The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Information Commissioner’s Office (ICO) has fined transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.

The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019.

The ICO found that the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails to be viewable online for nearly three years. This led to personal information, such as names and email addresses, of 550 people being searchable online. The personal data of 24 of those people was sensitive as it revealed how the person was coping and feeling, with a further 15 classified as special category data as mental and physical health and sexual orientation were exposed.

The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held. Under the UK GDPR, organisations that are responsible for personal data must ensure they have the appropriate technical and organisational measures in place to ensure personal data is secure.

Steve Eckersley, Director of Investigations said:

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff. Given the implementation of the UK GDPR as well as the wider discussion around gender identity, the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights.

Mermaids cooperated fully with the ICO investigation and has made significant improvements to its data protection practices since becoming aware of the security breach.

Notes to Editors

  1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. This penalty was issued under the Data Protection Act 2018 for infringements of Articles 5(1)(f) and 32(1) and (2) of the UK GDPR.
  4. Although the Commissioner considers the breach to have begun on 15 August 2016, the penalty relates to the breach from 25 May 2018 (to 14 June 2019) when new rules under the UK GDPR came into effect.
  5. Any monetary penalty is paid into the Consolidated Fund, which is the Government’s general bank account at the Bank of England, and is not kept by the ICO.
  6. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.