Risk reviews conducted by the Information Commissioner’s Office have revealed ‘areas of concern’ among eight different charities.
The ICO conducted the risk reviews of a random eight charities after its enforcement against 13 charities in the period between December 2016 and April 2016.
The watchdog has refused to identify the charities involved in the research, but has said it sought out charities where concerns about data were identified during its investigation into the sector between 2015 and 2017 that did not warrant a financial penalty.
The ICO’s findings highlighted a number of concerning areas among charities’ internal operations, including incident reporting, consent and data sharing and monitoring and reporting risk.
According to the ICO’s conclusive report, the majority of the eight charities “did not undertake any routine data protection or direct marketing policy compliance checks”, while compliance checks on data processors were “inconsistent”. Only three of the eight carried out any form of routine check.
The research also revealed only two of the charities had a “consistent and co-ordinated approach to fair processing notices” and most did not have any form of sign-off process, meaning they varied in both content and quality.
The risk reviews also shed light on a lack of overarching business continuity plans among charities, claiming the plans that were in place “did not necessarily identify critical systems and were not always routinely tested”.
Training also proved to be an area of concern among many of the organisations, with the majority failing to provide any annual refresher training. Furthermore, the ICO found staff and volunteers at said charities did not receive any data protection training before being allowed to access or process personal data.
Few provided specialist training or carried out a training needs analysis to assess training requirements of roles/individuals, the ICO added.
Commenting on the findings, ICO head of assurance, Anulka Clarke, said the project identified “many areas of good practice at charities, along with some areas of concern”.
“We will continue to work with the sector to further increase public trust and confidence for the benefit of charities and their donors.”
The eight charities agreed to let the regulator audit their practices around data protection and direct marketing, with a view to showing that the ICO’s engagement with charities “is not just about fines and enforcement, but to encourage genuine, ongoing improvements in the wider sector”.
“The ICO plans more work in the coming months to further encourage improvements in the sector, which we will share with key charity sector media stakeholders in due course,” an ICO spokesperson said.