Date updated: Thursday 31st January 2019

Welcome to the January edition of Essentials. In this edition we look at NCVO’s newly published Code of Ethics, we have a guest article from Yoke and Co on financial governance for charities and the usual round-up of developments that may be of interest to charities.

NCVO

Charity Ethical Principles code published

NCVO has published the final version of the Code, which is based on four key principles: beneficiaries first, integrity, openness and right to be safe. Charities should use the Code alongside the Charity Code of Governance as a framework for working towards better governance and ensuring that, as a charity, you are true to the charity’s purpose and that the way you interact with staff, volunteers and beneficiaries is ethically sound. Endorsement of the principles is voluntary, but all charities are encouraged to reflect on the principles in their work and decision-making.

NCVO published a summary of feedback from the consultation. A working party from Stone King responded to the consultation. The feedback notes that whilst the reception to the draft was positive, the proposed title of "Charity Code of Ethics" has been changed to make it clear that the principles are intended to complement existing codes such as the Charity Governance Code. That Code already sets out various requirements around ethics and behaviour, and charities are required to apply it or explain why they have failed to apply its requirements. Our working party had suggested that the two Codes should be combined so as to avoid confusion.

Financial governance for charities

We all know that it is only by spending that charities can fulfil their charitable purpose and that retaining it deprives current beneficiaries of support. This is a product of the ‘never sell the family silver’ mindset. There is always a time and a place for that, but charities have made so much money over the last ten years (often doubling their portfolios) that now is a good time to loosen the purse strings and fund their purposes after so many years of austerity.

Charity Commission

Report published on Commission’s work to detect and prevent wrongdoing and harm in charities 2017-18

The Commission has published its annual report on its work to protect charities from wrongdoing or abuse. This report was previously known as “Tackling abuse and mismanagement”. The report provides lessons for trustees which have been drawn from the Commission’s work over the past year including on the areas of insider fraud, safeguarding, reporting serious incidents, counter-terrorism, data protection and military charities.

Data Protection

Data protection and no-deal Brexit – Information Commissioner’s advice for organisations

The ICO has issued guidance on data protection and a no-deal Brexit for organisations which receive personal data from the European Economic Area (EEA) or operate in the EEA and send personal data outside the UK.

Guide to data protection published

The ICO has published a Guide to Data Protection which covers the Data Protection Act 2018 and GDPR. It is aimed at small and medium-sized organisations and is split into five main sections:

  • Introduction to data protection
  • Guide to GDPR
  • Guide to Law Enforcement processing
  • Guide to Intelligence Services processing
  • Key data protection themes

The guide combines the existing ICO guides to the GDPR and Law Enforcement Processing, with the addition of new pages on intelligence services processing and key data protection themes.

Guidance on data protection impact assessment updated

The ICO has updated its guidance on data protection impact assessments (DPIAs) as recommended by the European Data Protection Board (EDPB). The ICO's guidance is based on the guidelines on DPIAs adopted by the Article 29 Working Party and endorsed by the EDPB, which set out nine criteria that may act as indicators of likely high risk processing.

The guidance will help controllers to identify when a mandatory DPIA is required for high risk processing. However, even if no mandatory obligation applies, controllers are responsible for assessing whether their intended processing is "likely to result in high risk". The ICO strongly recommends that a DPIA is done if there is any doubt.

Under the GDPR, failure to carry out a DPIA when required can result in enforcement action, including an administrative fine of up to €10 million, or in the case of an undertaking, up to 2% of the global annual turnover if higher.