ICO imposes £25,000 fine on Mermaids charity for data protection breach


The UK’s Information Commissioner’s Office (ICO) has fined the transgender charity Mermaids £25,000 for a data breach that exposed the personal information of nearly 550 people.

After an in-depth investigation, the ICO found that the charity had failed to implement adequate security measures in breach of its obligations under the UK GDPR.

On June 14, 2019, Mermaids was made aware by a user that internal emails from the charity containing personal data of users were publicly available on the Internet.

The organization reported the breach to the ICO the same day and also asked Google and Archive.li to remove the cached and archived copies of the data.

The ICO found during its investigation that the charity had set up an internal email group in 2016 that was in use from August 2016 to July 2017. During this time, charity staff did not take adequate care to put effective security controls in place on the group.

Because the group’s settings left its messages publicly viewable, more than 700 pages of sensitive personal information about users, including their names, job titles, and email addresses, were available on the Internet for nearly three years.

The exposed emails also revealed conversations on transgender issues, including the emotional states of 24 people affected, as well as the sexual orientation and the mental and physical health of 15 others.

The ICO said Mermaids also failed to record how and why the inappropriate settings were adopted for the email group. It noted that the charity should have restricted access to the email group and could have considered encryption or pseudonymization as additional protection for users’ data.

The regulator also said that Mermaids had failed to provide adequate and effective awareness training for employees.

While its employees and volunteers received data protection training in December 2018, it was “inadequate and/or ineffective” according to the ICO.

Steve Eckersley, the ICO’s Director of Investigations, said that, as an established charity, Mermaids “should have known the importance of securing personal information.”

However, the ICO acknowledged that Mermaids fully cooperated during the investigation and had also improved its privacy practices over the past two years.

“We take full responsibility for this data breach and thank our supporters for their solidarity and understanding during a difficult time,” said Belinda Bell, Chairwoman of Mermaids.

“We are grateful to the ICO for considering our immediate remedial actions and balancing the size of their fine against our need to continue serving service users while protecting the charitable donations from our many generous supporters,” she added.