The Information Commissioner’s Office has fined 11 charities for breaching data protection rules.

Fines have been issued to the International Fund for Animal Welfare, Cancer Support UK, Cancer Research UK, Guide Dogs, Macmillan Cancer Support, The Royal British Legion, NSPCC, Great Ormond Street Hospital Children’s Charity, WWF-UK, Battersea Dogs’ and Cats’ Home, and Oxfam.

The ICO said its investigations found many of the charities secretly screened millions of donors in order to target them for additional funds. Some traced and targeted new or lapsed donors by piecing together personal information obtained from other sources, and some traded data with other charities creating a large pool of information for sale.

The Charity Commission has announced it has opened compliance cases into the charities. The regulator is assessing whether the charities’ trustees have acted in accordance charity law.

International Fund for Animal Welfare was fined £18,000 for sharing almost 4.95 million donor records, wealth screening, and gathering information not provided by individuals. Cancer Support UK, formerly Cancer Recovery Foundation UK, was fined £16,000 for sharing almost 3.1 million donor records between 2010 and 2016.

Cancer Research UK was fined £16,000 for wealth screening more than 3.5 million supporters, and finding out information not provided by individuals. Guide Dogs was fined £15,000 for wealth screening nearly 1.8 million supporters, and finding out information not provided by individuals.

The ICO said the charity also called supporters who were registered with the Telephone Preference Service.

Macmillan Cancer Support was fined £14,000 for wealth screening supporters in 2009 and 2014, and gathering information not provided by individuals. The Royal British Legion was fined £12,000 for wealth screening records in 2010, 2012, and 2014. The ICO said the charity also matched phone numbers and email addresses not provided by supporters.

NSPCC was fined £12,000 for collecting data not provided by individuals and wealth screening. Great Ormand Street Hospital Children’s Charity was fined £11,000 for sharing over 910,000 records, wealth screening, and matching email addresses and dates of birth to supporters that had not been provided.

WWF-UK was fined £9,000 for sharing donor records, wealth screening, and finding out information not provided by supporters. Battersea Dogs’ and Cats’ Home was fined £9,000 for finding out information not provided by supporters.

Oxfam was fined £6,000 for finding out information not provided by supporters. The ICO said its investigation also raised concerns about marketing text messages sent by the charity.

The ICO said fines had been “significantly reduced” to take into account the risk of adding to any distress caused to donors by the charities’ actions. Commissioner Elizabeth Denham said millions of people will have been affected by the charities breaching data protection rules.

The ICO acknowledges the role charities play in the fabric of British society, Denham said, but the organisations must follow the law.

“These fines draw a line under what has been a complex investigation into the way some charities have handled personal information. While we will continue to educate and support charities, we have been clear that what we now want, and expect, is for charities to follow the law.”

Institute of Fundraising chief executive Peter Lewis said good fundraising is grounded in making connections between people and the causes they care about. Understanding donors and personalising approaches ensures a better fundraising experience for everyone, Lewis said.

Understanding donors is also important to ensure charities do not approach people who prefer not to hear from them, Lewis said. But the ICO rulings highlight the importance of ensuring people are informed of how charities use their data.

“No charity knowingly wants to breach the rules, and charities work hard to meet the highest standards. The charities involved have responded by taking important steps to improve their practices. Charities respect their supporters’ rights and privacy and want to ensure that they get this right. There are still some questions on exactly how charities can make sure that they comply with the rules and we are working with the ICO to address these so that charities can continue to raise vital funds safely and lawfully to help the most vulnerable in society.”

The fines announced today follow the ICO’s announcement in December of fines of £25,000 to RSPCA and £18,000 to British Heart Foundation. The fines announced today were part of a wider operation, the ICO said, sparked by reports in the media about repeated and significant pressure on supporters to contribute.

The ICO said there are no other outstanding investigations into charities as part of that operation.

Charity Commission chief operating officer David Holdsworth said it is regrettable that further charities have been found in contravention of data protection requirements.

“Charities must learn the lessons from these fines and breaches,” he said. “The generous British public expect charities to safeguard their data and raise funds responsibly, and in return they donate in their millions. Sadly in these cases charities have not kept their side of the bargain. We are working with the charities concerned, the Information Commissioner and the Fundraising Regulator to ensure that any necessary remedial action is taken.”

Share Story: