An investigation by the Information Commissioner’s Office (ICO) has revealed that two national charities, the RSPCA and the British Heart Foundation, secretly screened millions of their donors so they could target them for more money. The ICO said that this practice breached the Data Protection Act as the charities failed to handle donors’ personal data in accordance with the legislation.
The charities also traced and targeted new or lapsed donors by piecing together personal information which was obtained from other sources. In addition, they traded data with other charities to create a pool of donor data which was available for sale. As the donors were not informed of these practices, they could not give their consent or object.
The investigation was one of a number by the ICO into the fundraising activities of charities sparked by media reports about pressure on donors to contribute. The Information Commissioner, Elizabeth Denham, fined the RSPCA £25,000 and the British Heart Foundation £18,000.
The ICO can take action, including penalties of up to £500,000, against organisations and individuals that collect, use and keep personal data. Anyone who processes personal information must comply with the eight principles of the Data Protection Act which make sure personal data is:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- accurate and up to date
- not kept for longer than is necessary
- processed in line with an individual’s rights
- secure and
- not transferred to other countries without adequate protection.