Data Protection For Charities

Rebecca Wells

Authored by Rebecca Wells, Data Protection and Information Governance Manager at Sustrans, a leading charity promoting sustainable travel. Rebecca brings her experience working within the charity sector to this insightful piece. She explores the unique challenges charities face in balancing data protection with supporting vulnerable individuals. Gain valuable insights from a data protection expert dedicated to making a positive social impact.


How Data Protection is Vital for Charities Working with Vulnerable Individuals 

Charities occupy a distinct and sometimes complex space within regulatory compliance. They increasingly bring unique insights and expertise to the delivery of public services for individuals and communities, whilst walking the tightrope of challenging funding landscapes and resource-stretched environments.

Many charities deliver essential support to vulnerable groups of people. Processing personal data within these organisations requires careful consideration of the sensitive nature of the information, the potential impacts on the individual, and the vulnerability of the data subjects themselves.

Ryan Calo, in their publication ‘Privacy, Vulnerability and Affordance,’ explores the difference between making a person vulnerable and exploiting vulnerability, both within the context of processing personal data. This subject can be afforded much in-depth analysis drawing on academic and legal disciplines. But many charities do work with people who are at greater risk of becoming entrenched in those cycles of vulnerability, and they often stand at this intersection with a very direct relationship to the data subject.

Take, for example, a charity working in the criminal justice system or within mental health services: these organisations often provide specific skills to engage with people who historically may have had a fractured relationship with public services or authority. Here, it is common not only to receive very sensitive disclosures, but also to be managing a sometimes precarious environment of trust. That trust takes time and work to build, and the data collected is an extension not only of that individual, but of the context of the relationship. In that tentative first step, the service user may be thinking:

  • Do you know what you’re doing?  
  • What will you use my information for?  
  • Who will you tell? 
  • Am I safe here?  
  • Can I trust you?

Why are we collecting this information?

These questions are reflected in the principles of data protection and in how the potential impact of processing may be assessed. Why are we collecting this information? What is our lawful basis? Who are we sharing it with and why? Do we have the appropriate technical and organisational measures in place? Will we keep it safe? Conversely, it can also be the case that in such environments a vulnerable individual discloses large amounts of sensitive information beyond what is relevant to the intended outcomes of the engagement. Asking these questions plays an important role in navigating that interaction.

However, we risk losing sight of this where data protection becomes something intangible, a dry set of complex regulations that are hard to translate into reality. Is it an arm of IT that involves extra forms? Is it just about ensuring we secure that filing cabinet, or patch that software?

Many data protection professionals quite rightly refer to the problem of the padlock. We’ve all seen examples of it, and many of us are likely guilty of having used it in that slide we needed to illustrate. This image risks reducing data protection to a lock box: if the information is shut away safely enough, then we’ve pretty much done our jobs. It brings to mind the idea of rules, shutting out, maybe even obstruction.

Of course, managing access and security is an essential part of data protection, but it is by no means the only one.

Data protection legislation is very human. It keeps sight of the vulnerability we are all exposed to in this digital age and makes provision for the fact that some people may be more vulnerable than others. The Working Party 29 and the EU GDPR (for example, recital 38 discussing children) acknowledge how high-risk groups may present within these definitions. They also identify the power imbalance between controller and data subject as a way of assessing vulnerability, and state that this should be considered within data protection practices.

Data Protection therefore asks us to look at the individual. It is not enough to provide the padlock. 

As required by the UK GDPR, we should be adhering to the principles of:  
  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Supporting colleagues to do this within charities can be challenging, albeit essential. The impact of unauthorised access to or use of data for vulnerable people can be particularly distressing, and any resulting material or non-material damage can compound existing complex trauma. In some situations, there can also be a significant risk of physical harm. Protecting someone’s location, identity, disclosures or evidence of engagement can have a direct bearing on their safety. This applies not only to external unauthorised access such as a cyber-attack, but to inadequate internal controls too.

Studying trends within a data protection incident log may highlight human error as the root cause of many data breaches. It is when we are tired that we risk using cc instead of bcc. It is when we have been confronted with a harrowing disclosure that we may be distracted. When a charity is resource constrained and roles are stretched, it is easier to miss important steps. Infrastructure can be behind, resources can be scarce, and the environment may be stressful. It is also at these times that data protection risks becoming a bureaucratic side note, when in fact, properly embedded, it serves to manage exactly these situations.

Understanding the space that data protection holds in that reciprocal fostering of trust is a helpful way of disassociating it from a series of paper-pushing exercises.

What are examples of good practice?

This is by no means an exhaustive list, but some overarching considerations include:

Data minimisation and proportionality

Asking whether you really need to collect personal data about a vulnerable service user will help to manage what you are recording.  How could this new record impact the wellbeing of that person?  It can feel counter-intuitive to question the motives of data collection when the overall purpose feels well intentioned.  But it’s important not to overlook it within a charity setting.  Minimising the amount of personal data held reduces risk in other areas, such as data breaches.  But it also ensures we are consistently considering how the questions we ask, or information we record, may impact the privacy and agency of a vulnerable individual.  

