The Information Commissioners Office has fined transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.

The ICO found that Mermaids (a charity which offers support to children/young adults and their families in relation to gender non-conformity) breached users’ data by failing to implement appropriate security and technical measures to protect personal information. This security failure resulted in documents and emails containing the personal information of users (including children) and special category data to be available to third parties online.

On 14 June 2019, a service user notified Mermaids that internal emails containing personal information were viewable online. The charity promptly reported the incident to the ICO.

The ICO investigation found that an internal email group set up and used by Mermaids between August 2016 and July 2017 was created without appropriate security settings. This led to 780 pages of emails, containing confidential information, to be viewable online for nearly three years. The following personal details of 550 users were exposed on the internet:

  • Names
  • Email addresses
  • More sensitive data regarding 24 users, such as mental and physical health, the users’ feelings and sexual orientation.

Steve Eckersley, the Director of Investigations at the ICO stated:

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

During the investigation the ICO found that Mermaids had been negligent in complying with their data protection obligations and that there was a lack of staff training. Considering the sensitive nature of the information that was left readily available online, there can be little doubt that the breach has caused significant distress to the people affected.

It is of utmost importance that organisations, charities included, follow data protection policies and implement the necessary measures to ensure their clients’ data is not at risk. If organisations fail to protect their customers’ personal data, it can lead, as here, to a hefty fine from the ICO and compensation claims for those whose privacy rights have been breached.

If you have suffered distress as a result of the Mermaid’s data breach or if you have been adversely impacted by a data breach by another organisation, please get in touch and one of our solicitors at DRM Legal will confirm if you are eligible to bring a claim for compensation.