ICO imposes £25,000 fine on Mermaids charity for data protection breach

Internal emails containing sensitive data were accessible on the internet

The UK's Information Commissioner's Office (ICO) has fined transgender charity Mermaids £25,000 for a data breach that exposed the personal information of nearly 550 people.

Following a detailed investigation, the ICO found that the charity had failed to implement an appropriate level of security measures, in violation of its obligations under UK GDPR.

On 14 June 2019, Mermaids was alerted by a user that internal emails of the charity containing personal data of service users were publicly available on the internet.

The organisation reported the breach to the ICO the same day and also asked Google and Archive.li to remove the cached and archived copies of the data.

The ICO found in its investigation that the charity had set up an internal email group in 2016, which was used from August 2016 until July 2017. During this time, the charity's staff failed to configure effective security controls on the group.

As a result of those inappropriate settings, more than 700 pages exposing users' sensitive personal details, including their names, job titles, and email addresses, were available on the internet for nearly three years.

The breach also exposed conversations about transgender issues, including the emotional states of 24 data subjects and sexual orientation and mental and physical health details of 15 others.

The ICO said that Mermaids also failed to keep a record of how and why inappropriate settings for the email group were adopted. It noted that the charity should have enforced restricted access to its email group and could have considered encryption or pseudonymisation as an added layer of protection for users' data.

The regulator also said that Mermaids had failed to provide effective staff awareness training.

While its staff and volunteers received data security training in December 2018, it was "inadequate and/or ineffective," according to the ICO.

Steve Eckersley, the ICO's director of investigations, said that the charity "should have known the importance of keeping personal data secure" given its position as an established charity.

But the ICO acknowledged that Mermaids cooperated fully during the probe and had also made improvements to its data protection practices over the past two years.

"We take full responsibility for this data breach and thank our supporters for their solidarity and understanding at a difficult time," Belinda Bell, chair of Mermaids, said.

"We are grateful to the ICO for taking into account our prompt remedial action and for balancing the size of its fine against our need to continue supporting service users, whilst protecting charitable donations made by our many generous supporters," she added.