NEWS 12 July 2021

Mermaids charity fined £25,000 for data breach

Charities GDPR News Privacy Technology UK

UK – The Information Commissioner’s Office (ICO) has fined transgender charity Mermaids £25,000 over a data breach that exposed the personal information of over 500 people.


The ICO launched an investigation in 2019 after the charity reported a data breach in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. Mermaids only became aware of the breach in 2019.

The regulator found that insecure settings on the group meant that around 780 pages of confidential emails were viewable online for almost three years, exposing personal information including the names of 550 people.

Of those people, the personal data of 24 was found to be sensitive as it revealed how the person was coping and feeling, with a further 15 classified as special category data, as it included information on mental and physical health and sexual orientation.

Mermaids should have applied restricted access to its email group and considered more rigorous security, the ICO concluded.

The regulator has issued the charity with a penalty notice under section 155 of the Data Protection Act 2018, which imposes an administrative fine on Mermaids, in accordance with Article 83 of the General Data Protection Regulation. 

Steve Eckersley, director of investigations, ICO, said: "The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

"As an established charity, Mermaids should have known the importance of keeping personal data secure and, while we acknowledge the important work that charities undertake, they cannot be exempt from the law."

The ICO said that Mermaids had inadequate data protection policies and a lack of staff training in data protection, but that it had cooperated with the investigation and has since improved its processes.

Belinda Bell, chair of trustees, Mermaids, said in a statement: "We are grateful to the ICO for taking into account our prompt remedial action and for balancing the size of its fine against our need to continue supporting service users, while protecting charitable donations made by our many generous supporters. The safety and security of our service users is paramount and we fully accept that an honest but significant mistake was made a number of years ago, and we are determined to ensure that Mermaids continues to fulfil its obligations regarding safe data management with the utmost diligence."