Mermaids: Transgender charity fined over sensitive data leak by ICO

Information Commissioners Office

By Gareth Milner

Published: 08/07/2021 - 18:11

Updated: 14/02/2023 - 11:05

Around 780 pages of confidential emails were exposed online for nearly three years

Children’s transgender support charity Mermaids has been fined for failing to keep the personal data of vulnerable users secure.

Around 780 pages of confidential emails were exposed online for nearly three years, leaving personal information such as names and email addresses of 550 people searchable online, an investigation by the Information Commissioner’s Office (ICO) found.

The personal data of 24 individuals considered particularly sensitive revealed how they were coping and feeling, with 15 classified as special category data disclosing information about mental health, physical health and sexual orientation.

Four related to children who were aged 13 and under at the time the exposure was discovered in June 2019.

Mermaids has apologised again for the “isolated lapse in data security”.

“The safety and security of our service users is paramount and we fully accept that an honest but significant mistake was made a number of years ago, and we are determined to ensure that Mermaids continues to fulfil its obligations regarding safe data management with the utmost diligence,” said Belinda Bell, Mermaids’ chair of trustees.

The ICO has fined Mermaids £25,000 in total, taking into consideration its full cooperation during the investigation and the significant improvements that have been made since the incident came to light.

An investigation was launched by the regulator after the charity reported itself over an internal email group set up by its chief executive Susie Green, who had used a third-party platform without sufficient security settings switched on, resulting in the exchanges being made public.

The data protection watchdog was notified about the breach as soon as Mermaids became aware of it in June 2019, even though the charity had only used the email group between August 2016 and July 2017, years earlier.

At the time, the ICO found the charity had a negligent approach towards data protection with inadequate policies and a lack of training for staff.

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with,” said Steve Eckersley, director of investigations at the ICO.

“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”
