The ICO said it made advisory visits to 32 charities during 2012/13 in a bid to "gain a better understanding of the processing they undertake and the circumstances in which they operate".
The watchdog said, though, that many of the charities lacked appropriate controls to prevent them from storing personal data for longer than is permitted under the Data Protection Act (DPA).
"Over a half of charities visited did not have formal retention schedules in place to ensure that the different categories of personal data held had been identified, and were only being kept for an appropriate length of time," the ICO said. "Such retention/disposal schedules help safeguard against the indefinite retention of personal data which would be a breach of the Act."
"More than a third of organisations also lacked processes for the regular weeding of personal data held within manual records to ensure they were not excessive, irrelevant or out of date. Implementing regular weeding processes reduces the risk of breaching the DPA, helps minimise the data held and therefore reduces the impact and/or likelihood of any personal data breach," it said.
Under the DPA organisations are required to ensure that personal data they collect is "adequate, relevant and not excessive" for the purpose(s) for which it is to be processed and that the data is not "kept for longer than is necessary for that purpose or those purposes".
The ICO said that it identified several examples of good information management practice at the charities, including those that limit access to IT systems and electronic data and those that had "confidential waste processes" in place.
However, the ICO said that there were a number of areas for improvement. In particular it said that a "significant proportion" of charities it visited did not set "minimum requirements for password complexity" or require passwords to be updated. In addition, it said that more than a third of charities failed to provide annual training refreshers to staff on data protection issues and that a "large proportion" did not have adequate security in place for storing manual records.
The watchdog conceded, though, that a high turnover of volunteers presents a challenge for charities to ensure staff are aware of their data protection obligations.