ICO fines Mermaids transgender charity for data protection breach exposing sensitive personal information

Charity ‘should have known importance of keeping personal data secure’, Information Commissioner’s Office official says

Zoe Tidman
Friday 09 July 2021 09:37 BST
Mermaids charity has been fined £25,000 for a data protection breach
Mermaids charity has been fined £25,000 for a data protection breach (Getty Images)

A UK watchdog has fined transgender charity Mermaids for a personal data breach which led to sensitive information being put online.

The Information Commissioner’s Office (ICO) has told the charity to pay £25,000 in relation to an internal email group it set up several years ago.

The data protection watchdog - which conducted an investigation into the matter - found the group was set up with insufficiently secure settings.

This led to hundreds of pages of confidential emails being visible online for nearly three years.

As a result, the personal information of 550 people - including names and email addressess - was searchable online.

For 24 of these, this included sensitive information on how they were coping and feeling.

For 15 others, it concerned special category data, with details over mental and physical health and sexual orientation exposed online, the investigation found.

The director of investigations at the ICO - the UK’s independent body which upholds information rights - said Mermaids “should have known the importance of keeping personal data secure” from its position an established charity.

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with,” Steve Eckersley from the watchdog said.

“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.”

The email group involved in the breach was set up and used between August 2016 and July 2017.

The charity only became aware of the breach - which led to around 780 confidential emails being visible on the internet - in June 2019.

The ICO’s investigation found Mermaids should have applied restricted access to its email group.

The charity could have also thought about using pseudonyms or encryption to add an extra layer of protection to information it held, the watchdog added.

Mr Eckersley from ICO said: “Whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in