ICO (UK) - Mermaids
ICO (UK) - Mermaids | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR Article 32(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 05.07.2021 |
Published: | 08.07.2021 |
Fine: | 25000 GBP |
Parties: | Mermaids |
National Case Number/Name: | Mermaids |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | Information Commissioner's Office (in EN) |
Initial Contributor: | n/a |
The UK DPA fined a children's charity approximately €29,250
for infringing Article 5(1)(f), 32(1) and 32(2) GDPR. Internal emails containing special category data sent by Mermaids, a charity supporting gender non-conforming children and their families, were publicly available online for over a year.
English Summary
Facts
Mermaids is a registered charity supporting children, young people and their families in relation to gender non-conformity.
In 2016, Mermaids created an internet-based email group service at https://groups.io, overseen by a third party in the USA. This email group was intende to be shared between the CEO of Mermaids and 12 trustees. The default security and privacy settings were left in place, including "Group listed in directory, publicly viewable messages".
Mermaids was notified in 2019 by a user of the charity that internal emails, sent using the groups.io email group service, were publicly available online and were searchable through search engines. These contained personal data, including special category data. The service user, who's child is gender non-conforming, was made aware that her child's name, "dead name", date of birth, mental and physical health were available online, as well as the mother's name, telehpone number and address.
Overall, 780 pages of confidential emails were available online. This corresponded to 550 data subjects. 15 data subjects had special category data concerning them made available online (mental or physical health; sex life; sexual orientation) and 9 data subject's personal data was considered sensitive in the context. Of these 24 data subjects, 4 were 13 years old or under.
Mermaid notified the ICO on the day it was told about this.
Dispute
Holding
The Information Commissioner's Office (ICO) considered that Mermaids processed emails on an email group without appropriate restricted access settings. Due to this failure, third parties could gain unauthorised access to emails containing personal data, including special category data. The ICO deemed this in contravention of the principe of integrity and confidentiality (Article 5(1)(f) GDPR)
The ICO also considered that Mermaid failed to satisfy its obligations under Articles 32(1) and 32(2) GDPR. It did not have adequate security measures in place to protect the email group affected. As a consequence, special category data was publicly accessible online for over a year between 2018 and 2019.
The ICO considered various factors that aggravated the violation in order to assess whether a penalty was appropriate. Accordingly, the ICO highlighted the sensitive nature of the publicly available personal data (special category data: gender and health data). It also assessed the gravity of the matter. In relation to this, it deemed that Mermaids' failures increased the vulnerability of the people who's special category data and personal data was made publicly available. The risk of damage or distress for gender non-conforming children was considered particularly high due to discrimination and prejudice. The ICO also took into consideration the types and number of data subjects (some children) affected and the fact that this concerned special category data or sensitive data in context.
The ICO found that Mermaids' general data protection policies were also inadequate. The staff lacked adequate training and insufficient safeguards were put in place to protect young vulnerable data subjects.
Since the discovery of the leak, the ICO found that Mermaids has taken proactive steps to remedy the infringement and mitigate the adverse consequences. For example, it immediately adjusted its groups.io privacy settings. It informed individual affected and hired a data protection consultant for additional support to address its failings and look into the organisation's data protection policies.
