ICO fines charity £25,000 for failing to keep hundreds of users’ data safe

Transgender charity Mermaids has been fined £25,000 by the Information Commissioner’s Office (ICO) for failing to protect the personal data of its users.

The breach includes failing to protect confidential information related to mental and physical health as well as sexual orientation, the ICO investigation found.

The ICO became aware of the breach two years ago relating to an internal email group set up by the charity and used between 2016 and 2017

This group “was created with insufficiently secure settings” leading to around 780 pages of confidential emails viewable online for nearly three years.

This included names and email addresses of 550 people being searchable online

The regulator says that the personal data of 24 of these people was sensitive, relating to their emotional wellbeing.

A further 15 people had mental and physical health and sexual orientation details exposed.

The charity should have restricted access to this group through pseudonymisation or encryption said the ICO.

“During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff,” it said.

Under the UK General Data Protection Regulations organisations that are responsible for personal data must have appropriate safeguards in place to protect users’ personal data.

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with,” said ICO director of investigations Steve Eckersley.

“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

The ICO said that Mermaids had “cooperated fully” with its investigation and had “made significant improvements” to data protection since becoming aware of the security breach.

Mermaids chair Belinda Bell said that the charity takes “full responsibility for this data breach”.

“This historical data breach was brought to our attention in June 2019, at which point we immediately reported the incident to the ICO and cooperated fully to ensure issues regarding our systems and processes were addressed as a matter of the highest importance,” she said.

    Share Story:

Recent Stories


How to elevate your non-profit storytelling with data and performance metrics.
Sage Intacct the non-profit financial management platform, takes a look at giving trends and insights.

What has the pandemic taught us about the public’s perception of charities?
In this episode of the Charity Times Leadership podcast, we take a look at what the pandemic has taught us about the public’s perception of charities. Charity fundraising platform, Enthuse, recently released its quarterly donor research study, which highlighted significant shifts in donor behaviour throughout the duration of the pandemic. Not only does the report highlight an overarching sense of positivity towards the sector, but a propensity for younger generations to give more generously, too. Lauren Weymouth is joined by Enthuse CEO, Chester Mojay-Sinclare to discuss more.

The importance of the ‘S’ in ‘ESG’
In this episode, Lauren Weymouth is joined by Ketan Patel, equities fund manager at EdenTree, to delve into the issue of social investment and why that all-important ‘S’ in ESG is more relevant now than ever before. The social element of ESG often gets forgotten when thinking about investing in more ethical and sustainable ways. But, after a challenging year for all areas of society, social injustice has been highlighted, and there’s a much greater need for charities to put people at the heart of their investment decisions.