The Guide to Grants for Individuals in Need 24/25 - hold an umbrella over someone's head

Mermaids fined £25K for exposing sensitive personal information

Melanie May

Melanie May | 12 July 2021 | News

a hand typing on a lapboard keyboard. Photo: Pixabay

The Information Commissioner’s Office (ICO) has fined transgender charity Mermaids £25,000 after sensitive personal information was available online for almost three years.

The ICO fined Mermaids for failing to keep the personal data of its users secure.

Its investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017. The charity only became aware of the breach in June 2019.

Advertisement

Getting Started with TikTok: An Introduction to Fundraising & Supporter Engagement

The ICO found that the group had been created with insufficiently secure settings, which had led to approximately 780 pages of confidential emails to be viewable online for nearly three years. This meant personal information, such as names and email addresses, of 550 people was searchable online. The personal data of 24 of those people was sensitive as it revealed how the person was coping and feeling, with a further 15 classified as special category data as mental and physical health and sexual orientation were exposed.

The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held. Under the UK GDPR, organisations responsible for personal data must ensure they have technical and organisational measures in place to ensure personal data is secure.

Steve Eckersley, Director of Investigations said:

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

 

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

During the investigation the ICO discovered Mermaids was negligent in its approach towards data protection with inadequate policies and a lack of training for staff, and should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights.

Mermaids cooperated fully with the ICO investigation and since becoming aware of the security breach has made significant improvements to its data protection practices.

Related posts

UK Fundraising
17 February 2017

Three regulators to hold conference on rules affecting fundraisers
UK Fundraising
31 March 2017

New Working Party formed to clarify ‘Legitimate Interests’
UK Fundraising
10 April 2018

Reasonable expectation must be key factor in determining Legitimate Interest, says fastmap report
UK Fundraising
25 May 2018

Survey shows 57% likely to ask charities to delete personal data after 25 May

Loading

Melanie May

About Melanie May
Melanie May is a journalist and copywriter specialising in writing both for and about the charity and marketing services sectors since 2001. She can be reached via thepurplepim.com.

Mastodon