Children’s transgender charity Mermaids fined by ICO over sensitive data leak
Children’s transgender support charity Mermaids has been fined for failing to keep the personal data of its vulnerable users secure.
Around 780 pages of confidential emails were exposed online for nearly three years, leaving personal information such as names and email addresses of 550 people searchable online, an investigation by the Information Commissioner’s Office (ICO) found.
The personal data of 24 individuals considered particularly sensitive revealed how they were coping and feeling, with 15 classified as special category data disclosing information about mental health, physical health and sexual orientation.
Four related to children who were aged 13 or under when the exposure was discovered in June 2019.
Mermaids has apologised again for the “isolated lapse in data security”.
“The safety and security of our service users is paramount and we fully accept that an honest but significant mistake was made a number of years ago, and we are determined to ensure that Mermaids continues to fulfil its obligations regarding safe data management with the utmost diligence,” said Belinda Bell, Mermaids’ chair of trustees.
The ICO has fined Mermaids £25,000 in total, taking into consideration its full cooperation during the investigation and the significant improvements that have been made since the incident came to light.
An investigation was launched by the regulator after the charity reported itself over an internal email group set up by its chief executive, Susie Green, on a third-party platform without sufficient security settings switched on, with the result that the group’s exchanges were publicly accessible.
The data protection watchdog was notified about the breach as soon as Mermaids became aware of it in June 2019, almost two years after the charity had stopped using the group, which had been in use between August 2016 and July 2017.
At the time, the ICO found the charity had a negligent approach towards data protection with inadequate policies and a lack of training for staff.
“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with,” said Steve Eckersley, director of investigations at the ICO.
“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.
“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”
In a statement posted on the Mermaids website, Chair of Trustees Belinda Bell said: "We take full responsibility for this data breach and thank our supporters for their solidarity and understanding at a difficult time.
"We are grateful to the ICO for taking into account our prompt remedial action and for balancing the size of its fine against our need to continue supporting service users, whilst protecting charitable donations made by our many generous supporters.
"The safety and security of our service users is paramount and we fully accept that an honest but significant mistake was made a number of years ago, and we are determined to ensure that Mermaids continues to fulfil its obligations regarding safe data management with the utmost diligence.
"This historical data breach was brought to our attention in June 2019, at which point we immediately reported the incident to the ICO and cooperated fully to ensure issues regarding our systems and processes were addressed as a matter of the highest importance.
"The Charity Commission, in communication with the ICO, has stated it has no further regulatory concerns.
"The charity engaged an external data consultant to address issues raised, and their report confirms that no wider issues were identified.
"The charity also instructed an information technology security auditor to carry out a review of the incident.
"In addition, a full safeguarding audit has been completed this year. All complaints from the data subjects affected have now been resolved and we would like to repeat our apology for this isolated lapse in data security."