Charities are "potentially more susceptible to encountering a serious data breach" than other organisations, according to the Information Commissioner's Office.
The sensitive nature of the data that charities often handle, the ICO said, means they could be more likely to suffer a serious breach, putting them at risk of receiving a fine of up to £500,000.
The ICO published a list of the five main areas where charities can improve their data practices. These are using strong passwords, encrypting portable devices, ensuring staff receive adequate training, letting people know what they are doing with their data and only keeping people's information for as long as necessary.
“The top five list we’ve published has come from feedback we’ve found on visits we’ve already carried out, where we found many of the same problems,” an ICO spokesman told Information Age.
The data protection watchdog is also encouraging charities to make use of the free data protection 'check ups' it offers to small and medium-sized organisations. These advisory visits, which can range from a few hours to a day, give organisations the chance to discuss and receive advice from the ICO on improving data protection practices.
Sam Younger, chief executive of the Charity Commission, encouraged UK charities to take the ICO's advice. “Trustees are responsible for ensuring their charity complies with relevant legislation – including the Data Protection Act – and for protecting their charity’s reputation. Mishandling sensitive data not only causes individuals serious distress, it can also damage the good name of your charity. So I encourage trustees of charities that handle sensitive data to take note of the ICO’s guidance and consider taking part in an ICO advisory visit.”
The ICO has also published a guide to advisory visits, as well as summaries of selected visits that have taken place. In July, the Legal Services Board (LSB) used an advisory visit from the ICO to brief staff on how data is collected, processed, archived and destroyed. Feedback was also provided on data minimisation, transparency, data protection principles and data on mobile devices.