ICO fines Mermaids transgender charity for data protection breach exposing sensitive personal information

A British watchdog has fined the transgender charity Mermaids for a personal data breach that resulted in sensitive information being put online.

The Information Commissioner’s Office (ICO) ordered the charity to pay £25,000 in relation to an in-house email group set up a few years ago.

The data protection regulator, which investigated the matter, found that the group was set up with insufficiently secure settings.

This resulted in hundreds of pages of sensitive email being visible online for nearly three years.

This left the personal data of 550 people – including names and email addresses – findable through online searches.

For 24 of them, this included sensitive information about how they were coping and how they felt.

For fifteen others, special category data, including details of their mental and physical health and sexual orientation, was disclosed online, the investigation found.

The chief investigator of the ICO – the UK’s independent authority that upholds information rights – said Mermaids “should have known the importance of protecting personal information” given its position as an established charity.

“The nature of Mermaids’ work should have forced the charity to put in place strict safeguards to protect the often vulnerable people they work with,” said Steve Eckersley of the watchdog.

“Failure to do so has exposed the very people it was trying to help to potential harm and suffering and possible prejudice, harassment or abuse.”

The email group involved in the breach was set up and used between August 2016 and July 2017.

The charity did not become aware of the breach, which left around 780 confidential emails visible on the internet, until June 2019.

The ICO’s investigation found that Mermaids should have restricted access to its email group.

The charity could also have considered using pseudonyms or encryption to further protect the stored information, the watchdog added.

ICO’s Mr Eckersley said, “While we recognize the important work that charities are doing, they cannot be exempted from the law.”
