ICO finds ‘areas for improvement’ after audit of eight charities

03 Sep 2018 News

Anulka Clarke, ICO head of assurance (audit and international transfers)

The Information Commissioner’s Office has called for improvements in incident reporting, consent and data sharing, and monitoring and reporting, as it publishes the findings of audits at eight charities that took part in voluntary risk reviews. 

The report identifies areas of good practice at the charities audited, as well as areas for improvement. The report followed the ICO’s enforcement against 13 charities in December 2016 and April 2017. 

The eight charities audited have not been named, but the ICO said that none were among the 13 previously fined. An ICO spokesperson said the eight charities were “organisations where concerns about data practices were identified during our investigation into the sector between 2015 and 2017” but that “these concerns were not sufficiently serious to warrant a financial penalty”.

The ICO said that as a demonstration of their commitment to improving their practices, the eight charities agreed to let the ICO come in and audit their practices around data protection and direct marketing. It said that this also helped demonstrate that the “ICO’s engagement with charities was not just about fines and enforcement but to encourage genuine, ongoing improvements in the wider sector”.

The audit report compared the findings with those from 25 advisory visits the ICO carried out at smaller charities during 2017/18.

The review was completed under the previous Data Protection Act 2018, which concerned eight principles of good information handling, but has been updated to include GDPR recommendations where “long term actions were appropriate”.

The ICO Assurance Department conducted audits at the charities’ head offices between December 2017 and February 2018.

Areas for improvement

The report outlined several areas for improvement. These included improvements in areas of monitoring and reporting, training, consent and incident reporting. 

It said that the majority of charities visited “did not undertake any routine data protection or direct marketing policy compliance checks” and “compliance checks on data processors were also inconsistent with only three carrying out routine checks”.

The report said that only two charities visited had a “consistent and co-ordinated approach to fair processing notices” and most did not have “any kind of sign-off process and as a result they varied in content and quality”.

It said that although there was mostly good awareness among staff of how to report an incident, “most charities visited did not have documented reporting procedures in place”.

It also found that the majority of charities visited were retaining personal data for far longer than was necessary, in some cases indefinitely, and that some charities’ IT systems did not allow for permanent deletion of records.

Areas of good practice

The review also outlined areas of good practice, which included that “all charities had clear governance structures in place with delegated responsibility from the board down”.

It found that most charities had moved to an opt-in approach to consent for marketing. Of these, “most were also using opt-in for postal marketing with the rest relying on legitimate interests for postal marketing. Consent was granular, providing separate check-boxes for each type of communication, ie phone, email, SMS”.

Anulka Clarke, ICO head of assurance (audit and international transfers), said: “This project identified many areas of good practice at charities, along with some areas of concern. 

“We will continue to work with the sector to further increase public trust and confidence for the benefit of charities and their donors.”  

The ICO said it plans more work in the coming months to further encourage improvements in the charity sector. 
