Some senior figures in the charity sector have sought to deal with the Information Commissioner’s recent enforcement against the RSPCA and the British Heart Foundation by suggesting that the ICO’s action is disproportionate and unfair. The
fundraiser sorry, academic, Ian MacQuillin has written two blogs which touch on the theme, while a few days ago, Robert Meadowcroft, the Chief Executive of Muscular Dystrophy UK tweeted:
As 2016 is now disappearing over the horizon, I thought it was worth testing the hypothesis that the ICO is taking disproportionate action against charities, and the fines and other enforcement against charities are unrepresentative. TL:DR – it’s complete nonsense.
In 2016, the ICO issued 34 civil monetary penalties – 11 under the Data Protection Act, and 23 under the Privacy and Electronic Communications Regulations (PECR). There are a number of different ways of looking at the figures, and none of them show any evidence of disproportionality.
1) Charity CMPs as a proportion of the total in 2016
Of the 34 penalties, 2 were against charities, so 6% of the ICO’s CMPs in 2016 were against charities.
2) Amount charities were fined, as a proportion of the total in 2016
The CMP total was £3,225,500. The total of CMPs issued against charities was £43,000. This is 1.3% of the total.
3) Proportion of Data Protection CMPs issued to charities in 2016
If you look only at the CMPs issued under Data Protection, the charity proportion is not insignificant – there were 11 DP CMPs, so the 2 charity CMPs are 18% of the total – the same as the police, 1 more than councils, but less than the private sector or the NHS (3 each). However, this is the only comparison where charities feature significantly, and they are not the dominant sector. The next two comparisons are also instructive.
4) Proportion of PECR CMPs issued to charities in 2016
None. This is despite widespread breaches of PECR by charities, including phoning donors who are on TPS and sending texts and emails without consent (for example, the vast majority of mobile numbers gathered via charity posters in 2016 were obtained in breach of PECR).
5) Proportion of CMPs issued for marketing related activities in 2o16
There were 21 PECR CMPs related to marketing, and 2 DP CMPs related to marketing, making 23 marketing CMPs in all. 2 were against charities, which is 9.5% of the total. Given the big charities’ disastrous approach to marketing, this relatively small number is astonishing.
6) Level of CMPs in 2016
The average DP CMP was £108,500; the average charity DP CMP was £21,500.
The average PECR CMP was £84,666.75; there were no charity PECR CMPs.
The highest DP CMP was £400,000; the highest charity DP CMP was £25,000.
7) Other enforcement in 2016
There were 22 enforcement notices issued by the ICO in 2016, 8 under DP and 14 under PECR. 1 of the 8 DP enforcement notices was against a charity, which is 4.5% of the total, or 12.5% of the total DP enforcement notices. Either way, it is a small percentage of the total. Again, if you count the number of marketing related enforcement notices, there were 15, of which 1 was against a charity. This is 6.6% of the total.
8) CMPs since 2010
There have been 69 DP CMPs since 2010 that I can find (they drop off the ICO’s website after a few years); 4 were issued against registered charities, which is 5.8% of the total. The average DP CMP was £114, 163, whereas the average charity was £78,250. It is worth noting that these figures are slightly skewed by the £200,000 penalty against the British Pregnancy Advisory Service, which is a registered charity but receives most of its funding from the NHS.
The CMP against the British Heart Foundation was the 8th lowest CMP overall, while the CMP against the RSPCA was the 9th lowest. The only organisations to receive lower penalties than the charities were small businesses, unincorporated associations, and a bankrupt lawyer.
There have been 47 PECR CMPs that I can find since 2012; none have been issued on charities, which is 0% of the total.
These figures will likely be different in 2017. The ICO has signalled that more DP enforcement against charities is coming, and so the proportion of DP penalties may rise when the totals are in, but that depends on a variety of different factors including the number of other penalties and the ICO’s general approach. However, when you look at the facts for 2016, MacQuillin and Meadowcroft are wrong. Despite years of ignoring the Data Protection and PECR requirements in favour of a flawed, fundraiser-driven approach, the ICO has not taken disproportionate action against the charities. The action taken is a small percentage of the overall total. Special pleading and blame-shifting will not help the sector. Compliance with the law will.