public authorities
- Companies whose core activities include large scale systematic monitoring of individuals
- Companies whose core activities include large scale processing of special categories of data or data regarding criminal convictions/offences
The Issue of Consent
The new data protection legislation requires that organisations, including charities and voluntary organisations, obtain valid consent when collecting and processing personal data. Consequently, any consent you have obtained in the past must be checked for validity under the new legislation and re-obtained if deemed unsatisfactory. In order for consent to be valid it must fulfil the following criteria:
- It must be freely given
- It must require an affirmative action
- It must be specific and cover the controller's name, the purpose of processing and the types of processing activity that will be undertaken
- It must be explicitly expressed in words
Privacy Notices and SARs
Data subjects (individuals who have personal data held about them) have the right to be informed about the way in which their data will be processed. Companies are required to issue a privacy notice detailing how they intend to use a subject's data. The privacy notice must be concise, transparent, easily accessible, easy to understand, and free of charge.
Data subjects also have the right to view precisely what data is held about them by various organisations, which is known as a data subject access request (DSAR). In order to access this data they must submit a Subject Access Request (SAR) to the data controller. The data controller is then obliged to respond to the request within one month. Data subjects are entitled to the following information:
- Confirmation that you are processing their data
- A copy of their personal data
- Other supplementary information, most of which will feature in your privacy notice
High Profile Charity Data Protection Breaches
- Late in 2017, Age UK leaked thousands of staff files in two data breaches. Information included names, addresses, dates of birth and national insurance numbers of past and present employees. The data disclosed because of the breach was everything criminals needed in order to commit identity fraud, and left Age UK with no choice but to pay £100,000 to fraud prevention services to protect those affected. This is £100,000 that the organisation would not be able to use to support the elderly.
- In November 2017 the charity Change, Grow, Live changed premises. Over 100 files were left behind in the move, some of which contained highly sensitive information. Included in the forgotten files were details of beneficiaries' experience of abuse and addiction. Public trust in the charity dropped significantly as the press caught wind of the breach and its reputation has been irreversibly damaged.
Data breaches could mean big trouble for charities and other voluntary organisations, as they rely so heavily on public interest and branding for support/donations. Whilst complying with the DPA 2018 and GDPR can seem overwhelming, particularly for smaller organisations, the data protection principles are not merely a box-ticking exercise. Good data protection signifies to your donors that you respect their privacy and the work you do.