Children’s transgender charity Mermaids fined by ICO over sensitive data leak

Children’s transgender support charity Mermaids has been fined for failing to keep the personal data of its vulnerable users secure.

Around 780 pages of confidential emails were exposed online for nearly three years before being discovered in 2019, leaving personal information such as names and email addresses of 550 people searchable online, an investigation by the Information Commissioner’s Office (ICO) found.

The personal data of 24 individuals was considered particularly sensitive as it revealed how they were coping and feeling, with 15 classified as special category data disclosing information about mental health, physical health and sexual orientation.

Mermaids has apologised again for the “isolated lapse in data security”.

“The safety and security of our service users is paramount and we fully accept that an honest but significant mistake was made a number of years ago, and we are determined to ensure that Mermaids continues to fulfil its obligations regarding safe data management with the utmost diligence,” said Belinda Bell, Mermaids’ chair of trustees.

The ICO has fined Mermaids £25,000 in total, taking into consideration its full cooperation during the investigation and the significant improvements that have been made since the incident came to light.

An investigation was launched by the regulator after the charity reported itself about an internal email group it set up and used between August 2016 and July 2017.

The data protection watchdog was notified about the breach as soon as Mermaids became aware of it in June 2019.

At the time, the ICO found the charity had a negligent approach towards data protection with inadequate policies and a lack of training for staff.

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with,” said Steve Eckersley, director of investigations at the ICO.

“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”