With these considerations in mind, the ICO imposed a fine of approximately €29,250 on Mermaids for its violation of Article 5(1)(f), Article 32(1) and Article 32(2) of the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
ICO. Information Commissioner'sOffice DATA PROTECTION ACT 2018 (PART 6, SECTION 155) SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENALTY NOTICE TO: Mermaids OF: Main Office, Suite 4, Tarn House, 77 the High Street, Yeadon, Leeds, LS19 7SP; London Office, Office 3, 63 Charterhouse Street, London, EClM 6HJ 1. Mermaids is Registered Charity Number 1160575. 2. The Information Commissioner ("the Commissioner") has decided to issue Mermaids with a Penalty Notice under section 155 of the Data Protection Act 2018 ("the DPA"). This penalty notice imposes an administrative fine on Mermaids, in accordance with the Commissioner's powers under Article 83 of the General Data Protection Regulation 2016 ("the GDPR"). The amount of the monetary penalty is £25,000. 3. This penalty has been issued because of contraventions by Mermaids of Articles 5(l)(f) and 32(1) and (2) of the GDPR in that during the period of 25 May 2018 to 14 June 2019 Mermaids failed to implement an appropriate level of organisational and technical security to its internal email systems, which resulted in documents or emails containing personal data, including in some cases relating to children and / or including in some cases special category data, being searchable and viewable online by third parties through internet search engine results. 1 ICO. Information Commissioner'sOffice In the interests of clarity, 25 May 2018 is the date on which the GDPR became applicable in all member states, including the United Kingdom ("the UK"), and 14 June 2019 is the date on which the controller took steps to secure the email group in question. 4. This Monetary Penalty Notice explains the Commissioner's decision, including the Commissioner's reasons for issuing the penalty and for the amount of the penalty. Legal framework for this Monetary Penalty Notice Obligations of the controller 5. Mermaids is a controller for the purposes of the GDPR and the DPA, because it determines the purposes and means of processing of personal data (GDPR Article 4(7)). 6. 'Personal data' is defined by Article 4(1) of the GDPR to mean: information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 7. 'Processing' is defined by Article 4(2) of the GDPR to mean: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction 2 ICO. Information Commissioner'sOffice 8. Article 9 GDPR prohibits the processing of 'special categories of personal data' unless certain conditions are met. The special categories of personal data subject to Article 9 include 'data concerning health or data concerning a natural person's sex life or sexual orientation'. 9. Controllers are subject to various obligations in relation to the processing of personal data, as set out in the GDPR and the DPA. They are obliged by Article 5(2) to adhere to the data processing principles set out in Article 5(1) of the GDPR. 10. In particular, controllers are required to implement appropriate technical and organisational measures to ensure that their processing of personal data is secure, and to enable them to demonstrate that their processing is secure. Article 5(l)(f) stipulates that: Personal data shall be[. ..] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures 11. Article 32 ("Security of processing") provides, in material part: 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 3 ICO. Information Commissioner'sOffice (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. The Commissioner's powers of enforcement 12. The Commissioner is the supervisory authority for the UK, as provided for by Article 51 of the GDPR. 13. By Article 57(1) of the GDPR, it is the Commissioner's task to monitor and enforce the application of the GDPR. 14. By Article 58(2)(d) of the GDPR the Commissioner has the power to notify controllers of alleged infringements of GDPR. By Article 58(2)(i) she has the power to impose an administrative fine, in accordance with Article 83, in addition to or instead of the other corrective measures referred to in Article 58(2), depending on the circumstances of each individual case. 15. By Article 83(1), the Commissioner is required to ensure that administrative fines issued in accordance with Article 83 are effective, proportionate, and dissuasive in each individual case. Article 83(2) goes on to provide that: 4 • ICO. Information Commissioner'sOffice When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: (a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and ifsoto what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and 5 • ICO. Information Commissioner'sOffice (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement. 16. The DPA contains enforcement provisions in Part 6 which are exercisable by the Commissioner. Section 155 of the DPA ("Penalty Notices") provides that: (1) If the Commissioner is satisfied that a person (a) has failed or is failing as described in section 149(2) ... the Commissioner may, by written notice (a "penalty notice"), require the person to pay to the Commissioner an amount in sterling specified in the notice. (2) Subject to subsection (4), when deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must have regard to the followingso far as relevant- (a) to the extent that the notice concerns a matter to which the GDPR applies, the matters listed in Article 83(1) and (2) of the GDPR. 17. The failures identified in section 149(2) DPA 2018 are, insofar as relevant here: (2) The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following- (a) a provision of Chapter II of the GDPR or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing); .., 6 ICO. Information Commissioner'sOffice (c) a provision of Articles 25 to 39 of the GDPR or section 64 or 65 of this Act (obligations of controllers and processors)[. ..] Factual background to the incident 18. The origins of Mermaids lie in a parents' support group formed by parents whose children were experiencing gender incongruence. It was registered in 1999 with the Charity Commissioner. Mermaids was incorporated as a registered charity in 2015 and offers support to children, young people and their families in relation to gender non conformity. 