Transgender children’s charity Mermaids has been fined for failing to keep the personal information of its vulnerable users safe.
Around 780 pages of confidential emails were online for nearly three years before being discovered in 2019.
The personal data of 24 people was considered to be particularly sensitive as it revealed how they were coping and their emotional state, with 15 classified as special category data revealing information about mental health, physical health and sexual orientation.
Mermaids has again apologized for the “isolated data security oversight”.
“The safety of our service users is of the utmost importance and we fully accept that an honest but grave mistake was made a few years ago, and we are determined to ensure that Mermaids continues to diligently carry out its commitments to secure data management,” said Belinda Bell, trustee of Mermaids.
The ICO has fined Mermaids a total of £25,000, taking into account its full cooperation during the investigation and the significant improvements made since the incident became known.
The regulator opened an investigation after the charity contacted it about an internal email group it set up and used between August 2016 and July 2017.
The data protection officer was informed of the violation as soon as Mermaids became aware of it in June 2019.
At the time, the ICO found that the charity was negligent in its handling of data protection with inadequate policies and poor training of employees.
“The nature of Mermaids’ work should have forced the charity to put in place strict safeguards to protect the often vulnerable people they work with,” said Steve Eckersley, investigator at the ICO.
“Failure to do so exposed the very people it was trying to help to potential harm and suffering and possible prejudice, harassment, or abuse.
“As an established charity, Mermaids should have known the importance of protecting personal information, and while we recognize the important work charities do, they cannot be exempted from the law.”