ICO fines transgender charity for data breach
Some of this personal information was found to be sensitive as it revealed how the person was coping and feeling and some was classified as “special category data”, as it included information on mental and physical health and sexual orientation.
The ICO’s investigation
The ICO began investigating the charity in 2019 after receiving a data breach report from the charity itself. The breach related to an internal email group the charity set up and used from August 2016 until July 2017. The data remained available online until 2019, when the charity eventually became aware of the breach after being notified by a user. The group had been created with insufficient security settings, which meant that almost 780 pages of confidential emails could be viewed online for nearly three years.
The gravity of the offence was taken into account by the ICO when setting the fine. The topic of gender incongruence is still regarded as controversial, and the fact that a child or adult may be experiencing gender incongruence is a sensitive matter which can lead to increased vulnerability. The Commissioner considered that the data about gender incongruence was sensitive in its context.
The penalty was issued under Articles 5(1)(f) and 32(1) and (2) of the UK GDPR, as the charity had failed to apply appropriate technical and organisational measures to its internal email systems, contravening its obligations under the UK GDPR.
The ICO’s Director of Investigation said “the very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with. Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.
As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.”
In its investigation of the breach, the ICO noted that there was no record of how and why the group's settings had been adopted, and that consideration should have been given to pseudonymisation or encryption of the data, either of which would have offered an extra layer of protection to the personal data.
The ICO also found that the charity’s approach to data protection training and compliance with GDPR was lacking.
What can we take away from this case?
This is an interesting case, as in most instances the ICO has fined institutions for breaches caused by external cyber-attacks, as opposed to a failure to apply appropriate access settings, as here. The case acts as a stark reminder to organisations of the need to select security and access settings carefully, to review them periodically, and to record why they were chosen. In addition, organisations must put in place adequate and effective training for their staff, as written policies alone are rarely sufficient.
Whilst the penalty issued by the ICO may appear insignificant compared with the recent fines imposed on household names such as British Airways and Marriott, it is a reminder to organisations of all kinds and sizes that the ICO will not only target multinationals but is ready to fine smaller organisations, including charities, which do not adequately safeguard the personal data they process.