19. On 15 August 2016, which is the date on which the email group of relevance to the contraventions set out in this notice was created, the Chief Executive Officer ("the CEO") was at that date the only paid staff member at Mermaids. On 14 June 2019, Mermaids were notified by a service user of the charity that internal emails containing personal data were publicly available onlinMermaids contacted the Commissioner later that day to report the concerns. On 17 June 2019, the CEO telephoned the Commissioner to update her and sent a follow up email detailing the remedial steps which Mermaids had taken. Contraventions of Articles S(ll(fl, 32(1) (2) of the GDPR 20. In regard to the principle of integrity and confidentiality under Article (5)(l)(f) of the GDPR, the Commissioner considers that emails were processed by Mermaids on an email group without Mermaids applying the appropriate restricted access settings. If the appropriate security access settings had been applied, then access would have been restricted to approved members of the group only and it would not have been possible for third parties to gain unauthorised access 7 ICO. Information Commissioner'sOffice through the internet to the emails containing personal data, in some cases concerning children and/ or in some cases containing special category data, in the period 25 May 2018 to 14 June 2019. In the interests of clarity, 25 May 2018 is the date on which GDPR became applicable in all member states, including the UK, and 14 June 2019 is the date on which the controller took steps to secure the email group in question. 21. In regard to the requirement under Articles 32(1) and (2) of the GDPR to implement a level of security appropriate to the risk when processing data, the Commissioner considers that Mermaids failed to have adequate security measures in place to ensure the appropriate security for personal data in the period 25 May 2018 to 14 June 2019. The email group did not have the appropriate restricted access settings applied to it and therefore the personal data including the special category data were accessible to third parties. Consideration should have been given to pseudonymisation or encryption of the data, either of which would have offered an extra layer of protection to the personal data. Taking such a step may have reduced the opportunity for the emails to be placed at risk in circumstances where Mermaids' organisational memory had failed to account for the existence of the dormant email group after it stopped being used on 21 July 2017. For the avoidance of doubt, the Commissioner has concluded that the nature and gravity of the contraventions are unaffected by the unanswered question as to whether the journalist and third party stumbled across the data by accident or by any possibility, however remote, that individuals deliberately set out to find the information by using a precise and unusual syntactical search. Further, it is considered by the Commissioner that the nature of the contraventions is unaffected by the unanswered question as to the extent to which any other third party or parties accessed the data. 8 ICO. Information Commissioner'sOffice 22. The contraventions by Mermaids between 25 May 2018 and 14 June 2019 involved personal data which in some cases included special category data and/ or data which was sensitive in its context. The incident involved data which in many cases belonged to children and/ or vulnerable individuals. It involved a large group of 550 data subjects and around 24 data subjects whose data was sensitive in its context and/ or belonged to children and/ or belonged to vulnerable individuals. It has been confirmed in the course of Representations that of those 24 data subjects whose data could be said to be sensitive in context, and/ or belonged to children or vulnerable individuals, 15 of the data subjects had special category data accessible. The sensitive nature of the data which was accessible to third parties means that the contraventions necessarily involved significant damageand/ or distress to the data subjects, whether or not it was also special category data. The Commissioner has not taken account of any contraventions which may have occurred between 15 August 2016 (i.e., the date of creation of the email group) and 25 May 2018 but has had regard to how the failure first arose and persisted. The Commissioner considers the contraventions to have been negligent. Notice of Intent 23. On 19 March 2021, in accordance with s.55(5) and paragraphs 2 and 3 of Schedule 16 DPA 2018, the Commissioner issued Mermaids with a Notice of Intent to impose a penalty under s.155 DPA 2018. The Notice of Intent described the circumstances and the nature of the personal data in question, explained the Commissioner's reasons for a proposed penalty, and invited written representations from Mermaids. 9 ICO. Information Commissioner'sOffice 24. On 20 April 2021, Mermaids provided written representations in respect of the Notice, together with a supporting document. 