A transgender charity has been fined £25,000 by the Information Commissioner's Office (ICO) for failing to keep its users' personal data secure.
An investigation into Mermaids was launched after the ICO received a data breach report from the charity. The breach related to an internal email group that the charity created and used from August 2016 to July 2017, when it was decommissioned. The charity only found out about the breach in June 2019.
The investigation found that the group had been set up with insufficiently secure settings, which meant that around 780 pages of confidential emails could be viewed for almost three years.
This meant that personal information, such as names and email addresses, of 550 people could be searched online.
The ICO's investigation found that Mermaids should have applied restricted access to its email group and could have considered pseudonymization or encryption to add an extra layer of protection to the personal data it held.
Steve Eckersley, ICO's director of research, said: “The very nature of the work of Mermaids should have forced the charity to impose strict guarantees to protect the often vulnerable people it works with. Its failure to do so subjected the people it was trying to help to potential harm and distress and possible prejudice, harassment, or abuse.
“As an established charity, Mermaids should have known the importance of keeping personal data secure, and while we recognize the important work that charities do, they cannot be exempt from the law.”
During the investigation, the ICO found that Mermaids had a negligent approach to data protection, with inadequate policies and a lack of training for staff. However, the ICO confirmed that the charity fully cooperated with the investigation and has made improvements in its data protection practices since learning of the security breach.
In response to the investigation, Belinda Bell, president of the Mermaids trustees, said: “We take full responsibility for this data breach and thank our supporters for their solidarity and understanding at a difficult time.
“We are grateful to the ICO for taking into account our prompt reparation action and for balancing the size of their fine with our need to continue to support service users, while protecting the charitable donations made by our generous supporters.
“The safety and security of our service users is paramount and we fully accept that an honest but significant mistake was made a few years ago and we are committed to ensuring that Mermaids continues to meet its data management obligations with the utmost diligence.
“All the complaints of those affected have already been resolved and we would like to reiterate our apologies for this isolated lapse of data security,” Bell's statement added.