The Data Protection Act for Charities

7 March 2013

‘Data Protection’ is a scary term for many charity professionals. Thoughts of laptops left on trains full of sensitive client information send chills down the spine. No one wants to be at the helm of tomorrow’s epic data protection failure.

This short blog sets out a few pointers to help you avoid common pitfalls and it also explains a few of the core concepts.

Does my charity have to worry about data protection issues?

I’m afraid to say that, almost certainly, the answer is ‘yes’!

Charities are about people. Even if you operate for the benefit of the environment or animals, your funders and supporters are likely to be people. Data you store about the people that relate to your charity is very likely to be ‘personal data’ under the definition found in the Data Protection Act 1998. If so, this means that you do have to worry about data protection issue.

You must follow rules on data protection if your business stores or uses personal information. This applies to information kept on staff, customers and account holders, eg when you:

  • recruit staff
  • manage staff records
  • market your products or services
  • use CCTV

This could include:

  • keeping customers’ addresses on file
  • recording staff working hours
  • giving delivery information to a delivery company

GOV.UK guidance

Keep your data secure, accurate and up to date

In order to comply with your legal obligations and avoid costly mistakes, you must make sure the information you store is kept secure, accurate and up to date.

Data Security

Security covers a number of areas:

Staff policies

  • Is all your electronically stored data protected by a password?
  • Do you change passwords periodically? How regularly?
  • Do you ensure that access accounts are linked to individuals and that people don’t share accounts?
  • Do you restrict access to personal data on a need-to-know basis?
  • Do you require sensible passwords (see Crispin’s post on this)


  • Have you put in place robust back-up procedures that cover serious hardware errors, fires, etc?
  • Have you put in place roll-back procedures for data corruption caused by user error?

Third parties

  • It often makes sense to outsource data storage to specialists, but have you checked their credentials and data protection policies?

Ensure your data is accurate and up to date

You should keep data for no longer than is necessary to pursue the purpose for which it was collected. You should also put in place some system or process for updating data. If it’s possible, a great way to do this is to get people to update their own records. This is not always easy but you will also have more success as an organisation if you have up-to-date information so it is often worth the effort.

Tell people how you will use their data

Whenever you collect personal data you must also make it clear to people:

  • Who you are
  • How you’ll use their personal information
  • That they have the right to see the information and correct it if it’s wrong

You must also say if the information will be used in other ways - e.g. if it may be passed to other organisations.

What you can use data for is determined by how it was gathered. If you obtain data by saying it is for a particular purpose this is the only purpose it can be used for.

Specific obligations

Two specific things you must do are:

Data protection for your charity website and CRM

We support a wide range of charities with the management of their website and CRM systems. These systems are a often a key part of charities’ interactions with different stakeholders and as a result they often store a large amount of personal data. For CRMs in particular, personal data is the foundation of the whole system.
Here are a few data protection tips we have picked up over the years:

1) Get good data

Think through the different ways people can engage with you online and ensure that you have a system that tracks where they come from. This allows you to ensure you don’t start using data for a purpose that wasn’t initially communicated to the individual in question.

2) Avoid data duplication

One of the best ways to get your data in a mess (and thereby make it harder to follow data protection best practice) is by running multiple databases. Custom integrations are very costly so it pays to think carefully about the whole system before diving into one particular system.

3) Let users manage their own data

Wherever possible, you should empower your users to update their own data. Lots of systems have some capacity to do this so if you haven’t explored it then ask your supplier for guidance.

If you have other specific questions on just ask them at the bottom of this page.

Data protection best practices for charities

This article is only an introduction and there are lots of common charity activities that are affected by the data protection act and other legislation.

Two other posts with helpful information are:

For more specific guidance on data protection you should also check out the charity resources on the Information Commissioner’s Office website.