In December 2016 the RSPCA and British Heart Foundation were fined by the Information Commissioner’s Office (ICO) for breaching the Data Protection Act 1998. Millions of donors’ personal data was misused in three ways:
1. Wealth screening: both charities employed wealth management companies to gather publicly available information about their donors in order to assess their income, property ownership, lifestyles, and friendship circles. These companies advised on how much donors might be persuaded to give in the future, and who might be most likely to leave money in their will.
2. Obtaining information: When donors opted out of providing certain information, the charities hired companies to collect this information anyway, through processes of data and tele-matching (for example, by tracing a current phone number from an old one, or using an email address to obtain a postal address). The data was then used to contact people for further donations.
3. Data sharing: The charities were part of a data sharing scheme with other charities, through which personal data was swapped in order to target individuals who had donated to other causes. The ICO found that the charities’ opt-out provisions were not clear enough to cover these practices.
The Information Commissioner, Elizabeth Denham, said: “The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough. And they will be upset to discover that charities abused their trust to target them for even more money… Our investigations suggest that the activities… are also being carried out by some other charities.”
The RSPCA and the British Heart Foundation were fined £25,000 and £18,000 respectively, though these fines could have been up to ten times higher. The Information Commissioner exercised her discretion in significantly reducing the fines because, amongst other things: (i) there was a risk of causing further distress to donors (whose monies would inevitably be used to pay the fines), (ii) ongoing investigations in the charity sector may lead to further fines, and (iii) the charities are likely to be ‘punished’ through the likely reputational damage.
The two cases serve as an example of how data protection laws seek to protect the public, as well as the real (and potentially much more costly) consequences for data controllers who break those laws.