What your charity needs to know about data protection

What your charity needs to know about data protection

The likelihood is that your charity holds a significant amount of data about individuals, even if your charity's purpose is for a non-humanitarian cause.

Data stored about these people in relation to your charity is extremely likely to be 'personal' data, as defined by the Data Protection Act. In order to comply with legalities, and avoid facing costly fines relating to the misuse or mishandling of confidential data, you must ensure that all information stored by your charity is kept accurate, secure and up-to-date.

What are the legalities?

If you process and hold information about people, such as donors and service users, you are legally obliged to protect that data. Under the Data Protection Act, you must:

  • Only collect information when you need it for a specific reason
  • Keep it private
  • Only hold as much information as you need
  • Keep it for only as long as you need it
  • Allow the subject of the data to see it whenever requested

The ICO provides further guidance for charities, including a free one day data protection review.

How can I enhance data protection?

  • Be transparent about what you intend to do with peoples' data: they should know who it is going to be shared with and how it will be used. They also have the right to correct any information if it's wrong. If you obtain information by saying it is for a specific purpose, this is the only purpose it can be used for. For example, you wouldn't be able to send a fundraising request to someone who has provided their email address solely to receive a newsletter.
  • Ensure all staff are fully trained. New employees should receive data protection training to explain how they should handle and store personal data. Existing staff should also be provided with refresher training every couple of years.
  • Make sure you have a strong password on files and portable devices: why go to efforts to protect personal information if you have a password that is easy to guess? Use symbols and lower and upper case letters.
  • Encrypt laptops, backup disks and any portable devices. Also consider installing a remote 'wiping' solution that will delete your hard drive in the event it is stolen.
  • Only keep data for as long as necessary. Make sure your charity has established retention periods and has put a process in place whereby personal information is deleted when it is no longer required.
  • Put a system in place for updating information. If possible, ask individuals on the database to take a moment to check and update their records. This can be done via email or by checking the person's details if they telephone your charity.
  • For larger organisations, it may be necessary to outsource data storage to specialists. Check their data protection policies and credentials to ensure they are trustworthy.

What are the benefits of an effective data handling policy?

Handling information safely makes good business sense, and can bring a range of benefits. You will protect your charity's reputation, increase donors' and volunteers' confidence in the running of your organisation, and - by making sure all information is kept accurate - save both time and money when marketing to your fundraising base.


Charity insurance from £3 a month