Posted by Irene Trubbiani Montagnac,
ICO fines transgender charity for data breach
Mermaids, a charity which supports children, young people, and their families in relation to gender non-conformity, has been fined £25,000 by the Information Commissioner’s Office (ICO) after personal information relating to 550 people, including children, was available online for almost three years.
Some of this personal information was sensitive in context, since it revealed how the individual was coping and feeling, and some fell within “special category data” under the UK GDPR because it included information on mental and physical health and sexual orientation.
The ICO’s investigation
The ICO began investigating the charity in 2019 after receiving a data breach report from the charity itself. The breach related to an internal email group that the charity set up and used from August 2016 until July 2017. The group had been created with access settings that left its message archive publicly viewable, so almost 780 pages of confidential emails remained accessible online for nearly three years after the group fell out of use. The charity only became aware of the exposure in 2019, when a user notified it.
The gravity of the contravention was taken into account by the ICO when setting the fine. Gender incongruence is still regarded as a controversial topic, and the fact that a child or adult may be experiencing it is a sensitive matter which can increase that person’s vulnerability. The Commissioner therefore treated the data about gender incongruence as sensitive in its context.
The penalty was issued under Articles 5(1)(f) and 32(1) and (2) of the UK GDPR: the charity had failed to implement appropriate technical and organisational measures for its internal email systems, in breach of its obligations under the UK GDPR.
The ICO’s Director of Investigations said: “the very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.
As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”
In its investigation of the breach, the ICO noted that there was no record of how or why the group’s settings had been chosen, and that consideration should have been given to pseudonymisation or encryption of the data, either of which would have offered an extra layer of protection to the personal data had the access settings failed.
The ICO also found that the charity’s approach to data protection training and compliance with GDPR was lacking.
What can we take away from this case?
This is an interesting case: in most instances the ICO has fined organisations for breaches resulting from external cyber-attacks, whereas here the cause was a failure to apply appropriate access settings to an internal system. The case is a stark reminder to organisations of the need to choose security settings deliberately, record why they were chosen, and review them when a system is retired. In addition, organisations must put in place adequate and effective training for their staff; a policy that staff have not been trained to apply is rarely sufficient on its own.
Whilst the penalty issued by the ICO may appear insignificant compared with the recent fines imposed on household names such as British Airways and Marriott, it is a reminder to organisations of all kinds and sizes that the ICO does not only target multinationals: it is ready to fine smaller organisations, including charities, which do not safeguard the personal data they process.
If you have any enquiries, please contact Irene Trubbiani Montagnac on:
020 7842 1514