UK transgender charity fined for data breach

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with,” said the ICO’s director of investigations Steve Eckersley.

“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

The data protection authority’s investigation began after receiving a data breach report from the charity about an internal email group it run for 12 months to July 2017. The charity only became aware of the breach two years later.

The ICO found the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails to be viewable online for nearly three years.

That led to personal data, such as names and email addresses, of 550 people being searchable online. For 24 people the information was sensitive as it revealed how the person was coping and feeling and for another 15 it was special category data because their mental and physical health and sexual orientation were exposed.

The investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data held.

The ICO described Mermaids as having a negligent approach towards data protection with inadequate policies and a lack of training for staff.

“Given the implementation of the UK GDPR as well as the wider discussion around gender identity, the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights,” it added.

The ICO noted Mermaids has made significant improvements to its data protection practices since becoming aware of the security lapse.

In response, chairwoman of the charity’s trustees Belinda Bell said: “We take full responsibility for this data breach and thank our supporters for their solidarity and understanding at a difficult time …

“The safety and security of our service users is paramount and we fully accept that an honest but significant mistake was made a number of years ago, and we are determined to ensure that Mermaids continues to fulfil its obligations regarding safe data management with the utmost diligence.”

She also said the charity is grateful to the ICO for balancing the size of its fine against its need to continue supporting service users and protecting charitable donations. 

Bell added a full safeguarding audit was completed this year and all complaints from the data subjects affected have been resolved.