This recent case report from the Information Commissioner's Office (ICO) makes grim reading for the charity involved. In essence, the ICO's investigation found multiple breaches of UK Data Protection legislation by the charity. The ICO held that, despite a number of UK charities not being required to register with the ICO, there remained an inherent requirement on all charities to comply with UK Data Protection laws from an internal standpoint.
In this particular case the charity involved, Mermaids, was criticised for inadequate policies, poor staff training and that very modern challenge of secure online information and emailing. It should not be underestimated how damaging such a high-profile formal reprimand from the ICO can be for a charity and its ability to function effectively going forward. In the short term there is the ICO's fine to be paid from charity resources (£25,000 in this case and in itself perhaps galling to donors), and in the longer term both current and potential beneficiaries will need to be reassured that their most sensitive personal data will be treated with the utmost level of confidentiality and security that it deserves.
It is pleasing to note that the charity involved has now made significant improvements to its data protection policies and that its trustees are treating this topic with the importance it warrants. However, it may well be that the damage to Mermaids' public profile will take longer to remedy.
“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”