Charities spend a lot of time having to strike balances; that is the nature of the sector. Whether that is deciding what services to cut at a time of financial pressure, or handling a tricky safeguarding issue, trustees and senior management are constantly balancing their charity’s obligations in difficult situations.
The same is true where requirements under the Charity Commission’s regulatory regime seem at odds with other areas of law, such as data protection. This is often apparent when a charity has to make a serious incident report to the Charity Commission.
If you’re faced with this scenario, the starting point is always one of the key data protection principles: data minimisation. Do you need to include that personal data in the report? Nine times out of ten the answer will be no. The Charity Commission can always request further information from you.
Remember that personal data is not just providing someone’s name; it is any information relating to an identified or identifiable natural person. The information you provide could indirectly identify an individual and may therefore still be personal data - someone’s job title, for example.
Wherever possible, try to give generic titles: “an employee”, “a trustee” or, even better, refer to them as “X”. However, there may be times where there is no choice but to reveal a specific role if the position they are in goes to the heart of the incident. This may be the case for a Chief Executive or a Chair of trustees and, if it really is necessary, the balance usually falls in favour of the charity reporting with the personal data.
In finding a legal basis to disclose personal data to the Charity Commission, we would perhaps consider that it is necessary to comply with a legal obligation; after all, the Charity Commission’s guidance on serious incident reporting states that it requires charities to report serious incidents. However, there are question marks over the statutory basis for this (outside of the annual return regime). But even if there is no specific statutory obligation, in the limited situations where the personal data cannot be removed, the legal obligation basis is likely to be broad enough to cover disclosure to the Charity Commission if the incident requires a report in line with their guidance. However, where criminal offence data or special category personal data is involved (information about a data subject’s health, race, religious beliefs etc.), you need to tread even more carefully as such information affords enhanced protection and an additional legal basis will need to be established.
You will always be on more solid ground if you wait for the Charity Commission to request the personal data under its information gathering powers so the starting point should always be to anonymise, and in particularly sensitive scenarios, perhaps even request the Commission invoke those powers so that you are able to make a full report. Failing that, give the Information Commissioner’s Office a call – even if they cannot advise one way or another, you can demonstrate that you have consulted the regulator for guidance.
Another factor that must not be missed is the data subject’s right to information. The charity’s privacy notices should flag the possibility that personal data may need to be shared with third parties as part of your charity’s regulation and reporting requirements.
Serious incident reporting is just one example where personal data may need to be disclosed; each time you communicate with the Charity Commission, you need consider what personal data you are disclosing and what legal basis you are relying on to do this.
And a final word of warning, the Charity Commission is a public body that is subject to the Freedom of Information Act (FOIA) so there is always a risk that content of your communication could be disclosed to a requestor. The Charity Commission, in considering a FOIA request, has to consider a number of exemptions and other factors including: any third-party data involved; issues around confidentiality; and specific prohibitions to prevent onward disclosure (e.g. in relation to statutory enquiries) but the possibility should be in the back of your mind in dealing with the Charity Commission.
Where there is a difficult decision to be made, a difficult balance to be struck, make use of the Charity Commission’s guidance on decision making and we would always recommend preparing a detailed minute of how the Board has reasoned and justified its decision.