Transgender support charity Mermaids has apologised for a data breach and reported itself to the information regulator, after parts of its email database were found to be available on the internet.
The breach was identified by the Sunday Times, and the charity said it took “immediate action” by fixing the breach and notifying the Information Commissioner's Office on Friday 14 June.
In a statement, it said: “Mermaids apologises for the breach. Even though we have acted promptly and thoroughly, we are sorry.
“At the time of 2016 to 2017, Mermaids was a smaller but growing organisation.
“Mermaids now has the internal processes and access to technical support which should mean such breaches cannot now occur.”
‘Immediate action’ from Mermaids
The charity notified the ICO of the breach on the Friday and, as well as fixing the online breach, took the further steps of:
- Contacting those affected according to ICO guidance
- Contacting families and stakeholders
- Trustees will instruct an independent third party expert to report to the trustees on the breach
- Reporting the incident to the Charity Commission
- Examining the information to decide further measures
An ICO spokesperson said: “We have received a data breach report from Mermaids UK and we will assess the information provided.”
A Charity Commission spokesperson told Civil Society News: “The charity has submitted a serious incident report to the Commission regarding a data breach, in line with our guidance on reporting serious incidents.
“We have contacted the charity for further information so that we can assess this fully.
“More generally: charities hold important positions of trust and so it is vital that they take their responsibilities seriously, particularly when it comes to protecting people and sensitive information.”
The nature of the breach
The charity said: “The material mainly consisted of internal information involving full and frank discussion of matters relevant to Mermaids, but unfortunately included some information identifying a small number of service users.
“Mermaids has contacted these people.
“The information, seen in its actual and proper context, is normal internal information for a group such as Mermaids.
“The information shows Mermaids takes its responsibilities seriously and that there is candid internal consideration of all issues.”
It added: “The scope of the breach was that internal Mermaids emails from 2016 and 2017 in a private user group were available on the internet, if certain precise search-terms were used.
“Mermaids understands that the information could not be found unless the person searching for the information was already aware that the information could be found.
“There is no evidence that any of this information was retrieved by anybody other than the Sunday Times and those service users contacted by the journalist in pursuit of their story.”
Please read the statement by our Trustees following a story in The Sunday Times about an inadvertent data breach, which has been rapidly remedied and promptly reported to the ICO. ⤵️ https://t.co/FQeGXnJhZf pic.twitter.com/h2eWxQQ2BB — Mermaids (@Mermaids_Gender) June 15, 2019