Charity Fined £25,000 for Data Breach

Together we are Forbes


13 July, 2021

Bethany Paliga
Senior Associate

The ICO has announced this week that it has fined the charity Mermaids £25,000 for failing to keep the personal data of its users secure.

Mermaids is a charity which originated as a parents' support group for parents whose children were experiencing gender non-conformity. In August 2016, the charity set up an email group. Unfortunately, restricted access settings were not applied to the email group and Mermaids were notified by a service user that the emails were publicly available online.

The incident meant that the personal data of a large number of children and vulnerable individuals was available online. In addition, some of that information was classified as special category data. Once the breach was identified, an investigation was commenced and it was found that if the appropriate security access settings had been applied, then access would have been restricted to approved members of the group only and it would not have been possible for third parties to gain unauthorised access online. The investigation established that the default setting for security and privacy on the internet-based email service provided, "Group listed in directory, publicly viewable messages," which was an insecure and inappropriate setting. Alternative settings available to users of the email service were, "Group not listed in directory, publicly viewable messages,", "Group listed in directory, private messages," and, "Group not listed in directory, private messages," which, if selected, may have provided more appropriately secure settings.

The ICO were informed of the breach by Mermaids after they had been notified that the emails were publicly available online. The ICO found that Mermaids failed to implement an appropriate level of organisational and technical security to its internal email systems, which resulted in documents and emails containing personal data, including some cases special category data, being searchable and viewable online by third parties through internet search engine results. The ICO has fined Mermaids £25,000 for this breach.

How is this case relevant to the Education sector?

This case will be of interest to our education clients as it demonstrates the importance of staff, trustees/governors and volunteers being aware of their obligations under the GDPR, regardless of whether or not they are on the payroll.

For further data protection advice and support, please contact Bethany Paliga via email or telephone 0800 689 3206.

For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.

Learn more about our Governance, Procurement & Information department here

Break condition requiring vacant possession

Impact of social media backlash for employers

Contact Us

Get in touch to see how our experts could help you.

Call0800 689 3206

CallRequest a call back

EmailSend us an email

Contacting Us

Monday to Friday:
09:00 to 17:00

Saturday and Sunday: