Charities Bulletin – March 2010
Fines could now be imposed for serious Data Protection Act (DPA) breaches
The Ministry of Justice (MoJ) recently introduced legislation which gives the Information Commissioner the power to impose fines of up to £500,000 for serious breaches of the Data Protection Act (DPA). We ask how this affects charities in the UK.
Before sanctioning a financial penalty, the Information Commissioner must be satisfied that the data controller contravened the DPA deliberately or knew that there was a risk the contravention would occur and that it would be likely to cause substantial damage, yet failed to act accordingly to prevent this from happening.
Can your charity be fined?
There is no general exemption for charities. The need for charities to store data securely was highlighted earlier this year when the Information Commissioner took enforcement action against the Alzheimer's Society following the loss of data held on laptops which were stolen in a burglary.
A charity could face a significant financial penalty if it does not implement appropriate policies on data protection and information security, together with appropriate procedures to follow if sensitive data is subsequently disclosed to the public. There are a number of steps you can take to reduce the risk of breaching the DPA and therefore of facing a fine.
How can you prevent your charity from breaching the Data Protection Act?
It is important to ask yourself three questions to begin with:
- Are you aware of what data the charity holds, what form it is in, where it is held and who has access to such data?
- Does your charity need and use all the data it holds?
- How is the data transported?
Having established the answers to these three questions, you will be able to identify the steps your charity can take to comply with the rules on data protection and confidentiality. Those steps may include the following:
- Encryption: ensure encryption is used on all devices and documents, protected by a strong password (which should be changed frequently).
- Induction and Training: ensure that all employees and volunteers have received an induction with regard to the data security program and that they understand the requirements of the Data Protection Act and associated policies and procedures.
- Identify problem areas: review the organisation's procedures, with professional support where necessary, and identify areas where there is a particular risk which could result in unauthorised access, use or disclosure of personal information.
- Testing: test the data security program regularly to ensure that unauthorised users cannot gain access to such information and, if any problems are identified, update the systems accordingly.
For more information on data protection:
- See the plain English guide issued by the Information Commissioner's Office
- Contact Shivaji Shiva or your usual contact at Michelmores
Shivaji Shiva is Head of Charities & Social Enterprise at Michelmores. For more information on the issues raised in this article, please contact Shivaji at shivaji.shiva@michelmores.com or on 01392 688688.