Last week, the ICO fined the charity Mermaids £25,000 for failure to implement an appropriate level of organisational and technical security measures, in contravention of its obligations under Articles 5(1)(f) and 32(1) and (2) of the UK GDPR.

While this is another example of the ICO fining for data breaches, it is interesting because the breach was due to a failure to set appropriate security settings rather than an external cyber-attack. It also reminds organisations of all sizes and in all sectors that the ICO is not only targeting the deep pockets of multi-nationals.

What happened?

Mermaids is one of the UK’s leading LGBTQ+ charities whose work focuses on supporting transgender, nonbinary and gender-diverse children and young adults and their families and professionals involved in their care.

On 14 June 2019, the charity was notified by a service user that internal emails containing personal data (which, in some cases, included special category data) were publicly available online and had been for nearly three years. Mermaids reported the incident to the ICO on the same day and shortly after reached out to Google and Archive.li to request the deletion of various archived versions of the data.

The message threads contained personal data like names, email addresses, job titles and employer names and consisted of general discussions about the charity’s activities. However, they also contained more sensitive conversations about transgender issues and the personal experiences of certain data subjects with them (including special category data such as details of their mental or physical health, sex life or sexual orientation).

Given the sensitive nature of the data and Mermaids’ important support work, the charity’s failures, which the ICO established to be negligent, involved a high risk of damage or distress to the data subjects (some of whom were children and/or vulnerable persons).

After becoming aware of the personal data breach, Mermaids established that this was due to the security settings selected for the email group service (“Group listed in directory, publicly viewable messages”), which were acutely inappropriate and insecure.

In its investigation of the breach, the ICO noted that there was no record of how and why such settings had been adopted and that consideration should have been given to pseudonymisation or encryption of data.

The ICO also found that the charity’s approach to data protection training and compliance in the wake of the GDPR coming into effect in 2018 was lacking. The monetary penalty notice states that “[a]ll Mermaids staff and volunteers received mandatory data protection training in December 2018, which is updated annually, however, the ongoing contraventions were not identified by anyone at Mermaids during the period of operation of the insecure email system, which demonstrates that the training was inadequate and/or ineffective”.

Lessons to learn

The Mermaids breach, and the ICO’s monetary penalty notice, act as a useful reminder to organisations of the importance of carefully selecting security settings, particularly where sensitive personal data is involved, and that:

  • Recovering leaked personal data may not be a straightforward process and often requires engagement with third parties like Google and Archive.li to find all cached copies of the data.
  • Record keeping is key – while organisations may not always be flawless in their decision-making on data protection matters, the ICO does expect there to be evidence, and an explanation, of why a particular decision was made.
  • Training alone is not sufficient – the training must be adequate and effective. The ICO cited the fact that no member of staff had identified the email security issue as evidence that the training given by Mermaids was inadequate.
  • Under the UK GDPR, while infringements of the obligations relating to the security of processing (Article 32) are subject to the 2% fine threshold, infringements of the basic principles of processing, one of which covers security, integrity and confidentiality (Article 5) can receive the higher penalty rate of 4%. Mermaids’ £25,000 fine amounts to nearly 2.8% of its income for 2020 and therefore sits somewhere in between.

In crude numerical terms, this latest fine from the ICO pales in comparison with its recent decisions on the British Airways and Marriott breaches, but it is significant because it demonstrates that the ICO will not look kindly on organisations, including charities, which do not put appropriate safeguards in place to protect the personal data that has been entrusted to them.