Mermaids fined £25,000 for data breach


Mermaids UK, a charity that supports transgender children and young people, has been fined £25,000 by the Information Commissioner’s Office (ICO) for failing to keep the personal data of its users secure.

The privacy violation exposed thousands of private emails exchanged between the charity and parents. These emails were all sent between 2016 and 2017, and the confidential communications were then left publicly available online. Mermaids only became aware of the breach in June 2019.

In total, 780 pages of Mermaids’ confidential emails, including angst-ridden messages from parents about their children’s anguish, were available online for anyone to view for nearly three years.

What did the ICO find?

The ICO launched an investigation into the data breach which related to a specific internal email group used between August 2016 and July 2017.

Personal information such as names and email addresses was exposed in this breach. Furthermore, the details of 550 people were searchable online. Of those, the data of 24 people was especially sensitive, as the emails revealed how they were coping and feeling. A further 15 people had their special category data (mental and physical health and sexual orientation) exposed.

The ICO investigation found that:

  • The group was created with insufficiently secure settings.
  • Mermaids should have applied restricted access to its email group.
  • Mermaids could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held.
  • Mermaids had a negligent approach towards data protection with inadequate policies and a lack of staff training.

Commenting on the results of the investigation, Steve Eckersley, Director of Investigations, said:

“The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

Will victims of the Mermaids data breach be awarded compensation?

While the ICO has fined Mermaids £25,000, none of this money will go to victims of the data privacy violation. The only way that those affected by the breach can claim compensation is to make a legal claim.

Commenting on the breach, Matthew Evans, associate and senior data breach solicitor, said:

“Under the UK’s data protection laws, organisations must ensure that they have robust and secure data protection policies and measures in place to keep personal information safe. Mermaids failed to meet its legal obligations, and, while it has since made significant improvements to its data protection practices, for victims of this breach, that is of little consolation.

“Every day, we see what happens when the personal information of people across the UK falls into the wrong hands. And the consequences can be damaging and long-lasting. What is particularly worrying in this instance is that the data breached included the sensitive and intimate details of the very vulnerable youngsters it exists to help. This could have a severe impact on their mental health and wellbeing.

“Many people are passionate about the charities and causes they care about and use for support. Nobody wants to sue a charity – especially one that aligns with their values and beliefs – but something must be done to ensure that personal and potentially intimate details are protected.

“In this instance, it appears that Mermaids hoped that it could get away with its negligence by simply apologising and promising that it wouldn’t happen again. Such a noticeable absence of care over the very real impact of a data breach should not be tolerated or accepted.”

Have you been affected by the Mermaids data breach?

Mermaids has contacted those affected by the data breach. If you have been told that your data has been put at risk, you may be able to make a no-win, no-fee data breach compensation claim.

Charities and organisations are often insured against data breaches, so you do not have to worry about the impact of a claim on the work you support.

If Mermaids put your data at risk, contact us today for a free initial assessment of your claim.

Contact Keller Postman to discuss a data privacy violation.

In March 2024, our firm changed its name to KP Law. 