25. On 17 May 2021 the Commissioner held a 'representations meeting' to thoroughly consider the representations provided by Mermaids. Factors relevant to whether a penalty is appropriate, and if so, the amount of the penalty 26. The Commissioner has considered the factors set out in Article 83(2) of the GDPR in deciding whether to issue a penalty. For the reasons given below, she is satisfied that (i) the contraventions are sufficiently serious to justify issuing a penalty in addition to exercising her corrective powers; and (ii) the contraventions are serious enough to justify a significant fine. 27. In regard to the amount of the penalty, the Commissioner has considered the following facts: Mermaids' total income rose from 1 £317,580 in the year ending 31 March 2018 , to £715,330 in the year ending 31 March 2019, to £902,440 in the year ending 31 March 2020. The Commissioner is mindful that the penalty must be effective, proportionate and dissuasive. (al the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as 1 https://register-of-charities.charitycommission.gov.uk/charity-search/-/charity-details/5054976/financial history 10 ICO. Information Commissioner'sOffice well as the number of data subjects affected, and the level of damage suffered by them 28. Nature: The CEO set up an internet-based email group service at https: /groups.io, which is overseen by a third party based in the United States of America ("the USA"). In particular, the CEO created Generalinfo@Groups.IO so that emails could be shared between the CEO and the 12 trustees. An absence of records relating to the creation of the group and the controls that were considered at that time has meant that it has been impossible to establish exactly how the group service was set up, and therefore how the incident originated. The CEO is unable to recall whether the emails were left accessible deliberately to facilitate a general discussion or whether it was an oversight not to select a more secure option and to leave a default security setting in operation. However, after being made aware that the emails were accessible, Mermaids established that the default setting for security and privacy on the Groups.IQ internet-based email service provided, "Group listed in directory, publicly viewable messages," which was an insecure and inappropriate setting. Alternative settings available to users of the email service were, "Group not listed in directory, publicly viewable messages,", "Group listed in directory, private messages," and, "Group not listed in directory, private messages," which, if selected, may have provided more appropriately secure settings. 29. The Groups.IQ internet-based email group service was in active use by Mermaids from 15 August 2016 to 21 July 2017. After it became dormant it nevertheless continued to hold emails. Mermaids' failure to implement appropriate security settings meant that the email group was listed in the Groups.IQ search directory and was indexed on large search engines such as Google. In addition to communications 11 ICO. Information Commissioner'sOffice between the trustees, the emails included some forwarded emails from Mermaids' service users. Mermaids failed to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data, including in some cases relating to children and/ or including in some cases special category data, being searchable and viewable online by third parties through internet search engine results. Mermaids was unaware that it had failed to implement an appropriate level of security or that personal data of its service users was searchable and viewable online by third parties. 30. The last email on the Groups.IQ service was sent on 21 July 2017. Nevertheless, the email group remained live and the emails remained publicly visible on the Groups.IQ website until remedial actions were taken in June 2019. 31. On 14 June 2019, a service user of the charity, who was the mother of a gender non-conforming child, informed the CEO that she had been called by a journalist from the Sunday Times, who had told her that her personal data could be viewed online. The journalist had informed the parent that by searching online he could view confidential emails, including her child's current name, the child's "dead name", the date of birth, the mother's maiden name and married name, her employer's address, her mobile telephone number and details of her child's mental and physical health. On the same day, Mermaids received pre-publication notice from the Sunday Times that the emails were accessible online and the newspaper would be publishing an article about the incident. Mermaids are understood to have taken immediate steps to block access to the email site before the newspaper report of the incident was published. 12 ICO. Information Commissioner'sOffice 32. Gravity: The topic of gender incongruence is still regarded, by many commentators and members of the public, to be controversial, and the fact that a child or adult may be experiencing gender incongruence is a sensitive issue which can lead to increased vulnerability. The Commissioner considers that the likely increased vulnerability of a data subject in turn increases the risk of damage or distress being caused to the data subject by any data contravention that reveals that an individual is seeking information about, or support for, gender incongruence. The Commissioner considers that the data about gender incongruence was sensitive in its context. The Government ran a consultation on reform of the Gender Recognition Act 2004 between July and October 2018, which generated widespread public interest in and debate about gender incongruence. Groups supporting transgender rights and people experiencing gender incongruence may be at a higher risk of experiencing prejudice, harassment, physical abuse or hate crime. According to the Home 2 Office Hate Crime report published on 15 October 2019 , transgender identity is the least commonly recorded hate crime, however, in 2018 it increased by 37%. The large percentage increase may be due to the relatively small number of transgender identity hate crimes of 2,333 during the 2018-2019 period, improvements by the police in identifying and recording such crimes, more people coming forward to report the crimes, or a genuine increase in transgender hate crimes. The Commissioner has had regard to such risks when considering the potential harm that may be caused to affected data subjects. 