The Information Commissioner’s Office (ICO) has fined Mermaids £25,000 after approximately 780 pages of confidential emails were viewable online for nearly three years.
Mermaids, which supports transgender, non-binary and gender-diverse children and their families, became aware of the data breach in June 2019 and reported itself to the ICO.
Today Mermaids’ chair said the charity takes “full responsibility” and apologised for “this isolated lapse in data security”.
Information relating to over 500 people online
In 2016, Mermaids’ chief executive created an email group hosted online but configured it with insufficiently restrictive access settings, so the group's contents remained publicly viewable even after the group was no longer being used.
This meant that approximately 780 pages of confidential information were viewable online for nearly three years.
These emails included personal information, such as names and email addresses, of 550 people. The ICO says that the personal data of 24 of those people was sensitive because it revealed how they were coping and feeling, and that the data of a further 15 was special category data because it exposed mental and physical health and sexual orientation.
The ICO concluded that the “contraventions were not deliberate, although there is an element of negligence as the CEO created the email group with the least secure settings in error”.
Furthermore, according to the ICO, by 25 May 2018, when GDPR came into force, Mermaids was a “well-established significant charity and should have implemented appropriate measures to ensure that personal data was safeguarded”.
Steve Eckersley, the ICO’s director of investigations, said: “The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often-vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.
“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”
Mermaids: ‘We fully accept that an honest but significant mistake was made’
The ICO says that Mermaids co-operated throughout.
Mermaids has apologised for the error, taken action to improve its policies and resolved complaints relating to the incident.
In a statement, Belinda Bell, chair of Mermaids, said: “We take full responsibility for this data breach and thank our supporters for their solidarity and understanding at a difficult time.
“We are grateful to the ICO for taking into account our prompt remedial action and for balancing the size of its fine against our need to continue supporting service users, whilst protecting charitable donations made by our many generous supporters.”
Mermaids brought in experts to help it improve its data protection and safeguarding policies.
Bell said: “The safety and security of our service users is paramount and we fully accept that an honest but significant mistake was made a number of years ago, and we are determined to ensure that Mermaids continues to fulfil its obligations regarding safe data management with the utmost diligence.”
Mermaids also filed a serious incident report with the Charity Commission in 2019. It says it is not expecting any further regulatory action from the Commission.
Two former trustees and two service users complained to Mermaids about the breach.
“All complaints from the data subjects affected have now been resolved and we would like to repeat our apology for this isolated lapse in data security,” Bell said.
Must pay fine by 3 August
Mermaids must pay the fine by 3 August 2021. This is not kept by the ICO but will be paid into the consolidated fund, which is the government's general bank account at the Bank of England.
For the financial year ending 31 March 2020, Mermaids’ income was just over £900,000. Its income has risen quickly in recent years; it was just £84,000 in 2016.
The breach was uncovered by the Sunday Times, which then notified the charity that it intended to run a story.
In recent years the charity has also been the focus of media criticism over its work. In 2019, a grant from the Big Lottery Fund, now the National Lottery Community Fund, was delayed after critics asked for a review of the decision.
The ICO’s report notes that the “nature and gravity of the contraventions” mean its conclusion is not affected by whether the journalist found the information by accident or had “set out to find the information by using a precise and unusual syntactical search”.