Here are the questions you need to ask to ensure you're handling your supporters’ data securely, says Russell Hargrave
UK charities have had a tricky few months, to say the least.
They have endured a succession of front page headlines and accusations. The voluntary sector has been quick—possibly too quick—to dismiss much of it as innuendo or inaccurate. But along the way some pretty unsavoury practices have been exposed. The way charities fundraise has come under sustained scrutiny, along with the amount some pay their staff and, more recently, the way they use the data of their supporters.
As the sector works out the best way to put right what has gone wrong and reassure its supporters, NPC has a word of warning. As we emphasised in a new paper last month, charities shouldn’t retreat from collecting and using data.
Now is not the time to run scared. Data is central to everything we do—you may as well try and withdraw from modern life.
The Data Protection Act (DPA), enshrined in British law since 1998, can help charities understand how to handle personal information securely. Based on these guidelines, there are some simple questions on data that charities should be able to answer:
Where is your data held?
Charities have access to tonnes of data, some of it quite sensitive. They need to know where that data is stored and how securely.
Can you tell people what you’re going to do with their data?
Under the DPA, the subjects of data are entitled to know who controls it and for what purposes. If a charity collects data as part of service delivery, for example, it will need consent before using it as part of fundraising.
Do you really need this data?
Hoarding is a bad idea, and can get your charity into trouble. If you don’t need it, delete it.
Are you holding the data too long?
The DPA doesn’t say how long you should keep personal data, but charities can make a sensible judgment call. If in any doubt, the Information Commissioner’s Office (ICO) outlines lots of ways to delete data appropriately.
Are your records up to date?
It is essential to update your records as and when changes occur. And if a client disputes the information you hold, you can’t ignore it—either delete the record or add a note making this dispute clear.
How would people feel about what you’re doing?
The use of individual data in direct marketing is strongly protected under the Privacy in Electronic Communications Regulations. Above all, people who trust your charity need to know it is transparent about its intentions and will respect consent given or refused.
Do your staff know what to do?
If staff mishandle private data, they risk getting the charity into serious trouble. For example, no one should take large amounts of personal data out of the office. It is a recipe for disaster.
Is your data even in the country?
With the advent of cloud computing, data isn’t necessarily stored in the same country as the charity. Data can only be transferred outside the European Economic Area if it is to a country with adequate levels of data protection.
Where is there more information?
There is absolutely no substitute for understanding the DPA in full. The Small Charities Coalition provides a list of organisations that can help navigate these questions, as does the ICO website. Charities should use them.
Russell Hargrave is media manager at NPC