33. In regard to 15 data subjects, the emails included special category data, such as details of the data subject's mental or physical hate-crime-1819-hosb2419.pdfrvice.gov.uk/government/uploads/system/uploads/attachment_data/fi le/839172/ 13 ICO. Information Commissioner'sOffice health and/ or sex life and/ or sexual orientation, with a further 9 data subjects whose data could be classified as sensitive in context. Four of those 24 data subjects were aged 13 or under in June 2019 and therefore must have been aged 12 or under in the period between 25 May 2018 and 14 June 2019. 35. Duration: The Commissioner has been unable to confirm the exact duration of the contraventions. However, given the age of some of the data, she is satisfied that it has been occurring, to some extent, since at least 25 May 2018, and she has not considered any contravention prior to this date, which would fall to be considered under the previous data protection regime. The Commissioner considers that Mermaids was in contravention of the GDPR from the date on which it came into force on 25 May 2018 until the issue was remedied by 14 June 2019. 36. Number of data subjects affected: The Commissioner understands that around 780 pages of confidential emails were visible online, which included sensitive data relating to gender incongruence and personal data relating to 550 data subjects, such as name, email address, job title, or employer's name. 37. Damage: It has not been possible to establish whether or not the data which was exposed online was accessed by third parties other than the Sunday Times journalist. Two data subjects, a mother and a child, 14 ICO. Information Commissioner'sOffice made complaints to Mermaids about the contraventions. The Commissioner also received two complaints. 38. It is reported that 550 emails were accessible and could be viewed online from August 2016 until 14 June 2019. They contained personal data such as names, emails address, job title, employer's name which identified individuals and their connection with the transgender charity. It can be inferred that the individuals whose email addresses were on the group are users of Mermaids, who are a transgender charity, that their data would be sensitive data in context. Most of the email threads contained general discussions, for example, concerning fundraising, arranging attendance at conferences and advice about anti-bullying, and the data subjects were open about their connection with Mermaids. Twenty-four emails have been identified by Mermaids as being of a higher risk, containing more sensitive details within conversations between the CEO, stakeholders and subscribers of Mermaids and included discussions of transgender issues and how the data subjects were feeling and coping with their experiences. Four of these emails related to data subjects who were aged 13 or under as of June 2019. With the introduction of the GDPR, children should be afforded more protection in relation to their data. 39. If someone had accessed the email group online there would have been sufficient available identifying data to potentially "out" the data subject, removing any choice and infringing their privacy. 40. Due to the nature of the services offered by the Mermaids charity, being an organisation who offer support to transgender individuals, the Commissioner expected them to ensure stringent safeguards were in place to protect service users and their personal data. Mermaids received four complaints from former trustees and two from service users. All 15 ICO. Information Commissioner'sOffice complaints have been resolved. (bl the intentional or negligent character of the infringement 41. By 25 May 2018, Mermaids was a well-established significant charity and should have implemented appropriate measures to ensure that personal data was safeguarded, particularly since the data in some cases related to vulnerable children and/ or vulnerable adults and/ or included special category data and/ or a significant proportion of data was sensitive in its context. In the period 25 May 2018 to 14 June 2019, there was a negligent approach towards data protection at Mermaids, data protection policies were inadequate and there was a lack of adequate training, including a lack of face-to-face training, on data protection. Following the introduction of the GDPR, Mermaids' data protection policies had not been updated to ensure compliance. Safeguards should have been in place to protect the young and/ or vulnerable data subjects who had used or were using the charity's services, particularly given the probability that personal data controlled or processed by Mermaids would include special category data and/ or data which was sensitive in its context. 42. The Commissioner considers that the contraventions were not deliberate, although there is an element of negligence as the CEO created the email group with the least secure settings in error. This was compounded by the fact the CEO, not nor any other person associated with the charity, did not correctly close down the email group, thereby leaving it accessible, albeit dormant. 