Mermaids, a controversial UK charity which helps transgender youth, has been fined £25,000 after it unknowingly exposed nearly 800 pages of personal emails containing the private information of trans children and their parents.
The Information Commissioner’s Office (ICO) fined Mermaids £25,000 (nearly $35,000) for failing to “implement an appropriate level of organisational and technical security to its internal email systems.” The failure, it said, led to emails and documents containing personal information about children and other vulnerable people “being searchable and viewable online by third parties through internet search engine results” – a violation of GDPR laws.
According to the ICO’s penalty notice, the security flaw was discovered in 2019 after a Sunday Times journalist informed one of the parents who had been in contact with Mermaids that their child’s current name, birth name, date of birth, and health details, along with the child’s mother’s name, telephone number, and employer’s address were freely available online.
Four exposed emails contained details about transgender children under the age of 13 at the time.
The ICO claimed that the leaked data was particularly “sensitive in its context” as “groups supporting transgender rights and people experiencing gender incongruence may be at a higher risk of experiencing prejudice, harassment, physical abuse or hate crime.”
“If someone had accessed the email group online there would have been sufficient available identifying data to potentially ‘out’ the data subject, removing any choice and infringing their privacy,” the penalty notice explained.
The ICO admitted that it was unsure whether any third parties had accessed the data other than the Sunday Times journalist who broke the story.
ICO Director of Investigations Steve Eckersley said in a statement that the “very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with,” and that “its failure to do so subjected the very people it was trying to help to potential damage and distress.”
He added that, though charities like Mermaids do “important work,” they should know the importance of safeguarding personal information and “cannot be exempt from the law.”
Responding to the fine, Mermaids said it took “full responsibility” for the data breach and thanked the ICO for “balancing the size of its fine against our need to continue supporting service users.” The charity’s chair of trustees Dr. Belinda Bell said in a statement that it fully accepts “that an honest but significant mistake was made” and that the privacy of its service users is “paramount.”
“We are determined to ensure that Mermaids continues to fulfil its obligations regarding safe data management with the utmost diligence,” Bell said.