The ICO fined both the RSPCA and the British Heart Foundation because of their wealth screening practices. This involved using third party companies to analyse the financial status of their supporters to estimate how much more money they could be persuaded to give. The charities also used third party companies to track down the contact details of potential donors who had chosen not to volunteer that information. In addition, the charities were part of a data sharing scheme called Reciprocate whereby they shared or swapped personal data with other charities to obtain details of prospective donors. As donors were not made aware of these practices, they were unable to either consent or indeed opt out.
The ICO fined the RSPCA £25,000 and the BHF £18,000 for using these practices. At the heart of the decision is the lack of transparency around what the charities were doing with donors’ data.
As part of the ICO’s ruling, it also held that these practices were likely to cause substantial distress and financial damage to the affected individuals. Accordingly, quite apart from the negative publicity generated, the charities may now also face damages claims from these individuals, particularly those who were not pre-existing donors to the RSPCA or BHF.The ICO placed a significant emphasis upon the welfare of the individuals who could be impacted by these practices, specifying that charities have a responsibility to their donors to protect their personal data. Ensuring compliance throughout the sector is of paramount importance to the ICO.
The consequences of using these practices is likely to become even more serious once the General Data Protection Regulation takes effect in May 2018. Under that regime, charities could be facing fines of up to Euro 20,000,000 or 4% of annual turnover, whichever is the greater, for engaging in these practices.
Please get in touch if you would like further information or advice on these or other data protection issues.