Trans charity Mermaids fined after publishing parents' emails online

Transgender charity Mermaids is fined £25,000 after chief executive published hundreds of emails from parents discussing their children’s transitions

  • Mermaids CEO Susie Green uploaded emails from parents to a public website
  • Data of 550 people was shared online as site had insufficient security settings
  • This included data belonging to children and their parents who used the charity
  • Details including discussions over how they were coping and their treatment as well as how they choose to identify were all publicly accessible online until 2019 
  • The ICO fined the charity £25,000 for failing to protect personal data of users

A leading trans charity has been fined £25,000 after its chief executive published deeply personal emails from parents worried about their children’s transition.

Mermaids boss Susie Green had set up an email group online which mistakenly had insufficient security settings, meaning the exchanges were publicly accessible to anyone.

The emails were reportedly sent in strictest confidence from parents whose children were struggling with their sex change.

One included the experience of a mother whose trans son – born a girl – used to wet himself on purpose so that the nursery would provide him with boys’ clothes.

In total, data belonging to 550 people, not all of whom were service users, was shared in the email exchanges from August 2016 until July 2017 when the email group was decommissioned.

The charity works with about 500 youngsters and 1,400 parents and educates schools about homophobic, biphobic and transphobic bullying. 

As well as disclosing intimate details about the trans children’s treatment, parents’ telephone numbers, names and email addresses were also searchable on the web.

The site, which is hosted by a third party to allow organisations to share and archive emails, was made private as soon as the charity became aware of the data breach and it referred itself to the Information Commissioner’s Office.

According to the ICO, of the 550 people involved in the breach, personal data of 24 of them related to sensitive details including how they were coping and feeling.

A further 15 were classified as ‘special category’ data because it related to mental and physical health as well as sexual orientation. 

Four of them were children aged under 13 at the time the breach was discovered. 

The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered using pseudonyms or encryption to add an extra layer of protection to the personal data it held. 

In a 30-page report, the ICO found that although it was an internal email group, parents’ emails had been forwarded between the charity and its trustees.

Steve Eckersley, Director of Investigations, said: ‘The very nature of Mermaids’ work should have compelled the charity to impose stringent safeguards to protect the often vulnerable people it works with.

Leeds-based charity Mermaids was founded in 1995

‘Its failure to do so subjected the very people it was trying to help to potential damage and distress and possible prejudice, harassment or abuse.

‘As an established charity, Mermaids should have known the importance of keeping personal data secure and, whilst we acknowledge the important work that charities undertake, they cannot be exempt from the law.’

During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff.

Given the implementation of the UK GDPR as well as the wider discussion around gender identity, the ICO found that the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights.

According to Mermaids’ confidentiality policy, any staff member who discloses private client information risks ‘termination of your employment, or other corrective action.’

It adds that confidentiality is a ‘basic component of client care and business ethics’ and violating it could ‘also damage your relationship with the client and make it difficult to help the person.’

Ms Green, a former IT consultant who has served as CEO since 2016, took her own child to Thailand aged 16 for genital surgery as the minimum age in the UK is 18.

Her daughter Jackie was born a boy – Jack – and her struggles with the transition partly inspired the ITV drama Butterfly which aired in 2018. 

In response to the fine, the charity’s chair of trustees Belinda Bell said: ‘We take full responsibility for this data breach and thank our supporters for their solidarity and understanding at a difficult time.

‘The safety and security of our service users is paramount and we fully accept that an honest but significant mistake was made a number of years ago, and we are determined to ensure that Mermaids continues to fulfil its obligations regarding safe data management with the utmost diligence.

‘This historical data breach was brought to our attention in June 2019, at which point we immediately reported the incident to the ICO and cooperated fully to ensure issues regarding our systems and processes were addressed as a matter of the highest importance.

‘The Charity Commission, in communication with the ICO, has stated it has no further regulatory concerns.

‘The charity engaged an external data consultant to address issues raised, and their report confirms that no wider issues were identified.

‘The charity also instructed an information technology security auditor to carry out a review of the incident. In addition, a full safeguarding audit has been completed this year.

‘All complaints from the data subjects affected have now been resolved and we would like to repeat our apology for this isolated lapse in data security.’
