Last year, for the first time since the GDPR came into force, the Information Commissioner’s Office (ICO) fined a number of UK not-for-profit organisations and charities for failures to comply with data protection law. Third Force News reported in October 2021 on a Scottish case where the ICO imposed a £10,000 fine following investigation into a data breach.
ICO enforcement action in recent cases shines a spotlight on what the regulator expects to find when investigating complaints in the sector. It also highlights risk areas where ‘quick fixes’ may be available to help protect against the risk of problems.
Data protection risks in the voluntary sector
Not-for-profit organisations and charities often process sensitive personal data about those they support. From a data protection perspective, there are several challenges and danger areas particular to the sector.
One is how the UK GDPR requires organisations to provide information about how they process personal data. The information must be concise, transparent, intelligible, easily accessible and use clear and plain language. ICO guidance expects organisations to consider the audience provided with this legally required information.
Risk: Organisations supporting people who have learning difficulties, for example, need to be confident they can show how this was given proper consideration.
Organisations using volunteers are also exposed to additional risk. The ICO expects those whose work involves using personal information to receive training on data protection before they access and use it. This will apply to volunteers, as well as staff.
Quick Fix: Keeping records to show training was provided and what it covered will help show that an organisation has met those requirements.
Quick Fix: Internally, specific policies and practices to ensure the secure handling of personal data would also need to be in place as part of an organisation’s security measures.
HIV Scotland case - what happened?
There had been no previous data breaches at HIV Scotland, where the ICO took enforcement action because an email was sent without appropriate security to 105 recipients. The email disclosed the identity of 65 recipients whose names featured within their email address. Regrettably the message was not sent ‘bcc’ and from the email’s content, special category data could be inferred about HIV status.
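The failure described above is the classic one: the recipients of a bulk message were placed in a visible header instead of Bcc, so every recipient could see every other address. The following added example (not code from the article or from any organisation it names) shows the kind of pre-send guard that catches this. It assumes a constructed policy threshold of one visible address and constructed example addresses; real organisations would tune the threshold and plug the check into whatever mailing tool they use.

```python
"""Pre-send guard for bulk mailings (constructed example, not the article's code).

Two controls are modelled:
  1. check_bulk_safe() refuses a message whose To/Cc headers expose more
     recipients than the policy allows, so a message sent "To" 105 people
     is stopped before it leaves.
  2. build_bulk_message() / prepare_for_transmission() put recipients in Bcc,
     hand them to the mail server as envelope recipients, and strip the Bcc
     header from the bytes that are actually sent.
"""
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 1  # constructed policy: only the sender's own address may be visible

# Constructed sample data; these are not real people or mailing lists.
CONSTRUCTED_SENDER = "team@example.org"
CONSTRUCTED_RECIPIENTS = [
    "alice.example@example.org",
    "bob.example@example.org",
    "carol.example@example.org",
]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address that each recipient of msg would be able to see."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_bulk_safe(msg: EmailMessage, max_visible: int = MAX_VISIBLE_RECIPIENTS) -> tuple[bool, str]:
    """Policy check to run before sending; returns (ok, reason)."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        return False, f"{len(seen)} addresses would be visible to every recipient; use Bcc"
    return True, "ok"


def build_bulk_message(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Build a mailing where the only visible address is the sender's own."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                      # visible header carries no recipient identities
    msg["Bcc"] = ", ".join(recipients)      # actual recipients stay hidden from each other
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def prepare_for_transmission(msg: EmailMessage) -> tuple[list[str], bytes]:
    """Return (envelope recipients, wire bytes).

    The SMTP envelope needs every To/Cc/Bcc address, but the Bcc header must
    not appear in the transmitted message, so it is removed before serialising.
    (smtplib.send_message performs the same stripping; this makes it explicit.)
    """
    all_headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    envelope = [addr for _, addr in getaddresses(all_headers) if addr]
    del msg["Bcc"]
    return envelope, msg.as_bytes()


def unsafe_example() -> EmailMessage:
    """The mistake: every recipient listed in the visible To header (constructed)."""
    msg = EmailMessage()
    msg["From"] = CONSTRUCTED_SENDER
    msg["To"] = ", ".join(CONSTRUCTED_RECIPIENTS)
    msg["Subject"] = "Newsletter"
    msg.set_content("Constructed body text.")
    return msg


if __name__ == "__main__":
    print(check_bulk_safe(unsafe_example()))
    safe = build_bulk_message(CONSTRUCTED_SENDER, CONSTRUCTED_RECIPIENTS, "Newsletter", "Constructed body text.")
    print(check_bulk_safe(safe))
    rcpts, raw = prepare_for_transmission(safe)
    print(rcpts, b"Bcc" in raw)
```

The check is deliberately a simple count: the sensitive inference in the HIV Scotland case came from the message content combined with the visible address list, so the control is to keep the address list invisible, not to inspect the body.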
What can be learned?
HIV Scotland could demonstrate awareness of its data protection security obligations. At the time of the breach, it was moving mailing lists to a more secure system. The ICO criticised how those lists with sensitive information were not prioritised, however – a clear indication that the regulator will not be sympathetic to organisations who take no action to identify data protection risks.
Top Tip: All organisations should have an assessment and an action plan prioritising what steps need taken for data protection compliance, and a timeframe for completion.
Deleting dormant emails and security settings
In July 2021, enforcement action was taken against another charity, Mermaids. Its staff received mandatory annual data protection training, but from the ICO’s perspective that training was evidently ineffective, as shown by the organisation’s negligence in allowing a dormant email group to remain accessible. Emails within it had been created with the least secure settings available, and in the ICO’s view, given the nature of the services provided by that charity, more stringent safeguards should have been in place to protect sensitive personal data.
Quick Fix: Updating security settings and deleting information which is no longer needed are zero-cost quick fixes which can quickly and effectively reduce data security risks for an organisation.
BIO: Sean Morris (Solicitor) is a Legal Manager at Navigator Law. For information about upcoming free events or to subscribe to their newsletter, visit Navigator Employment Law – The flexible employment, HR, health & safety and data protection advice service (navigatorlaw.co.uk)