16 ICO. Information Commissioner'sOffice (cl any action taken by the controller or processor to mitigate the damage suffered by data subjects 43. As soon as Mermaids were made aware, by the service user, that the email group was accessible, the charity immediately took the email group down and took proportionate action to ensure any data collected was removed from any archive website. - (dl the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32 45. All Mermaids staff and volunteers received mandatory data protection training in December 2018, which is updated annually, however, the ongoing contraventions were not identified by anyone at Mermaids during the period of operation of the insecure email system, which demonstrates that the training was inadequate and/ or ineffective. 46. The CEO of Mermaids created the email group with the least secure settings. Even though it was created in 2016 which would have been covered by the Data Protection Act 1998, the group remained live and accessible until June 2019, with the same settings that were applied on its creation in 2016. The settings were the least secure and allowed access to the email group and the contents of the emails were 17 ICO. Information Commissioner'sOffice viewable online. When the use of the email group ceased there was no clear documentation to demonstrate how it was created or decommissioned. The email group remained dormant but accessible and appears to have been forgotten. 47. In addition to the change in data protection legislation such as the introduction of the GDPR, the Government consultation concerning the Gender Recognition Act 2004 ("GRA") and associated public debate on gender incongruence should have prompted Mermaids to re-visit their policies and procedures to ensure appropriate measures were in place to protect individuals' privacy rights. (el any relevant previous infringements by the controller or processor 48. The Commissioner is unaware of any previous data protection infringements by Mermaids. (fl the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement 49. Mermaids were co-operative and replied to the enquiries promptly. They employed both solicitors and a data protection consultant to review the incident and to oversee any remedial action. Mermaids also instructed a specialist media law firm on 14 June 2019. They received four complaints from former trustees and two from service users - all of which have been concluded. 50. Mermaids immediately adjusted the settings on the Groups.IQ website so that the data was no longer accessible to third parties. 18 ICO. Information Commissioner'sOffice Mermaids staff began reviewing all the emails which had been exposed to viewing by third parties. Mermaids also reported itself to the Commissioner on 14 June 2019. 51. On 15 June 2019, The same day, the Sunday Times printed an online article stating that 1,000 pages of confidential emails by Mermaids were available on the 10 platform which had been active between 2016 and 2017 and could be viewable online. The same day, Mermaids informed an initial number of data subjects, whom it regarded as "sensitive data subjects", and for whom Mermaids had contact details, about the incident. Also on 15 June 2019, Mermaids published a press statement on its website which included an apology. Also on 15 June 2019, Mermaids notified the Charity Commission of the existence of a serious risk incident. Also on 15 June 2019, Mermaids liaised with Groups.IQ to obtain metadata to identify when the relevant data had been accessed by third parties and Mermaids were told by Groups.IQ that they did not collect that metadata. 52. On 16 June 2019, a printed article was published in the hard copy Sunday Times, drawing attention to the matter. Also on 16 June 2019, Mermaids notified all former trustees and major funders of the incident; and took initial steps to transition its email service to a more secure email platform. 53. On 17 June 2019, Mermaids engaged a data protection consultant. Also on 17 June 2019, Mermaids updated the Charity Commission about the incident. 19 ICO. Information Commissioner'sOffice 54. On 18 June 2019, Mermaids learnt that various archived or cached versions of the data remained online, and therefore their solicitors requested Google to remove them, and the data were immediately removed. Similar steps were taken by Mermaids to remove data from Archive.Ii. The same day, Mermaids sent the Commissioner an update. 55. On 19 June 2019, Mermaids liaised with Groups.IQ to request information regarding users making requests of the Mermaids' group's archives. Three further data subjects were identified by Mermaids as "sensitive data subjects". Mermaids continued its efforts to remove access to the data via Archive.Ii. 56. On 20 June 2019, the three additional "sensitive data subjects" were notified of the incident. Legal advisors to Mermaids reviewed with staff the current data systems at Mermaids for any further areas of vulnerability. The same day, Mermaids instructed their solicitors to begin liaising with the "sensitive data subjects". 57. On 21 June 2019, Groups.IQ confirmed that they did not hold any relevant information in their logs. The same day, Mermaids engaged an information technology security auditor, to begin to review the incident on 27 June 2019. 20 ICO. Information Commissioner'sOffice 58. On 22 June 2019, - confirmed that the data had been removed. Mermaids' solicitors contacted all the "sensitive data subjects" to explain the remedial steps which had been taken and provided copies of their data which had been affected. They also sought permission from the data subjects whose data had been uploaded on Archive.Ii to contact Archive.Ii on their behalf to seek removal of their data. 59. Between 24 June 2019 and 25 June 2019, the law firm obtained all the consents required from the data subjects to remove the data from Archive.Ii and sent compliance notices to Archive.Ii and its webhost, copied to their local data protection authorities. Mermaids held a trustee meeting to provide an update to trustees on the remedial steps which had been taken to address the contraventions, with Mermaids' external legal advisers in attendance. 