Site navigation

Mermaids Charity Fined £25k for Leaving Sensitive Data Exposed for Three Years

David Paul


The charity has been fined after private information, including names and email addresses, was left vulnerable online.

Transgender charity Mermaids has been fined for failing to keep sensitive secure after a major breach.

The charity, which supports transgender, nonbinary and gender-diverse children, young people, and their families, was fined £25,000 by the Information Commissioner’s Office (ICO) after member data was left available to view online for nearly three years.

Problems stemmed from an internal email group set up and used by Mermaids from August 2016 until July 2017 when it was decommissioned. However, during that period and up to 2019 the data was still available online and eventually discovered by the charity.

It was found that the group was created with “insufficiently secure settings”, leading to approximately 780 pages of confidential emails being viewable online for the period.

Personal information, such as names and email addresses, of 550 people was accessible. Additionally, particularly sensitive data on of 24 members was visible, revealing how the person was coping and feeling, with a further 15 classified as special category data, exposing information on mental and physical health and sexual orientation.

According to the ICO, Mermaids should have done more to protect the data, such as applying restricted access to its email group and using pseudonyms or encryption to “add an extra layer of protection to the personal data it held”.

Commenting on the fine, Steve Eckersley, Director of Investigations at the ICO, said: “The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with.

“Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”


The ICO established that Mermaids had a “negligent approach” towards data protection and provided “inadequate policies and a lack of training for staff” during the period.

In a statement, an ICO spokesperson said: “Given the implementation of the UK GDPR as well as the wider discussion around gender identity, the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights.”

Mermaids have said it is cooperating fully with the ICO investigation and has made “significant improvements” to its data protection practices since becoming aware of the security breach.

This is the second time in the same week that the ICO has probed an organisation about their handling of private data. An investigation has been opened into the use of personal emails by the Health Department.

The ICO’s investigation aims to establish if the department used private correspondence channels to conduct government business and whether this led to breaches of freedom of information or data protection law.

David Paul

Staff Writer, DIGIT

Latest News

%d bloggers like this: