The case highlights the need for charities (and indeed all organisations) to know what information they hold, where it is stored, and how it is secured, no matter when it was first created. It also highlights the importance of keeping records of decisions in order to demonstrate compliance.
This particular case concerned an email group set up by the charity in 2016, the contents of which were found in 2019 to be accessible to the public through an internet search.
The email group in question was set up using an internet-based email group service (groups.io), operated by a company based in the US. Its purpose was to allow the sharing of emails between the CEO and the trustees, and its use included forwarding emails received from service users.
The charity stopped using the group in July 2017, but the emails remained, with the group's privacy setting left at public viewing. This meant that the group was listed in the groups.io search directory, and in 2019 a journalist was able to find, access and view the emails within the group.
Mermaids is a support group for parents of children who are experiencing gender incongruence. The accessible emails contained the personal data of approximately 550 individuals, 24 of whom were classified as 'high risk' because of the information that had been shared. 15 of those 24 records also contained special category personal data relating to health.
The charity was found not to have implemented appropriate technical and organisational measures to protect the personal data within the email group. The lack of records from the time the group was set up meant it was not clear whether the public setting was a deliberate choice (to make access easier for members) or an oversight. Either way, the emails should not have remained accessible in the way that they did. The ICO found that the contravention was not deliberate but was likely to have been negligent.
Other factors considered by the ICO when deciding to impose a fine included:
Interestingly, the ICO took the view that whether the journalist 'stumbled across' the information, or found the group only through a targeted, precise and unusual search syntax, was not relevant to whether a fine was appropriate.
The ICO also found that the nature of the contravention was not affected by whether anyone else had accessed the data. This was likely because of the sensitivity of the data itself and the difficulty of establishing who had viewed it. The charity had taken steps to find out whether the emails had been accessed by third parties, but had not been able to obtain that information.
Charities often deal with the most vulnerable people in society, so a higher level of security is often required to protect those individuals' personal data. What this case highlights is the need for an organisation to understand where all of its personal data is stored, how it is stored, and who has access to it.
Before the GDPR, the data protection regime was less prescriptive, so record keeping was probably not as detailed as it is now. That is not, however, an excuse for holding personal data today that is not stored securely.