ICO fines charity £25,000 for failing to secure personal data
The Information Commissioner's Office (“ICO”) has published its decision to fine the charity Mermaids £25,000 following a data breach.
Mermaids reported the breach to the ICO in 2019, after discovering that the personal data of its beneficiaries had not been appropriately secured.
Mermaids set up an internal email group in 2016 and used it until 2017. The group was configured with inadequate security settings, with the result that over 700 pages of emails and 550 email addresses could be found through an online search.
Personal data describing the experiences and feelings of 24 beneficiaries was freely available. In addition, special category personal data concerning the mental and physical health and sexual orientation of a further 15 beneficiaries, which is afforded particular protection in data protection law, was publicly available as a result of the breach. All of this information remained publicly accessible for nearly three years.
The ICO took a firm approach with Mermaids. In its investigation, the ICO identified complacency within the charity both as to the requirement to keep personal data secure and as to the need to train its staff in data protection practices.
The ICO also criticised Mermaids for failing to update its policies following the implementation of the UK GDPR and wider societal conversations surrounding gender identity.
Whilst Mermaids has since taken significant steps to improve its practices and co-operated fully with the investigation, the ICO still found the breaches sufficiently serious to warrant a fine of £25,000. In imposing a fine of this size, the ICO is sending a clear message to the sector that it will not take a lenient approach to enforcement simply because the organisation concerned is a charity.
This case serves to act as a reminder to all charities, in particular those dealing with sensitive or special category personal data, that it is their duty to:
- protect the personal data they control;
- continue to review and update their data protection policies and procedures taking account of fresh guidance and best practice; and
- keep staff appropriately trained to minimise the risk of data protection breaches.
Wrigleys can support you with your data protection obligations. If you have any questions or we can assist, please contact Nick Dunn or any other member of Wrigleys' data protection team on 0113 244 6100.