British Charities Hit By Hundreds of Data Breaches

British charities are failing to comply with laws designed to protect staff, supporters and resources from data security breaches.

Figures released by the Information Commissioner’s Office (ICO) have revealed that there have been more than 400 separate breaches over the course of the last 12 months.

Three-quarters were due to administrative errors as opposed to the deliberate efforts of criminals.

Since the introduction of a new and more rigorous data law – the General Data Protection Regulation (GDPR) – in 2018, organisations failing to provide adequate security for personal data can be hit with steep fines.

Yet Laura Wilkinson, an Associate Solicitor with JMW Solicitors, has described how the ICO figures suggest some charities are still not fully aware of their responsibilities.

“Ensuring that personal data is properly protected is a legal obligation not just an administrative courtesy.

“However, it would appear that many charities are still struggling to come to terms with their responsibilities under GDPR and the Data Protection Act.

“In the lead up to the introduction of the new law, there was an extensive campaign to educate organisations in the public, private and the charitable sectors about what was expected of them.

“There is arguably no excuse for failing to secure personal data against unauthorised, unlawful or accidental loss. Nor is there an excuse for failing to report whatever data breaches occur to the proper regulatory bodies.

“Data breaches can have a range of adverse effects on individuals, including distress and increasing the risk of fraud or financial loss.

“The fact that so many of the incidents logged by the Information Commissioner’s Office are due to the action or inaction of charities themselves, their employees or volunteers rather than down to malicious outsiders will be bitterly disappointing, particularly to those people whose data is entrusted to charities.”

The statistics made available by the ICO show that there were 447 data breaches involving UK charities in the 12 months to the end of March.

Twenty four per cent of those were classed as cyber security incidents with the rest due to administrative error.

They included 90 cases in which electronic devices or documents containing personal data were either lost or stolen or left in an unsecure location. A further 75 breaches saw data being sent to the wrong person by post, e-mail or fax.

Ms Wilkinson said that the ICO figures represented “a reason for some concern”, given that they follow an anonymised Government cyber crime survey in which charities themselves acknowledged that they were failing to follow the rules on data protection.

More than 300 charities were among a total of 1,348 organisations which took part in the Cyber Security Breaches Survey, the findings from which were published in late March.

Despite one-fifth (22 percent) of the charities involved admitting having been hacked or targeted by viruses and fraudulent e-mails at least once a week, less than half (42 percent) of the groups affected acknowledged having either kept a formal record of the “most disruptive” incidents or informing external authorities such as the police.

Even though the breaches often resulted in the loss of money and personal data as well as affecting the operation of essential computer systems, only two-thirds of charities stated that they had rules in place regarding the secure storage and movement of personal data.

That research in turn echoed the main points of a study conducted by the Charity Commission last year which founded that although 15 per cent of charities suffered data loss due to cyber attacks, only 13 per cent informed the regulator. Thirty-two per cent failed to report incidents to any external body at all.

All organisations, including charities, businesses and public sector bodies, are required to abide by the terms of GDPR and the Data Protection Act 2018.

Data protection law stipulates that personal data should be handled in a way which protects against “unauthorised or unlawful processing and against accidental loss, destruction or damage”.

Failure to do so leaves offenders open to what the ICO describes as “the highest tier of administrative fines”, totalling up to €20 million or four per cent of an organisation’s global annual turnover, “whichever is higher”.

Ms Wilkinson claimed that even the threat of stiff penalties appeared not to be working.

“As many other organisations have found to their cost, data breaches can have a significant impact on their revenues as well as their reputations.

“However, reputational damage should never be the priority when breaches occur. There are clear instructions about what needs to happen.

“If a data breach presents a risk to people’s rights or freedoms, then it has to be reported to the ICO within 72 hours of an organisation becoming aware of it. Even if that step isn’t thought necessary due to the individual circumstance of a breach, that decision has to be documented along with the facts relating to the breach itself.

“Furthermore, if it is thought likely to create a high risk to individuals’ rights or freedoms then an organisation’s data controller has an obligation to inform all those people affected without any undue delay.

“The Government’s research indicates that’s simply not being done on the ground. It’s impossible to say whether this is the result of charities not concentrating sufficiently on data protection now that GDPR is no longer in the news or whether those bodies whose cases are included in these figures believed that the breaches which they suffered did not affect the rights of others.

“Whatever the reason, failing to follow the rules can undermine public trust in charities, something which is a critical factor for organisations that rely so heavily on people’s goodwill and support.”

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Find Out More