A transgender charity has learnt the hard way that failing to keep the personal data of users secure can have dire consequences, after being found guilty of leaving 780 pages of confidential emails viewable online for nearly three years.
Mermaids was founded in 1995 by a group of parents and has evolved into one of the UK’s leading LGBTQ+ charities, running online communities, local community groups, helpline services, web resources, events and residential weekends.
However, in June 2019 the charity reported itself to the Information Commissioner’s Office over a data breach in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned.
The ICO found that the group was created with insufficiently secure settings; this led to personal information, such as names and email addresses, of 550 people being searchable online.
In fact, the personal data of 24 of those people was highly sensitive as it revealed how the person was coping and feeling, with a further 15 classified as special category data as mental and physical health and sexual orientation were exposed.
The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held.
Under the UK GDPR, organisations that are responsible for personal data must ensure they have the appropriate technical and organisational measures in place to ensure personal data is secure.
During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff.
Given the implementation of the UK GDPR, as well as the wider discussion around gender identity, the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights.
The ICO said Mermaids cooperated fully with its investigation and has made significant improvements to its data protection practices since becoming aware of the security breach.
Nevertheless, the charity has still become only the fifth organisation to be fined under GDPR, with a £25,000 penalty. Although the breach began in 2016, the penalty relates to the incident from May 25 2018 – when GDPR came into effect – and was only rectified in June 2019.
ICO director of investigations Steve Eckersley said: “The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.
“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”
Child sex abuse inquiry fined £200,000 for data misuse
Glos cops cuffed over leak of sensitive child abuse data
Banged to rights: CPS guilty of losing child abuse data
You’re nicked: Humberside cops hit by £130k data fine
Bungling Crown Prosecution Service gets £200k fine