A transgender charity has been fined £25,000 by the Information Commissioner’s Office (ICO) for failing to keep the personal data of its users secure.

An investigation into Mermaids was launched after the ICO received a data breach report from the charity. The breach was related to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019.

The investigation revealed the group was created with insufficiently secure settings and meant that around 780 pages of confidential emails could be viewed online for almost three years.

This meant the personal information, such as names and email addresses, of 550 people were searchable online.

The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held.

Steve Eckersley, director of investigations at ICO, said: “The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

“As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”

During the investigation the ICO discovered Mermaids had a negligent approach towards data protection, with inadequate policies and a lack of training for staff. However, the ICO confirmed the charity cooperated fully with the investigation and has made improvements to its data protection practices since becoming aware of the security breach.

In response to the investigation, Belinda Bell, chair of trustees at Mermaid, said: “We take full responsibility for this data breach and thank our supporters for their solidarity and understanding at a difficult time.

“We are grateful to the ICO for taking into account our prompt remedial action and for balancing the size of its fine against our need to continue supporting service users, whilst protecting charitable donations made by our many generous supporters.

“The safety and security of our service users is paramount and we fully accept that an honest but significant mistake was made a number of years ago, and we are determined to ensure that Mermaids continues to fulfil its obligations regarding safe data management with the utmost diligence.”

“All complaints from the data subjects affected have now been resolved and we would like to repeat our apology for this isolated lapse in data security,” Bell’s statement added.