Charity cold calling Investigation: You cannot subcontract liability
It has been reported that charities have subcontracted their fundraising to third party companies, and those companies have been irresponsibly using the data provided to them. The law states that the data controller is liable for any subcontractor and their service. Read on to find out more.
4 well known charities will be investigated after their fundraising techniques have been found to be unlawful and likened to harassment. The 4 charities have all sub-contracted their fundraising to a third party company. The charities themselves will be investigated as part of a new enquiry to tackle "forceful" cold calling, that targets vulnerable elderly members of the public- even pushing those with dementia and those over 90 years old.
"The allegations claim some of the people who received unsolicited calls have dementia and memory problems" and that "it puts into question whether Charities should be using profit-making companies to do their fundraising."
According to the Data Protection Act, the data controller (the charities) are liable for the data processor's (the third party fundraising companies) actions, despite the fact they may be unlawful and irresponsible. As a data controller, you must ensure that your sub-contractor has assurances and certifications in place to prevent any mishandling of data.
The following is taken from our article "What is the Data Protection Act?"
When using third party “data processors”:
- Establish a written contract outlining what can be done with the personal data and how it will be protected. Ensure the level of protection is sufficient to meet your organisation’s compliance with the DPA
- Take reasonable steps to monitor the security measures are effective.
For a serious breach of the DPA, the ICO can issue:
- Monetary penalty notice of up to £500,000
- An Undertaking – a published enforcement notice requiring the organisation to commit to a particular course of action to improve its compliance.