Charities are not as immune as some people think from data protection regulation. Data protection legislation requires that most organisations that hold or process personal data must notify the Information Commissioner’s Office. Failure to notify is a criminal offence. There is an exemption from this for charities, but it by no means applies to all charities: it is a relatively narrow exemption.
For a charity to qualify for the exemption:- ·
- The data processing must be only for the purposes of establishing or maintaining membership, providing or administering activities for either the members or those in regular contact with the organisation, or supporting another not-for-profit body;
- The data processed must only relate to those people necessary for this purpose; past, existing or prospective members, or those who have regular contact with the organisation (regular contact does not have to mean frequent);
- There are also specific and narrow conditions concerning the type of data you can hold, and how long you can hold it for, allowing only that which is necessary for the exempt purpose.
So, for example, the following situations would mean a charity must notify for data protection purposes:
- A charity which holds data of beneficiaries of one-off grants, if it does not have regular contact with the beneficiaries;
- A charity which holds data of supporters of an event, if it does not then have regular contact with those people.
Also note that if a charity has situations which come within the exemption, such as holding data regarding beneficiaries of the services it provides, and also situations which do not come within the exemptions, such as the examples given above, then the exemption will not apply and the charity must notify.
For a clear picture of whether you qualify for the exemption, take the ICO’s Self-Assessment online questionnaire here.
The notification process is relatively simple, and costs only £35 per year, unless you are either an organisation with a turn over of more than £29.5 million and more than 250 staff or a public organisation with more than 250 staff (the fee then rises to £500pa).
Those charities who currently do not notify, and are still unsure whether they are exempt, would be well advised to balance the risk of criminal sanctions, namely fines imposed by the ICO, against the relatively easy and cheap process of notifying the ICO.
If you have any questions as regards data protection matters, please contact Chris Knight on 01604 463103 or ChrisKnight@hewitsons.com