There is plenty charities can do to ensure they are practising robust data privacy, from raising awareness of the threat to minimising data collection.
The amount of data being kept by organisations digitally has proliferated in recent years, as an increasing number of services and day-to-day operations move online.
The voluntary sector is no exception, with charities already holding a vast array of data about donors, stakeholders, staff, and beneficiaries.
As a result, privacy and protecting the information held is more important than ever for charities. This includes protecting personal details, such as names, addresses, and dates of birth, as well as criminal or medical history.
A recent survey by regulator the Information Commissioner’s Office (ICO) found that most UK citizens don’t trust organisations with data. It found that only 20% of the public have trust and confidence in organisations’ ability to securely store their personal information.
Charities can face substantial fines for failing to keep data private. In 2021, for example, the ICO fined transgender charity Mermaids £25,000 after it failed to protect confidential information related to the health and sexual orientation of people it is supporting.
The breach, which happened two years ago, related to an internal email group containing information that was viewable online for nearly three years.
Charities need to protect their communities. In this article, we look at some of the ways charities can ensure they are practising robust data privacy.
One of the best ways charities can ensure information is private is to make robust data protection a whole-organisation policy, which is prioritised by all staff and volunteers.
This should involve regular training on security and privacy issues and include updates on the latest security risks that charities could face. Using work collaboration tools such as Slack or Microsoft Teams to discuss the importance of privacy and to raise any concerns is advisable.
This awareness raising should also be extended to beneficiaries and stakeholders, to ensure they are aware of the work the charity is undertaking to protect data. Information about data security can be built into online forms, which ask for consent when data is collected, under the UK’s General Data Protection Regulation (GDPR).
Education around data privacy should also focus on the latest trends and how staff and volunteers can watch out for scams. This includes phishing email attacks, which look to trick staff into giving away bank details and other financial data.
Phishing often asks workers to click on a malicious link that installs malware on devices, or works through requests for personal information or extortion. The threat of such attacks, which look to siphon data, can be reduced through some simple steps:
Staff and volunteers should be given a clear and simple way to report any email scams or other data threats they encounter. This can be through an IT department, governing body, or their line manager.
Reporting can also be through email providers, who often have built-in systems to report an email scam or data threat. For example, platforms such as Outlook have a ‘report phishing’ button.
Charities are also advised to report email scams to Action Fraud, the National Fraud and Cyber Crime Reporting Centre.
Another simple way of practising robust data privacy is to minimise the amount of information that is collected. Charities should ask themselves questions. Do they need to know the date of birth of a donor, for example? Do they need other personal information? If the answer is no, stop collecting.
Perhaps ask whether the donor is in a certain age range instead. This means stakeholders’ broad demographic information can be stored, but not data that can help directly identify them.
Practising minimal data collection also cuts down on the risk of personal information falling into the wrong hands as well as saving the charity money in data storage.
Other ways data collection can be slimmed down include using a system whereby information is verified but not stored. This uses third-party data sources to check information, to verify details without storing the actual data.
One of the major threats to the security of IT systems is when public and unsecured Wi-Fi networks are used. Staff and volunteers should not use public networks as these are easier for scammers to use. Instead, use the charity’s or homeworker’s secure, locked Wi-Fi.
For added security, a Virtual Private Network can be used to protect the transfer of data and further limit external tracking. This can be particularly useful to help charity staff work securely from home.