The Independent UK
Zoe Tidman

ICO fines Mermaids transgender charity for data protection breach exposing sensitive personal information

A UK watchdog has fined transgender charity Mermaids for a personal data breach which led to sensitive information being put online.

The Information Commissioner’s Office (ICO) has told the charity to pay £25,000 in relation to an internal email group it set up several years ago.

The data protection watchdog - which conducted an investigation into the matter - found the group was set up with insufficiently secure settings.

This led to hundreds of pages of confidential emails being visible online for nearly three years.

As a result, the personal information of 550 people - including names and email addresses - was searchable online.

For 24 of these, this included sensitive information on how they were coping and feeling.

For 15 others, it concerned special category data, with details of mental and physical health and sexual orientation exposed online, the investigation found.

The director of investigations at the ICO - the UK’s independent body which upholds information rights - said Mermaids “should have known the importance of keeping personal data secure” from its position as an established charity.

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with,” Steve Eckersley from the watchdog said.

“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.”

The email group involved in the breach was set up and used between August 2016 and July 2017.

The charity only became aware of the breach - which led to around 780 confidential emails being visible on the internet - in June 2019.

The ICO’s investigation found Mermaids should have applied restricted access to its email group.

The charity could have also thought about using pseudonyms or encryption to add an extra layer of protection to information it held, the watchdog added.

Mr Eckersley from the ICO said: “Whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”
