Data Protection Law
The Information Commissioner’s Office (ICO) has fined charity Mermaids £25,000 for failing to keep personal data (some of which was sensitive personal data) secure. ICO fines for failing to comply with data protection laws can go up to £17.5 million or 4% of an organisation’s total worldwide annual turnover, whichever is higher.
Mermaids is a charity that supports transgender and gender-diverse children and their families. It started out as a support group formed by parents whose children were experiencing gender incongruence. It registered with the Charity Commissioner in 1999. The Charity Commissioner’s website shows that most of Mermaids’ income is derived from donations and legacies with total income for the financial year ending 31 March 2020 standing at £902,437.
In August 2016 the CEO of Mermaids set up an internet-based email group service at https://groups.io. The CEO created [email protected] so that emails could be shared between the CEO and the 12 trustees of the charity. The email service offered various settings for security and privacy:
- “Groups listed in directory, publicly viewable messages”
- “Group not listed in directory, publicly viewable messages”
- “Group listed in directory, private messages” and
- “Group not listed in directory, private messages”.
The Mermaids group email service was set up under the default option “Groups listed in directory, publicly viewable messages”.
The Groups.IO email service was in active use by Mermaids from August 2016 until July 2017. After it became dormant it continued to hold emails. In addition to communications between the trustees, the emails included some forwarded emails from individuals who were using Mermaids’ services. Those emails included personal data, in some cases relating to children, and some of the data was special category data (i.e. data concerning health, sex life or sexual orientation).
In June 2019 a service user of the charity, who was the mother of a gender non-conforming child, informed the CEO that she had been contacted by a journalist from the Sunday Times who had told her that her personal data could be viewed online. The journalist had informed the parent that by searching online he could view confidential emails including her child’s name, date of birth, mother’s name, her employer’s address, her mobile telephone number and details of her child’s mental and physical health.
On the same day, Mermaids received pre-publication notice from the Sunday Times that the emails were accessible online and the newspaper would be publishing an article about the incident.
Mermaids immediately took steps to block access to the email site and engaged lawyers. They began informing data subjects about the incident, contacted the ICO to report what had happened and took other measures to deal with the situation.
The ICO’s investigation found, amongst other things, that Mermaids had failed to ensure that adequate measures were in place to provide appropriate security for personal data and that, as a result, 780 pages of confidential emails containing personal data relating to 550 individuals were searchable and viewable online by third parties for almost three years. The ICO also found that in the period May 2018 to June 2019 there was a negligent approach towards data protection at Mermaids, data protection policies were inadequate and there was a lack of adequate training. The ICO found that Mermaids should have applied restricted access to its email group, used pseudonymisation or encryption to add an extra layer of protection to the personal data it held, and shut down the email group correctly when it was no longer in use.
On 5 July 2021 an ICO fine was imposed on Mermaids of £25,000.
In arriving at the fine the ICO took into consideration:
- Mermaids’ income
- The gravity of the incident
- The fact that special category data was made public
- The duration of the data breach
- The number of data subjects affected
- The damage caused
- The intentional or negligent character of the infringement
- The action taken by Mermaids to mitigate the damage caused
- The degree of responsibility of Mermaids taking into account the technical and organisational measures they implemented
- Any relevant previous infringements
- The degree of cooperation provided by Mermaids with the ICO in order to remedy the infringement and mitigate the damage caused
- Other aggravating or mitigating factors
The ICO’s Monetary Penalty Notice (which gives further detail and explanation about the ICO’s findings) can be accessed here.
One never wants to see an organisation receiving an ICO fine. However, given the nature of the work that Mermaids does and the sensitivity of some of the personal data that was made public, the fine appears low. Many businesses, especially small businesses, will try to find ways to cut corners to make their budgets or resources stretch further. Some businesses, especially those that do not process special category data, may conclude from reading this ICO decision that the worst that can happen to them if they do not have proper data protection processes in place is a fine of less than £25,000.
In its decision the ICO took into account not just “the prompt remedial action taken by Mermaids” but also that “this breach was highlighted in a national newspaper and that resulted in a degree of reputational damage to the charity”. It also seems that the fact that Mermaids was a charity had some bearing on the ICO decision with the ICO balancing the fine as a deterrent against not wanting to be “taking away donations made by the public.”
The ICO took into account the financial position of Mermaids. While we do not know what the content of Mermaids’ representations were in this regard, the charity made a loss for its financial year ended 31 March 2020 with total expenditure of £1,041,325 against income of £902,437. Without us knowing the true financial position, it appears that if Mermaids had received an ICO fine of, say, £250,000, this may well have caused the charity to shut down.
It is worth noting as well that, in addition to the ICO fine imposed, Mermaids’ costs for engaging lawyers and other consultants and dealing with the fallout from the incident would have been significant. Mermaids is also vulnerable to claims being brought against it by the data subjects themselves.