Transgender charity Mermaids has been fined £25,000 by the Information Commissioner’s Office (ICO) for failing to protect the personal data of its users.
The breach includes failing to protect confidential information related to mental and physical health as well as sexual orientation, the ICO investigation found.
The ICO became aware of the breach two years ago relating to an internal email group set up by the charity and used between 2016 and 2017
This group “was created with insufficiently secure settings” leading to around 780 pages of confidential emails viewable online for nearly three years.
This included names and email addresses of 550 people being searchable online
The regulator says that the personal data of 24 of these people was sensitive, relating to their emotional wellbeing.
A further 15 people had mental and physical health and sexual orientation details exposed.
The charity should have restricted access to this group through pseudonymisation or encryption said the ICO.
“During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff,” it said.
Under the UK General Data Protection Regulations organisations that are responsible for personal data must have appropriate safeguards in place to protect users’ personal data.
“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with,” said ICO director of investigations Steve Eckersley.
“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.
“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”
The ICO said that Mermaids had “cooperated fully” with its investigation and had “made significant improvements” to data protection since becoming aware of the security breach.
Mermaids chair Belinda Bell said that the charity takes “full responsibility for this data breach”.
“This historical data breach was brought to our attention in June 2019, at which point we immediately reported the incident to the ICO and cooperated fully to ensure issues regarding our systems and processes were addressed as a matter of the highest importance,” she said.
Latest News
-
Former ACEVO chair to lead youth charity
-
Small charity funder boosts grant size
-
Cranfield Trust announces appointment of new chief executive
-
Large charities 'more effective' by partnering with small community groups
-
400-year-old funder pledges more ‘flexible and longer term’ grant giving
-
Cyber security chief to lead Girlguiding
Charity Times video Q&A: In conversation with Hilda Hayo, CEO of Dementia UK
Charity Times editor, Lauren Weymouth, is joined by Dementia UK CEO, Hilda Hayo to discuss why the charity receives such high workplace satisfaction results, what a positive working culture looks like and the importance of lived experience among staff. The pair talk about challenges facing the charity, the impact felt by the pandemic and how it's striving to overcome obstacles and continue to be a highly impactful organisation for anybody affected by dementia.
Charity Times Awards 2023
Mitigating risk and reducing claims
The cost-of-living crisis is impacting charities in a number of ways, including the risks they take. Endsleigh Insurance’s* senior risk management consultant Scott Crichton joins Charity Times to discuss the ramifications of prioritising certain types of risk over others, the financial implications risk can have if not managed properly, and tips for charities to help manage those risks.
* Coming soon… Howden, the new name for Endsleigh.
* Coming soon… Howden, the new name for Endsleigh.
Better Society
© 2021 Perspective Publishing Privacy & Cookies
Recent Stories