ICO investigating charity data sharing

By Christopher Graham, Information Commissioner

junk-mailThe reports in the Daily Mail about data sharing in the charity sector are clearly concerning. We’ve launched an investigation to work out exactly what has happened, and if the law’s been broken then we will take action.

The Data Protection Act is very clear: the very first principle is that your data should only be processed fairly and lawfully. What has been described in the papers this week doesn’t look like that. If Samuel Rae is still being plagued with unwanted mail and unwanted approaches, then it is really beside the point whether or not he ticked a box in 1994.

The law expects you to bear in mind people’s interests and people’s expectations. If people say ‘I never gave you permission to do that’ and you respond ‘well, yes you did actually, because in 1994 you forgot to tick a box’, then that isn’t consent. That doesn’t give you the right to trade in people’s personal information years after the event

There is a danger here of blackening a whole sector. Charities seem to be becoming the new dirty word, and that clearly isn’t fair. But the rules on data protection and the rules about privacy and electronic communications apply to all who are processing data, whether businesses or charities. Everyone’s got to stick to the law, and if the law’s been broken then we will act.

We’ve got the power to issue civil monetary penalties where there have been serious breaches of the Data Protection Act – of up to £500,000. If there’s been criminal activity then we’ll prosecute in the magistrates court.

Our work is part of three investigations going on into the charity sector at the moment. As well as my enforcement team’s investigation, there’s Sir Stuart Etherington’s work, sponsored by the Cabinet Office, looking at the regulation of charity fundraising, and there’s also a parliamentary select committee looking at this. I think when all that work’s been done we’ll see if any changes to the law are necessary. My job is to enforce the law as it stands.

Over the last five years we’ve been working with the police and Trading Standards on a project called Think Jessica, which is all about vulnerable people being placed on what are called ‘suckers lists’ and being targeted again and again and again by scam merchants. If there’s any connection between the good work that charities do and the scam merchants, that’s very concerning and we’ve got to get to the bottom of how that information has been passed on.

A very interesting development in this story is the use of the right of subject access, which everyone has under the Data Protection Act. It means you can ask organisations to show you what they hold on you, which could help you track down how your information may be being misused. There’s more details about this on our website.

Note: this blog is based on Christopher Graham’s comments on the Today programme on 1 September. You can hear those comments in full via the BBC’s iplayer service (starts 1:34:10).

Christopher GrahamChristopher Graham, Information Commissioner, has a range of responsibilities under the Freedom of Information Act 2000, the Data Protection Act 1998 and related laws.

Last updated 02/09/2015 15:25

This entry was posted in Christopher Graham and tagged , , , , , , , , . Bookmark the permalink.

Leave a Reply