Date updated: Tuesday 26th June 2018

The Information Commissioner’s Office (“ICO”) issued the £100,000 penalty notice to the British and Foreign Bible Society (the “charity”) for contravening the seventh data protection principle under the Data Protection Act 1998. The seventh principle is all about keeping personal data safe by implementing appropriate technical and organisational measures against unauthorised or unlawful processing of personal data. The ICO established that the charity did not have these necessary security measures in place.

The charity fell victim to a cyber-attack in 2016. Their computer network was compromised which allowed the hackers access to the personal data of 417,000 of the charity’s supporters, including financial data.

The very nature of the charity and the nature of the personal data meant that the religion of those individuals whose personal data was compromised could be inferred. Personal data relating to an individual’s religion is in the defined list of sensitive (or special category) personal data under data protection legislation. Sensitive personal data is afforded special protection under the data protection regime, and this includes heightened security when handling such data. This is food for thought for organisations with a religious base, because the outcome of the investigation demonstrates that organisations dealing with sensitive personal data need to be especially conscientious when it comes to compliance. The same principle will apply across the board, and those dealing with other categories of sensitive personal data (e.g. health data) will also need to have a heightened awareness. However, the difference with religion is that the very nature of the organisation concerned (in this case a bible society) means that the religion of the individuals could easily be deduced. From a very quick internet search of the organisation, it is clear that the Bible Society is a Christian charity.

When assessing the seriousness of the contravention of the principle to keep personal data safe, as well as determining the harm to the individuals, the ICO took into account the nature of the personal data, including the fact that the religion of individuals could be inferred from the personal data compromised. The fact that the charity was subject to a criminal attack was of course a mitigating factor in the ICO’s assessment. Although there was no deliberate intent to ignore the data protection regime, the ICO commented that the charity ought to have understood the heightened risks associated with the sensitive nature of the personal data. Consequently, the ICO found that the inadequacies in the charity’s security measures were a serious oversight, thus substantiating the issuing of a penalty notice. The full penalty notice can be found here: https://ico.org.uk/media/action-weve-taken/mpns/2259142/bible-society-mpn-20180531.pdf

This penalty has been issued under the old Data Protection Act 1998 because of the date of the breach but the principle relating to security of personal data has flowed through as a principle under the new Data Protection Act 2018 (DPA 2018) and is also a common theme through many other provisions of the DPA 2018. Not only that, but there is of course a risk of even higher fines under the new regime.

The key lesson from this case is that security of personal data is really important, and security of sensitive data is even more important. For charities with a religious base, the outcome of this investigation and the risks associated with a data breach will be a concern. The ICO’s guidance on security, including its practical guide to IT security, will be helpful. It is also important to have appropriate policies in place, reviewed on a regular basis, which set out your organisation’s security measures to keep personal data safe. They should also be a useful tool for staff to use on a day-to-day basis, so that they are aware of what the organisation’s expectations are in relation to information security and also how to recognise a data breach. These policies should be living documents which are a practical tool to be used on a daily basis in the organisation.