The transgender young people’s support charity Mermaids has been fined £25,000 by the Information Commissioner’s Office after personal information relating to 550 people was available online for almost three years.
The regulator also concluded that the charity had a “negligent approach towards data protection with inadequate policies and a lack of training for staff”.
The ICO began investigating the charity in 2019 after The Sunday Times newspaper was made aware that almost 800 pages of confidential emails were viewable online, including names and email addresses.
The regulator’s two-year investigation found that the personal data of 24 people was sensitive because it showed how those people were coping and feeling, while the data of a further 15 was classified as special category data because information relating to mental and physical health and sexual orientation was exposed.
The ICO found that Susie Green, the charity’s chief executive, had set up an online email service to communicate with the charity’s trustees in August 2016, which was used for almost a year.
But the charity was unaware, until contacted by the newspaper in June 2019, that the email service was not sufficiently secure and that, as a result, personal information could be found through an online search when the right terms were used.
The ICO concluded that the charity should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held.
The regulator said Mermaids, which has until 3 August to pay the fine, had co-operated fully with the investigation and had made significant improvements to its data protection practices since becoming aware of the security breach.
Steve Eckersley, director of investigations at the ICO, said: “The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with.
“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.
“As an established charity, Mermaids should have known the importance of keeping personal data secure and, while we acknowledge the important work that charities undertake, they cannot be exempt from the law.”
Belinda Bell, chair of Mermaids, said: “We are grateful to the ICO for taking into account our prompt remedial action and for balancing the size of its fine against our need to continue supporting service users, while protecting charitable donations made by our many generous supporters.
“The safety and security of our service users is paramount and we fully accept that an honest but significant mistake was made a number of years ago, and we are determined to ensure that Mermaids continues to fulfil its obligations regarding safe data management with the utmost diligence.”
She said the Charity Commission, in communication with the ICO, had stated it had no further regulatory concerns.
The charity said it used both an external data consultant and an information technology security auditor to look into any issues raised. It had also conducted a safeguarding audit.
“All complaints from the data subjects affected have now been resolved and we would like to repeat our apology for this isolated lapse in data security,” said Bell.