One of the major risks faced by UK charities is loss of data. “Loss” includes wrongful transfer, disclosure, corruption, or deletion of data, or wrongful access to data. Charities often hold large amounts of personal data, some of which is particularly sensitive. It may relate to donors or supporters, beneficiaries or service users (including children and vulnerable adults) and their families, carers, staff, or volunteers of the charity. The range of personal data held by charities is often very broad. For example, it often includes bank details, details of donations made, contact details (home or email addresses, phone numbers), dates of birth, information about mental or physical health, or care needs.
How Does Loss of Data Occur?
There are numerous ways in which data may be lost. For example:
- loss or theft of a laptop or memory stick containing unencrypted personal details;
- hacking into IT systems to obtain such details;
- hacking or a virus attack which corrupts or erases data, e.g. ransomware which in effect locks up data until a ransom is paid;
- leaving paper documents in places accessible to thieves;
- unauthorised disclosure by staff or volunteers;
- IT system breakdown or destruction where there is no data backup or disaster recovery facility;
- staff responding to forged emails purporting to come from a legitimate source.
There have been some high-profile cases of personal data loss. A break-in took place at the premises of the children’s charity Plan UK in November 2015, when five servers containing data including supporters’ contact and bank information were stolen, although in this case it would have been very difficult for the thieves to extract that data. In March 2012, a hacker broke into the IT systems of the British Pregnancy Advisory Service and obtained sensitive personal data about their clients. In January 2016, volunteers at The Alzheimer’s Society used personal email addresses to receive and share sensitive information about clients of the charity, stored unencrypted data on their home computers, and failed to keep paper records locked away. The Society’s volunteers had not been trained in data protection, did not understand charity policies and procedures, and had little supervision. The Society also suffered a hacking incident in 2015, and in 2010 unencrypted laptops were stolen from its premises. In 2011, a social worker at the charity Norwood Ravenswood left a detailed paper report about four children at the side of a house in London after attempting to deliver it to the children’s prospective adoptive parents, and the report was stolen.
What Are the Consequences of Data Loss?
Loss may impact the charity’s own activities, for example, where a database of individuals’ details is deleted or corrupted, and the charity has no other record of them to use as a backup. Alternatively, loss may adversely impact the individuals who are the subject of data held by the charity, for example, where an unauthorised third party gains possession of the data. Apart from the direct financial cost (and other effects) of recovering from its data security being compromised, a charity is likely to suffer damage to its reputation, and that may have an adverse impact on the level of donations and on the trust of donors, supporters, volunteers, and beneficiaries. Possible indirect effects include substantial fines being imposed by the Information Commissioner’s Office (ICO) where the charity is in breach of data protection legislation – the ICO is no longer reluctant to issue substantial fines to charities just because they are charities.
Increasing Risk of Data Security Breaches
It is clear that the risk of data falling into the wrong hands is prevalent and has been rising significantly over the past few years, both for charities as well as other organisations. Although the ransomware attacks in 2017 did not appear to target charities, experts think they could well be prime targets in future because of the large amount of sensitive stakeholder data that they hold – they often hold more sensitive data than other organisations, and personal data is often a saleable commodity. Charities are often seen as easy targets partly because they, more than larger commercial organisations, often lack the resources and expertise to guard against security breaches.
The new requirements of the General Data Protection Regulation (GDPR), which comes into force in May 2018, reflect the degree to which a data breach is now regarded as a very serious issue. In particular the GDPR will require any organisation suffering a breach of personal data to report it to the ICO without undue delay unless it is unlikely to result in a risk to the rights of individuals.
How Can My Charity Prevent Data Loss?
It appears from a Third Sector Insight survey, conducted in 2016, that the majority of charities are not sufficiently well protected against loss of personal data. So, what steps do charity trustees need to take to improve the security of personal data? Here are some measures that might be implemented:
- Review (“audit”) the activities of your organisation, identify weak spots, assess the risks and take steps to mitigate them.
- Adopt a data protection and handling policy. Not only will this assist your charity to comply with the law, it will also confer a range of other benefits: adopting and implementing an effective data policy within a charity will protect your charity’s reputation, while also increasing donor, supporter, and volunteer confidence in the running of the charity. It will also, by making sure all information is kept accurate, save your charity time and money when you market to your fundraising base.
- Appoint a Data Protection Officer to take responsibility for GDPR compliance.
- Have procedures to detect, report, and investigate a personal data breach.
- Make sure that all charity staff and volunteers are fully trained so that they understand their legal obligations (i.e. under the Data Protection Act (DPA), and, when the GDPR comes into force, both the GDPR and the parts of the DPA not repealed at that time). Training should be appropriate to ensure that they know in practical terms what they must do to comply with the law. For this purpose, you should adopt and implement procedures and organisational measures designed to meet the requirements of the legislation. New employees and volunteers should receive data protection training to explain how they should handle, store and transfer personal data. Existing employees and volunteers should be provided with refresher training every couple of years.
- Make sure you use strong passwords on files and portable devices: a weak, easily guessable password is very poor protection for personal information. Use combinations of upper- and lower-case letters, numbers and (where possible) symbols in passwords (if you want to see how long it would take a computer to crack your password, try it out at How Secure Is My Password?).
- Encrypt laptops, backup discs, USB memory sticks, and any other portable devices or media. Also consider installing a remote ‘wiping’ solution that will erase the hard drive of a device in the event that it is stolen.
- Consider whether your IT servers (including email) and connected devices (on or off site) are as secure from unauthorised access as they reasonably can be.
- Look at what data (in electronic or hard copy form) might be lost in transit or when staff and volunteers work remotely (e.g. at home), and ensure that your data policy and procedures extend to how they should deal with data not kept at all times within the charity’s office.
- Ensure that when data leaves your charity, the most secure means is used (for example, use VPNs for electronic data and couriers for hard copies).
- Only keep data for as long as necessary. Make sure your charity has established retention periods and has put a process in place whereby personal information is deleted when it is no longer required.
- Implement a system to update information. If you can, ask those whose details are on your database to check and update those details. You can do this via email or by checking their details if they telephone you.
- Make sure that your premises (and the physical records and IT equipment there) are secure, that there are proper controls over who comes into the building, and that you know who (including staff, volunteers, cleaners, visitors) is able to enter, and does enter, your premises.
- If you outsource data storage to specialists (larger charities may need to do so), then first check their data protection policies and credentials to ensure that they are trustworthy.
- If you store personal or other data on your own systems (i.e. you do not use third party systems), then you would be well advised to back up your data frequently on separate media or secure cloud storage.
- Adopt a data and/or disaster recovery plan, and consider including, as part of that plan, arranging for third party backup data centre facilities to be available so that you can recover data if you suffer an IT failure, data corruption, or a hacking incident.
What Are Your Experiences?
Are you a trustee or employee of a UK charity? Do you think your charity is well protected from a potential data breach? Does your charity follow the recommendations we have set out above? Has your organisation suffered a loss of data, and what was the result? What should have been done to prevent that loss?
We are, as always, keen to hear your views.