• Contact Us

Charity Fined by ICO for Not Implementing Proper Security Measures

on Monday, 06 September 2021.

In July 2021, registered charity Mermaids was fined £25,000 by the Information Commissioner's Office (ICO) for failing to implement an appropriate level of organisational and technical security to one of its internal email systems.

The case highlights the need for charities (and indeed all organisations) to ensure that they know what information they hold, where it's stored, and how it is secured - no matter when it was first created. It also highlights the importance of keeping records of decisions to demonstrate compliance.

Accessible Emails

This particular case concerned the accessibility of emails set up by the charity in 2016, which were found to be accessible to the public through an internet search in 2019.

The email group in question was set up using an internet-based email group service (groups.io), which is overseen by a company based in the US. The purpose was to allow the sharing of emails between the CEO and trustees, and its use included forwarding emails from service users.

The charity ceased using the group in July 2017, but the emails remained, with the security setting set to public viewing. This meant that the group was listed in the Groups.IO search directory, and in 2019, a journalist was able to find, access and view the emails within the group.

Mermaids is a parental support group for parents with children who are experiencing gender incongruence. The emails that were accessible contained personal data of approximately 550 individuals, with 24 of those being classified as 'high risk' because of the information that had been shared. 15 of those 24 also contained special category personal data related to health.

How Did the ICO Determine a Fine?

The charity was found not to have implemented appropriate technical and organisational measures to protect the personal data within the email group. The lack of records from the time when the group was set up meant that it was not clear whether the setting choice was deliberate (to facilitate access by the members), or an oversight. However, this didn't change the fact that they should not have remained accessible in the way that they did, and the ICO found that the action was not deliberate, but likely to be negligent.

Other factors considered by the ICO when deciding to implement a fine included:

  • the considerable risk of prejudice, distress, damage and harm that could have been caused to the individuals whose data appeared in the emails
  • the duration of the infringement - from 2017 to 2019
  • the high profile of the charity in recent years, which increased the risk of it being a target
  • the prompt action taken by the charity - which included removing access to the emails, undertaking training, and employing specialist third parties to assist with ongoing compliance

Interestingly, the ICO felt that the question of whether the journalist 'stumbled across' the information, or the group was found following a targeted, precise and unusual syntactical search was not relevant to the question of whether a fine was appropriate.

The ICO also found that the nature of the contravention was not affected by the question of whether anyone else had accessed the data. This was likely because of the nature of the data itself, the sensitivity of it, and the difficulty of establishing this. The charity had taken steps to ascertain whether the emails had been accessed by third parties, but the charity had not been able to obtain this information.

Lessons to Be Learned

Charities often deal with the most vulnerable in society, and therefore a higher level of security is often required when protecting the personal data of those individuals. What this case highlights is the need to ensure that the organisation understands where all of its personal data is stored, how it is stored, and who has access.

Pre-GDPR, the data protection regime was not as focused, and so it is likely that record keeping was not as detailed as it is now. However, that is not an excuse for holding personal data today that is not stored securely.

Recommendations for Your Charity

  • Ensure that, as an organisation, you know what data you have, where it is, and what security measures are applied.
  • Don't forget about historic data that you hold.
  • Keep data security under review - what was considered reasonable and appropriate in 2015 is unlikely to be reasonable and appropriate in 2021.
  • Remember that the appropriate level of security to attach depends upon the type of data, the likely harm unauthorised access might cause, and the effect on individuals.

For legal support with security measures for your charity, please contact Vicki Bowles in our Information Law team on 0117 314 5672, or please complete the form below.

Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input