UK Information Commissioner fines transgender charity Mermaids 25,000 pounds for failing to keep personal data secure

July 19, 2021

The UK Information Commissioner’s Office has fined Mermaids £25,000 for failing to keep personal information secure. The breach consisted of personal information in emails and documents, created by Mermaids staff or its clients, being publicly available online. Mermaids was advised of this by a newspaper in June 2019 and contacted the Commissioner the same day.

Mermaids is a charity that offers support to young people and their families regarding gender non-conformity. As such, the discussions and personal information involved were very sensitive.

The media release provides:

The Information Commissioner’s Office (ICO) has fined transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.

The ICO’s investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019.

The ICO found that the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails being viewable online for nearly three years. This led to personal information, such as names and email addresses, of 550 people being searchable online. The personal data of 24 of those people was sensitive as it revealed how the person was coping and feeling, with a further 15 classified as special category data as mental and physical health and sexual orientation were exposed.

The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held. Under the UK GDPR, organisations that are responsible for personal data must ensure they have the appropriate technical and organisational measures in place to ensure personal data is secure.

Steve Eckersley, Director of Investigations, said:

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff. Given the implementation of the UK GDPR as well as the wider discussion around gender identity, the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights.

Mermaids cooperated fully with the ICO investigation and has made significant improvements to its data protection practices since becoming aware of the security breach.

The 30-page Monetary Penalty Notice relevantly states:

  • that Mermaids failed to have adequate security measures in place to ensure the appropriate security for personal data in the period 25 May 2018 to 14 June 2019 including:

    • the email group not having the appropriate restricted access settings applied to it, and therefore the personal data, including the special category data, was accessible to third parties;
    • no pseudonymisation or encryption of the data, either of which would have offered an extra layer of protection to the personal data.
  • that the likely increased vulnerability of a data subject in turn increases the risk of damage or distress being caused to the data subject by any data contravention that reveals that an individual is seeking information about, or support for, gender incongruence [32]
  • around 780 pages of confidential emails were visible online, which included sensitive data relating to gender incongruence and personal data relating to 550 data subjects, such as name, email address, job title, or employer [36]
  • the Commissioner expected them to ensure stringent safeguards were in place to protect service users and their personal data [40]
  • in the period 25 May 2018 to 14 June 2019, there was a negligent approach towards data protection at Mermaids, data protection policies were inadequate and there was a lack of adequate training, including a lack of face-to-face training, on data protection [41]
  • following the introduction of the GDPR, Mermaids’ data protection policies were not updated to ensure compliance. Safeguards should have been in place to protect the young and / or vulnerable data subjects who had used or were using the charity’s services, particularly as that personal data controlled or processed by Mermaids would include special category data and / or data which was sensitive in its context [41]

In addition to the impact on its members, Mermaids clearly underwent a thorough analysis of its systems by the Commissioner, which were found to be inadequate. That cost time and expense. In addition to the monetary penalty there was a significant amount of bad press, which comes with the publication of these fines. The Independent ran with “ICO fines Mermaids transgender charity for data protection breach exposing sensitive personal information” and ZDNet’s story “Mermaids transgender charity data breach exposed confidential emails” excoriated Mermaids.

The Monetary Penalty Notice highlights the need to have proper systems in place to monitor email groups and to ensure that access settings are sufficiently robust and restricted to authorised users only. It seems there was a loss of corporate memory regarding the management of the email group, which in fact stopped operating in July 2017. This highlights the need for proper record keeping. Dormant groups and excess data being kept on systems long after they have any functional use is a chronic problem. Not enough effort is made to properly manage data, including deleting it when email groups stop operating. While Mermaids did train its staff, that training was inadequate and ineffective. The Commissioner treated the fact that no member of staff had identified the email security issue as evidence that the training was inadequate. There may be some ex post facto reasoning in that analysis; however, it is a valuable example of how, when data breaches of this nature occur, the regulator or a litigant will review everything associated with data security and may use some ex post facto reasoning to explain other deficiencies.
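The two failings the notice turns on, an email group whose archive was readable by non-members and a decommissioned group whose data was retained long after it stopped operating, are the kind of thing a periodic inventory check catches. The following is an added illustration, not code from the page, from Mermaids or from the ICO: it audits a constructed inventory of email groups (hypothetical names, settings and dates) and flags any group with a publicly readable archive and any group that is dormant or decommissioned but still holding data. How the inventory is obtained depends on the mail platform in use, which the notice does not name; here it is simply embedded.

```python
"""Audit an email-group inventory for publicly readable archives and for
dormant groups whose data has outlived its purpose.

Added example for illustration only. The inventory below is constructed;
the group names, visibility values and dates are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class EmailGroup:
    name: str
    archive_visibility: str   # "public", "members" or "owners" (hypothetical values)
    last_message: date        # date of the most recent post to the group
    decommissioned: bool      # group no longer in use, but its data is still retained


# Constructed sample inventory: nothing here is real data.
SAMPLE_INVENTORY = [
    EmailGroup("trustees-internal", "public", date(2017, 7, 1), True),
    EmailGroup("volunteers", "members", date(2021, 7, 1), False),
    EmailGroup("old-helpline", "members", date(2018, 1, 15), False),
    EmailGroup("fundraising", "public", date(2021, 6, 30), False),
]


def exposed_groups(inventory):
    """Groups whose archive can be read by anyone, not just members.

    This is the 'insufficiently secure settings' failing in the notice:
    access should be restricted to authorised users only.
    """
    return [g.name for g in inventory if g.archive_visibility == "public"]


def dormant_groups(inventory, today, max_idle_days=365):
    """Groups with no traffic inside the retention window, or already
    decommissioned but still holding data. These are candidates for
    deletion (or for export to offline, access-controlled storage)."""
    cutoff = today - timedelta(days=max_idle_days)
    return [
        g.name for g in inventory
        if g.decommissioned or g.last_message < cutoff
    ]


def audit(inventory, today, max_idle_days=365):
    """Return a dict of group name -> list of findings.

    A group that is both publicly readable and dormant is the worst case:
    data nobody is looking after, readable by anyone who finds it.
    """
    findings = {}
    for name in exposed_groups(inventory):
        findings.setdefault(name, []).append("archive publicly readable")
    for name in dormant_groups(inventory, today, max_idle_days):
        findings.setdefault(name, []).append("dormant: delete or archive offline")
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY, date(2021, 7, 19)).items():
        print(f"{name}: {'; '.join(issues)}")
```

Run against the sample inventory as of 19 July 2021, the audit reports two public archives and two dormant groups, with the decommissioned "trustees-internal" group appearing under both headings. The point of keeping the check as a scheduled job rather than a one-off is the loss of corporate memory the notice describes: a group nobody remembers is exactly the one a manual review will miss.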
