The Data Protection Act 1998 (the “DPA”) regulates the collection and use of personal information relating to individuals and it is particularly relevant to charities as they often maintain sizeable databases and record the details of donors.
What is personal data?
The DPA applies to personal information which is stored on a computer or in some manual records. Charities may, for example, hold personal information including names, addresses, telephone numbers, job titles, dates of birth of employees, volunteers, donors and beneficiaries (“Personal Data”).
This article does not deal with the processing of “Sensitive Personal Data” (e.g. information on an individual’s: race; political opinions; health; sexual life; religious and other similar beliefs; trade union membership; criminal records). It is worth noting, however, that there are stricter requirements when an organisation deals with such information.
Who is the data controller?
The DPA applies to all persons (including companies) who determine the purposes for which, and the manner in which, any Personal Data is processed (the “Data Controller”). “Processing” is defined very broadly and includes obtaining, recording, holding, using, disclosing or erasing that information.
Obligations of a data controller
1. You must notify the ICO (unless exempt); and
2. You must comply with the data protection principles.
Before carrying out any processing, a Data Controller must register with the Information Commissioner’s Office (the “ICO”). There is a simple online search facility on the ICO website to check whether a Data Controller is on the register.
The details to be provided on registration include: the name and address of the Data Controller (and any representative); a description of the type of data that is to be processed, the individuals to which that data relates and the purposes for which the data is to be processed; a description of any recipient to whom the Data Controller intends to disclose the data; the names of any countries or territories outside the EEA to which the Data Controller intends to transfer the data; and a general description of the Data Controller’s security measures.
Currently, the initial and annual renewal fee is £500 for large Data Controllers and £35 for all other Data Controllers. Registered charities, however, will always be deemed to fall into the lower tier regardless of their size or turnover.
There is no such thing as a “parent company notification”, which means that each Data Controller within a corporate group must notify. It is also a criminal offence to fail to update register entries within 28 days of any changes occurring to the notified details.
Exemptions to duty to notify
There are a few exemptions to the duty to register with the ICO, however, an exempt Data Controller must still comply with the data protection principles.
Two relevant exemptions are in relation to:
1. Processing Personal Data only for staff administration, advertising, marketing, public relations, accounts and records.
These purposes are seen as the ‘core business purposes’, and the exemption is typically used by small businesses or charities which process Personal Data only for these purposes.
2. Not-for-profit organisations
Such organisations are able to carry out processing for further purposes. To remain exempt, in addition to the purposes noted above, they must only process Personal Data for the purposes of: establishing or maintaining membership; supporting a not-for-profit body or association; or, providing or administering activities for either members or those who have regular contact with it.
This exemption may be useful to some smaller charities who can meet the strict criteria but larger charities with direct marketing campaigns and merchandising operations may be unable to rely on it.
Data Controllers thinking of using an exemption should consult the ICO website and/or their solicitor to ensure that they fall within it. As previously stated, where a Data Controller is exempt from the duty to notify, it will still have to comply with the data protection principles set out below.
Data protection principles
The eight data protection principles are summarised as follows:
Personal Data must:
- Be fairly and lawfully processed;
- Be processed for limited purposes;
- Be adequate and not excessive;
- Be accurate and up to date;
- Not be kept longer than necessary;
- Be processed in line with the data subjects’ rights;
- Be secure; and
- Not be transferred to countries outside the EEA without adequate protection.
As regards “fair and lawful processing”, it is generally advisable to obtain informed consent from the individual (about whom the data relates) in respect of the specific purposes for which their Personal Data is to be used.
An individual has the right to request to be informed whether his Personal Data is being processed by a Data Controller. If it is, the individual also has further rights to:
- A description of the Personal Data held, the purposes for which it is being processed and the recipients or classes of recipients to whom the data may be disclosed.
- Any information available to the Data Controller as to the source of the data (subject to certain stated confidentiality and related protections for individual sources).
The DPA provides that a copy of the data in permanent form must be provided. Data controllers must comply with requests promptly and, in any event, within 40 days from receipt of the request. An administration fee (up to £10) may be charged for responding to such requests.
There are some exceptions to an individual’s right to information; these can include: confidential references, privileged information, and information in relation to third-party sources.
Further guidance on this subject can be found on the Information Commissioner’s Office website (www.ico.gov.uk) and the Charity Commission website (www.charity-commission.gov.uk). Or please do not hesitate to contact us if you have any specific queries.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a limited liability partnership registered in England and Wales (No. OC326366) and is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office: 2 Stone Buildings, Lincoln's Inn, London WC2A 3TH. "Partner" denotes a member of the LLP or an employee or consultant with the equivalent standing. Our privacy notice which we are obliged to give you under the GDPR is available here.