The Charity Commission and the Information Commissioner (usually known by her office, the “ICO”) have agreed a new Memorandum of Understanding (“MoU”, available here). This latest MoU expands on and updates the previous iteration from June 2017, including references to the General Data Protection Regulation and the Data Protection Act 2018, which took effect in May 2018. According to the Commission and the ICO, they have agreed this new MoU in order to “enable closer working between the parties, including the exchange of appropriate information, to assist them in discharging their regulatory functions.”
The MoU describes each party’s functions and powers, and sets out the purposes and principles for their exchange of information, subject to any legal restrictions. The MoU is clear that the parties will aim to co-operate in this regard but will maintain their independence; from a data protection law perspective, that means they will only ever share personal data under the MoU as independent data controllers (as opposed to “joint controllers”, or with one party acting as a data processor for the other). The MoU also sets out the various legal bases, under the Charities Act and the Data Protection Act, on which the parties will rely in order to share information with each other. The MoU also encourages the sharing of draft policy documents where these may have an impact on the other party’s regulatory work.
Perhaps the most noteworthy aspect of the new MoU for charities processing personal data is “Appendix A”, which lists some circumstances when the Commission and the ICO may need to share information. This includes situations where: the Commission receives “a complaint, or intelligence, which appears to be relevant to the GDPR” (or other privacy legislation); where the Commission “receives a Serious Incident Report from a charity relating to a personal data breach or similar, and in which it has not been explicitly stated that the [ICO] has been informed”; where the ICO “identifies matters (relating to [data protection laws]) indicating poor governance, mismanagement or misconduct within a charity; or indicating misuse of charitable status”; and otherwise where regulatory or policy matters are identified by one party that “may have significant implications for the other organisation”.
Where personal data breaches (or other “incidents” involving personal data) are concerned, this reinforces the idea of dual notification of such incidents to both regulators. While that can be a useful “rule of thumb” for serious incidents, there may be good reasons for reporting only to one of the Commission or the ICO (as applicable), and we would stress that the MoU only says that the Commission and the ICO “may” share information with each other about data breaches, charity governance issues, etc., and not that they “must” or “will” do so. We would therefore still recommend that charities take a case-by-case approach, avoiding “over-reporting” data breaches and other incidents to one or both of these regulators where that could invite unwelcome regulatory scrutiny which was not strictly necessary.
If you require further information about anything covered in this briefing, please contact Alan Baker, or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2019