Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

ICO fines Mermaids transgender charity for data protection breach exposing sensitive personal information

Charity ‘should have known importance of keeping personal data secure’, Information Commissioner’s Office official says

Zoe Tidman
Friday 09 July 2021 09:37 BST
Comments
Mermaids charity has been fined £25,000 for a data protection breach
Mermaids charity has been fined £25,000 for a data protection breach (Getty Images)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

A UK watchdog has fined transgender charity Mermaids for a personal data breach which led to sensitive information being put online.

The Information Commissioner’s Office (ICO) has told the charity to pay £25,000 in relation to an internal email group it set up several years ago.

The data protection watchdog - which conducted an investigation into the matter - found the group was set up with insufficiently secure settings.

This led to hundreds of pages of confidential emails being visible online for nearly three years.

As a result, the personal information of 550 people - including names and email addressess - was searchable online.

For 24 of these, this included sensitive information on how they were coping and feeling.

For 15 others, it concerned special category data, with details over mental and physical health and sexual orientation exposed online, the investigation found.

The director of investigations at the ICO - the UK’s independent body which upholds information rights - said Mermaids “should have known the importance of keeping personal data secure” from its position an established charity.

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with,” Steve Eckersley from the watchdog said.

“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.”

The email group involved in the breach was set up and used between August 2016 and July 2017.

The charity only became aware of the breach - which led to around 780 confidential emails being visible on the internet - in June 2019.

The ICO’s investigation found Mermaids should have applied restricted access to its email group.

The charity could have also thought about using pseudonyms or encryption to add an extra layer of protection to information it held, the watchdog added.

Mr Eckersley from ICO said: “Whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in