ICO risk reviews reveal ‘areas of concern’ among eight charities

Written by Lauren Weymouth

Risk reviews conducted by the Information Commissioners Office have revealed ‘areas of concern’ among eight different charities.

The ICO conducted the risk reviews for a random eight charities after its enforcement against 13 charities in the period between December 2016 and April 2016.

The watchdog has refused to identify the charities involved in the research, but has said it sought out charities where concerns about data were identified during its investigation into the sector between 2015 and 2017, but did not warrant a financial penalty.

Results from the ICO's findings highlighted a number of concerning areas among charities’ internal operations, including incident reporting, consent and data sharing and monitoring and reporting risk.

According to the ICO’s conclusive report, the majority of the eight charities “did not undertake any routine data protection or direct marketing policy compliance checks”, while compliance checks on data processors were “inconsistent”. Only three of the eight carried out any form of routine check.

The research also revealed only two of the charities had a “consistent and co-ordinated approach to fair processing notices” and most did not have any form of sign-off process, meaning they varied in both content and quality.

The risk reviews also shed light on a lack of overarching business continuity plans among charities, claiming the plans that were in place “did not necessarily identify critical systems and were not always routinely tested”.

Training also proved to be an area of concern among many of the organisations, with the majority failing to provide any annual refresher training. Furthermore, the ICO found staff and volunteers at said charities did not receive any data protection training before being allowed to access or process personal data.

Few provided specialist training or carried out a training needs analysis to assess training requirements of roles/individuals, the ICO added.

Commenting on the findings, ICO head of assurance, Anulka Clarke, said the project identified “many areas of good practice at charities, along with some areas of concern”.

“We will continue to work with the sector to further increase public trust and confidence for the benefit of charities and their donors.”

The eight charities agreed to let the regulator audit their practices around data protection and direct marketing, with the view to show the ICO’s engagement with charities “is not just about fines and enforcement, but to encourage genuine, ongoing improvements in the wider sector”.

“The ICO plans more work in the coming months to further encourage improvements in the sector, which we will share with key charity sector media stakeholders in due course,” an ICO spokesperson said.

Related Articles

  • Charity Times Awards Event Date: 2nd October 2019 Event Deadline: Park Plaza, Westminster Bridge, London For booking and enquiries email linda.libetta@charitytimes.com
  • Charity Times Pensions Roundtable Event Date: 10th October 2019 Event Deadline: Barnett Waddingham, 2 London Wall Place, London For booking and enquiries email linda.libetta@charitytimes.com
  • Investors Forum – Climate Change Event Date: 22nd October 2019 Event Deadline: 1 Birdcage Walk Westminster, London SW1H 9JJ For booking and enquiries email linda.libetta@charitytimes.com
  • Charity Times Annual Conference Event Date: 6th May 2020 Event Deadline: The Waldorf Hilton, London
  • Property Roundtable Event Date: 2020 TBC Event Deadline: Searcy’s at the Gherkin For booking and enquiries email linda.libetta@charitytimes.com
  • Better Society Awards Event Date: 23rd May 2019 Event Deadline: 25th January 2019 London Marriott Hotel, Grosvenor Square, London
Most read stories...