This is also relevant for avoiding situations where data protection is cited as a reason not to collect or share information, resulting in a negative outcome for the individual. This is rarely a valid position, and risks both misuse of the legislation and harm to the data subject. This understanding will therefore prompt the right questions to ask during conversations with funders and commissioners. Sometimes for charities, there is a power imbalance there for them as an organisation, too. Understanding how to advocate correctly can facilitate helpful discussions with meaningful outcomes.

Encryption, access controls and infrastructure

Understanding the impacts of how you are storing and sharing personal data, and therefore what needs to be in place to mitigate those risks, is essential. Regularly reviewing and updating procedures, technical measures and permissions is a part of this. Charities will also need to understand what is expected of them by their funders. If they are part of a statutory supply chain in particular, it is important to anticipate where investments may need to be applied.

Training and awareness

In reality, there aren’t always resources available to provide systems that will automate or manage processes to reduce the margin for human error. A charity may, for example, be working in a prison that still uses fax machines, or only be able to access a secure printer when a prison officer is able to log in for them. It is not always obvious how these details interact with data protection until you come across them in conversation, but they can have a significant effect on how you roll out a data protection programme that manages risk well in your charity. In that scenario, asking whether there was a secure printer available wouldn’t have been enough. Therefore, it is essential to deliver plenty of organisation-specific training and to raise awareness around data protection.

In some companies, paper records will largely be a thing of the past; but for many charities there are still lots of physical records stored and created. Ensuring the correct processes around these are understood may mean supplementing training modules, or creating visual office prompts. Where possible, offering a phone call during a Data Protection Impact Assessment (DPIA), for example, can help to expedite the process and uncover nuance. Having strong allies in data protection across the charity can also greatly increase the effectiveness of embedding good practice.

Exercising rights and incident response

Knowing what to do if someone would like to exercise their rights under the UK GDPR, or if something goes wrong, is important. It isn’t always straightforward for charities, and with lots of competing priorities it might not feel pertinent until it happens and panic sets in. That panic is what we want to avoid. A charity may have 3 or 4 funding streams with specific requirements, or it may have 50-60.

Where there are requirements in place, do you understand them? For example, for a case file, it is important to understand who the data controller is for that information, whether there is more than one controller, and what the contractual expectations are for that information. And crucially, how that relates back to the wellbeing of the data subject, and whether they themselves are clear about their rights and who to contact.

Can I trust you?

That poignant question brings us back to the relationship between the charity and the vulnerable individual. It is often an operational colleague who will be setting out in person the expectations of engagement and how support will be provided. Transparency is a cornerstone of data protection, and providing a privacy notice is an essential part of this. But in order to be clear with someone, it must be understood why personal information is being collected, what it is being used for, who it is being shared with, and how it will be managed. Charities sometimes perform an extension of a public service, but don’t have the same lawful bases to rely upon that government bodies do. Therefore, considering the correct lawful basis will also be an important piece of information for the service user.

If you are relying on consent, is that consent valid?  Is there a power imbalance to consider, and does the individual have capacity to meaningfully consent to the use of their information? Crucially, we must then be able to explain this to the individual in language and formatting that will best support their understanding of the process.   

From the bidding stage to delivery and evaluation, charities should be positioning data protection as a fundamental part of their work with service users. The principles they uphold as a charity extend to personal data in this way, whether during the more tangible relationship of, for example, caseworker to client, or when making decisions around which cookies to use on their website. Charities have a duty of care to those most vulnerable, not least in the way they manage their personal information.

Data Protection in the Non-Profit Sector: Balancing Good Deeds with Good Practices – with Rebecca Wells

Join us on Friday, June 21st, from 12:30 PM to 1:30 PM BST for an insightful session on data protection in the charity sector. Our guest speaker, Rebecca Wells, Data Protection and Information Governance Manager at Sustrans, will share her expertise and address the unique challenges faced by non-profit organisations.

Key Discussion Points:

  • The Balancing Act for Charities: How to uphold data protection principles while effectively supporting vulnerable individuals.
  • Compliance Made Clear: Practical guidance for charities to meet evolving data protection regulations, even with limited resources.
  • Supporting DPO Wellbeing: Strategies to ensure Data Protection Officers (DPOs) working in the charity sector have the support they need.

This session is valuable for:

  • Data protection professionals working within charities
  • DPOs in the non-profit sector
  • Anyone interested in the human element of data protection and the challenges of balancing regulations with real-world needs.

Join the Conversation!

At Data Protection Made Easy, we’re passionate about empowering charities to leverage the power of data responsibly. We look forward to welcoming you to this upcoming session and continuing the conversation on data protection in the non-profit sector.