Information Commissioner's Office Fines Transgender Charity For Data Protection Breach Exposing Sensitive Personal Data

Published date30 July 2021
Law FirmWiggin
AuthorMr Alexander Ross

The ICO has fined transgender charity Mermaids '25,000 for failing to keep the personal data of its users secure.

The ICO says that its investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019.

The ICO found that the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails to be viewable online for nearly three years. This led to personal information, such as names and email addresses, of 550 people being searchable online. The personal data of 24 of those people was sensitive as it revealed how the person was coping and feeling, and a further 15 people's personal data was classified as special category data as mental and physical health and sexual orientation were exposed.

The ICO's investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held. Under the UK GDPR, organisations that are...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT