Lessons learnt from ICO audits of Charities

In late 2018 the Information Commissioner’s Office (ICO) published its findings from audits of several charities that had volunteered for audit during 2017-18. The ICO also states that it has added key findings from 25 advisory visits (AVs) to smaller charities completed over the same period. So, while this is not a sample of hundreds of charities, it is a reasonable number from which to draw some conclusions.

Let us start with the positives. The ICO reports that, among the charities it audited, it found good practice in the following areas:

  • Governance structures & Working Groups
  • DPO appointments
  • Data audits (either underway or completed)
  • Policies (with at least half having refreshed policies signed off by senior management)
  • Compliance reporting & monitoring
  • Training
  • Consent & Marketing consent management
  • Privacy statements
  • Data Sharing
  • Secure destruction
  • Rights management (focused on right to erasure)

Given the timing of the audits, the findings support the conclusion that most of the charities had completed the ‘low hanging fruit’ of a GDPR implementation programme. Updating policies and procedures, ensuring secure destruction, stopping the sharing of marketing data, appointing a DPO, training and governance are (depending on the context of the organisation) the relatively ‘easier’ things to implement.

The ICO then goes on to outline the areas for improvement it found, grouped under Governance, Policies & Procedures, Monitoring & Reporting, Training, Consent, Fair Processing & Data Sharing, Business Continuity, Incident Reporting and Retention & Disposal.

In summary, the ICO found the following key things:

  1. Key Performance Indicators were not in place for IG-related tasks and obligations
  2. Policies and procedures were missing, poorly managed, inconsistent or not communicated to staff
  3. Compliance checks on internal or external operations were rarely carried out
  4. Induction and ongoing training were poor or non-existent. 19 of the 25 charities had no induction or refresher training programmes in place
  5. Consent was not managed consistently, and neither were privacy notices
  6. Only 2 charities had deployed DPIAs; the others either had nothing or were still developing a process
  7. Most charities had no contracts, or inadequate ones, in place with third-party processors
  8. Several charities did not have effective business continuity controls in place
  9. Incidents were not logged or risk-ranked, and there was no documented incident management process or procedure to support them

One of the areas the ICO commented on most was Retention and Disposal. Quoting directly from the report, the ICO made the following observations:

  • The majority of charities we visited were retaining personal data for far longer than was necessary, in some cases indefinitely. Some of this was due to poor records management, and some due to retaining data in case it may be useful in the future (for example, to trace a legacy gift to a previous supporter.)

  • Not all charities visited had retention and disposal documented in either a retention, confidential waste, or records management policy.

  • In most cases the retention and disposal of records was not being actively managed, and nobody had been allocated specific responsibility for weeding and disposing of records.

  • In some cases IT systems did not allow for permanent deletion of records. As well as resulting in them keeping records for longer than is necessary, this also means these charities will not be able to comply with an individual’s ‘right to erasure’ under GDPR.

  • Where third party confidential waste companies were used, contracts were not always in place. Where contracts did exist, they did not always include the right for the charity to carry out compliance checks, and there was no record of any such checks being carried out on third party providers. This was mirrored by the findings of the charity AVs.

  • Most did not keep any kind of information disposal log to record what information had been deleted in line with the retention schedule.

The AVs show that 16 of the 25 charities visited did not have retention schedules in place, or were not adhering to them.

Most charities audited were not, and had not been, doing effective records management. Indeed, based on the comments above, it would appear that they were not doing even basic records management.
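As an added example (not from the ICO report or the IRMS/Protecture toolkit), the script below shows the minimum that the retention findings above call for in practice: a documented retention schedule applied to records, a disposal log recording what was deleted and why, an explicit flag for records that have no retention rule and would otherwise be kept indefinitely, a legal hold that stops scheduled disposal, and an erasure request handled through the same log. The record types, retention periods and sample records are constructed for illustration only and are not legal guidance; the function and class names are my own.

```python
"""Retention-schedule check with a disposal log (added example, not the ICO's
or the IRMS toolkit's code). Schedule, record types and sample records are
constructed for illustration and are not legal advice."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule: record type -> retention period in days,
# counted from the record's trigger date (e.g. end of the relationship).
# A type missing from this table has no rule, i.e. indefinite retention,
# which is exactly the failure mode the ICO found.
RETENTION_SCHEDULE = {
    "donor_record": 6 * 365,
    "gift_aid_declaration": 6 * 365,
    "volunteer_application": 1 * 365,
    "marketing_consent": 2 * 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    trigger_date: date        # date the retention clock starts
    legal_hold: bool = False  # e.g. subject to an open complaint or litigation


@dataclass(frozen=True)
class DisposalLogEntry:
    record_id: str
    record_type: str
    disposed_on: date
    reason: str


def disposal_due(record: Record, schedule=RETENTION_SCHEDULE) -> Optional[date]:
    """Date the record becomes due for disposal, or None if its type has no rule."""
    days = schedule.get(record.record_type)
    if days is None:
        return None
    return record.trigger_date + timedelta(days=days)


def apply_schedule(records, today: date, schedule=RETENTION_SCHEDULE):
    """Apply the schedule as of `today`.

    Returns (disposal_log, kept, unscheduled):
      disposal_log - one entry per record whose retention period has expired
      kept         - records still within their period, or under legal hold
      unscheduled  - records with no retention rule (flag these for review;
                     they would otherwise be retained indefinitely)
    """
    disposal_log, kept, unscheduled = [], [], []
    for r in records:
        due = disposal_due(r, schedule)
        if due is None:
            unscheduled.append(r)
        elif r.legal_hold or due > today:
            kept.append(r)
        else:
            disposal_log.append(DisposalLogEntry(
                r.record_id, r.record_type, today,
                f"retention period expired on {due.isoformat()}"))
    return disposal_log, kept, unscheduled


def erase_on_request(records, record_id: str, today: date):
    """Handle a data-subject erasure request through the same disposal log.

    Returns (log_entry, remaining_records). The entry is None if the record
    was not found or is under legal hold. Legal hold is the only exemption
    modelled here; the real Article 17(3) exemptions need case-by-case review.
    """
    remaining = [r for r in records if r.record_id != record_id]
    target = next((r for r in records if r.record_id == record_id), None)
    if target is None or target.legal_hold:
        return None, list(records)
    entry = DisposalLogEntry(target.record_id, target.record_type, today,
                             "erased on data subject request")
    return entry, remaining


# Constructed sample data for the run below.
TODAY = date(2019, 1, 15)
SAMPLE_RECORDS = [
    Record("D-001", "donor_record", date(2011, 3, 1)),                   # expired
    Record("D-002", "donor_record", date(2016, 6, 1), legal_hold=True),  # held
    Record("G-003", "gift_aid_declaration", date(2010, 1, 1), legal_hold=True),
    Record("V-004", "volunteer_application", date(2018, 9, 1)),          # in period
    Record("M-005", "marketing_consent", date(2016, 12, 1)),             # expired
    Record("X-006", "legacy_enquiry", date(2005, 1, 1)),                 # no rule
]

if __name__ == "__main__":
    log, kept, unscheduled = apply_schedule(SAMPLE_RECORDS, TODAY)
    for e in log:
        print(f"DISPOSE {e.record_id} ({e.record_type}): {e.reason}")
    for r in unscheduled:
        print(f"REVIEW  {r.record_id}: no retention rule for '{r.record_type}'")
    entry, _ = erase_on_request(kept, "V-004", TODAY)
    print(f"ERASE   {entry.record_id}: {entry.reason}")
```

The two lists a charity could not produce in the ICO's findings are the outputs here: the disposal log answers "what was deleted, when and why", and the unscheduled list is the backlog of record types that need a rule before anything else is done. Records a system cannot actually delete would still show up in the log as disposed, so the log is only as honest as the deletion behind it.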

The Information & Records Management Society (IRMS) has developed, with Protecture Limited, a Retention and Disposal Toolkit for use in the third sector. It outlines the basics of records management for charities and provides templates, including a template retention schedule for the various charity-related record types. Many charities, especially those of small or medium size or income, struggle to get a handle on Information Governance (IG), as IG takes time and resources to get right. However, with the right guidance and access to the right resources, charities of all sizes can benefit from getting to grips with how they handle and manage their records and information.

If you work in a charity or not-for-profit organisation, there are a number of low-cost things that can help you manage data protection and your wider Information Governance requirements. These include:

Charities in Essex can also make use of some local resources, including:
