ICO investigation reveals how charities have been exploiting supporters

The Royal Society for the Prevention of Cruelty to Animals (RSPCA) and British Heart Foundation (BHF) secretly screened millions of their donors so they could target them for more money, a comprehensive ICO investigation has found.

The ICO said so-called “wealth screening” was one of three different ways both charities breached the Data Protection Act by failing to handle donors’ personal data consistent with the legislation.

The charities also traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And they traded personal details with other charities creating a massive pool of donor data for sale. Donors were not informed of these practices, and so were unable to consent or object.

Information Commissioner Elizabeth Denham said:

“The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for even more money.”

The investigation was one of a number into the fundraising practices of charities. The investigations were sparked by reports in the media about repeated and significant pressure on supporters to contribute.

Ms Denham said:

“Our investigations suggest that the activities we’ve fined the RSPCA and the British Heart Foundation for today are also being carried out by some other charities.

“This widespread disregard for people’s privacy will be a concern to donors, but so will the thought that the contributions people have made to good causes could now be used to pay a regulator’s fine for their charity’s misuse of personal information.”

Ms Denham has exercised her discretion in significantly reducing the level of today’s fines, taking into account the risk of adding to any distress caused to donors by the charities’ actions, particularly in the context of potential further penalties in the sector as a result of ongoing investigations. She has fined the RSPCA £25,000 and BHF £18,000.

She said: “My exercise of discretion should not take away from how serious these breaches were, nor from how disappointed donors will be with the two charities we’ve fined today. The law exists to protect people’s rights and it applies irrespective of how altruistic the organisation’s motives might otherwise be.”

In similar situations, fines could have been ten times as much. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the ICO.

Below is a summary of the three ways the RSPCA and BHF breached the Data Protection Act.

Wealth screening

The charities employed wealth management companies to analyse the financial status of supporters to estimate how much more money they could be persuaded to give.

Information typically included supporters’ names and addresses, dates of birth and the value and date of the last donation.

The wealth management companies used other information from publicly available sources to investigate income, property values, lifestyle and even friendship circles. They were also able to identify donors most likely to leave money in their wills.

What the RSPCA did

The charity told the ICO that it repeatedly wealth screened all seven million of its supporters. It did not have their consent to do so. During the investigation, the RSPCA said the practice was common, it had been doing it since 2010 and it had no plans to stop.

The RSPCA later informed the ICO, in August 2016, that it had suspended wealth screening activities.

What BHF did

The charity told the ICO it had been screening donors since “at least” 2009. Between April 2010 and August 2014 it provided records to wealth management companies containing the personal data of several million people. It did not have their consent to do this. During the investigation, BHF told the ICO it had no plans to continue screening.

Data and tele-matching

When donors chose not to provide information, the charities hired companies to find it out. The companies used existing data or phone numbers to fill in the gaps. For example, they used an old phone number to trace a new one or used an email address to track down a postal address. Charities could then use the additional information, which the donor did not know they had, to contact them for donations.

What the RSPCA did

The charity had been data and tele-matching since “at least” 2009. It could not produce records of how many people’s personal data had been shared with data and tele-matching companies, but it is likely to exceed one million. The ICO investigation was informed the RSPCA had not stopped this practice. The RSPCA later informed the ICO, in August 2016, that it had ceased data-matching activities to obtain data that the data subject had not already provided.

What BHF did

The charity has been tele-matching since 2005. Between April 2010 and April 2015 it provided records containing details of several hundred thousand people to a tele-matching company. In 2013 it provided tens of thousands of records for data matching purposes.

Data sharing

The RSPCA and BHF were part of a scheme called Reciprocate where they could share or swap personal data with other charities to get details of prospective donors. Typically the data included names, addresses, last donation date and amount, Gift Aid status and whether they were a regular donor.

Both charities gave donors the chance to opt out of allowing their data to be shared with “similar organisations” but the ICO found this description to be vague. The ICO found the charities did not provide people with enough information to make a decision to opt out.

What the RSPCA did

The RSPCA admitted it did not know which charities were part of the scheme, so it could not say if personal data was only shared with charities involved in animal welfare as it had promised. Between 1998 and 2015, it disclosed hundreds of thousands of records each year.

The ICO also found that details of RSPCA supporters were shared via the Reciprocate scheme even though they had ticked the box to opt-out.

What BHF did

The charity maintained it had the consent required to share donors’ details. But the ICO ruled it did not, as the nature of the scheme meant the charities it shared personal data with were not necessarily similar or partner organisations. Between January 2012 and July 2015, it disclosed over one million personal records through the scheme.

Next steps

The ICO is committed to ensuring compliance within the sector. It will organise an educational event in partnership with the Charity Commission and the Fundraising Regulator. The ICO will also lay an in-depth report before Parliament in 2017. The penalty notices will be published on the ICO website on Friday 9 December.

Notes to Editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

  2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

  3. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.

  4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

    • fairly and lawfully processed;

    • processed for limited purposes;

    • adequate, relevant and not excessive;

    • accurate and up to date;

    • not kept for longer than is necessary;

    • processed in line with your rights;

    • secure; and

    • not transferred to other countries without adequate protection.

  5. The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications. There are specific rules on:

    • marketing calls, emails, texts and faxes;

    • cookies (and similar technologies);

    • keeping communications services secure; and

    • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

      We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations.

  6. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.

  7. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.

Article extracted from https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/12/ico-investigation-reveals-how-charities-have-been-exploiting-supporters/