60. On 26 June 2019, Mermaids updated their website message to include reference to Archive.Ii. 61. On 27 June 2019, two additional "sensitive data subjects" were identified by Mermaids, they were updated on the remedial steps which had been taken and they were sent copies of the personal data which had been exposed. On the same day, Mermaids was alerted to the fact that a larger group of data subjects had been affected by the incident. On Mermaids' instruction, the solicitors then reviewed all the data which had been accessible online to ensure all remedial actions had been taken. Mermaids, through their lawyers, notified the Commissioner and also chased the Sunday Times for a substantive response to their letter of 21 June 2019. 21 ICO. Information Commissioner'sOffice 62. On 28 June 2019, Mermaids' solicitors updated the "sensitive data subjects" whose data had been uploaded to Archive.Ii to confirm that the relevant webpages had been removed. They also sent an update to the Commissioner; continued to review the data; wrote seeking further information from Groups.IQ, if available, about the extent of any third-party access to the data in question; and updated the Commissioner on what remedial actions had been taken. 63. On 25 July 2019, the CEO completed half a day of data protection training from an external trainer, in response to the contraventions. 64. The Commissioner understands that the specialist data consultant appointed by Mermaids completed a review of all Mermaids' data systems and policies to ensure they were compliant with the GDPR and that Mermaids undertook to implement all his recommendations. The Commissioner understands that the contravention has been identified as an isolated incident and no wider issues were identified during the review. Further, it appears that all policies at Mermaids have now been updated to conform to the GDPR and that Mermaids undertook to put all data protection policies on one place on the intranet where they would be easily accessible to all staff and volunteers. Further, a security assessment was undertaken by a specialist consultancy, over a three-week period in June to July 2019, involving a review of all systems and processes at Mermaids to assess security and access controls, recommendations were made, implementation was agreed and the recommendations were then implemented by Mermaids to strengthen security and privacy. (gl the categories of personal data affected by the infringement 22 ICO. Information Commissioner'sOffice 65. These include information allowing identification of individuals, including children; in some cases the data was sensitive in context relating to gender incongruence, and in some cases it was special category data, including data relating to health. 66. The email addresses identified 550 data subjects, all of whom had been in contact with Mermaids at some point. Due to the nature of the services offered by Mermaids it can be inferred that some of data of those individuals can be identified as special category data. 24 have been identified by Mermaids as being of a higher risk, containing more sensitive details with conversations between the CEO, stakeholders and subscribers of Mermaids and included discussions around transgender issues and how the data subjects were feeling and coping with their experiences. 15 of those 24 data subjects had special category data accessible. Some of the emails show an exchange with Tavistock and Portman NHS Foundation Trust, who run a gender identity clinic. These emails disclose health information. 4 of those 24 data subjects were under 13 as of June 2019. (hl the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement 67. Mermaids notified the Commissioner about the infringement on 23 ICO. Information Commissioner'sOffice Mermaids reported themselves to the Commissioner on the same day. (il where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; 68. Not applicable. (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; 69. Not applicable. (kl any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement. 70. An aggravating factor is the duration of the infringement from 2017 to 2019. 71. Since 2016, Mermaids has raised its profile and in recent years it has received funding from various sources, including from the National Lottery, Children in Need and the Government. These factors have contributed to an increase in the public attention which Mermaids receives and the good standing from which it has benefited. Regulatory action against Mermaids will serve as an important 24 ICO. Information Commissioner'sOffice deterrent to other entities or persons who are not complying or who are risking not complying with their duties under the GDPR. 72. The Commissioner has taken account of the prompt remedial actions taken by Mermaids in response to becoming aware of the incident, which reduced the detriments caused to the data subjects, and of Mermaids' co-operation with the Commissioner. 73. Mermaids' profile significantly increased after being linked to a television programme. This breach was highlighted in a national newspaper and that resulted in a degree of reputational damage to the charity. The Commissioner considers that whilst the fine itself should act as a deterrent, it was important to balance this against ensuring the charity is able to maintain effective provisions for service users nor taking away donations made by the public. Summary and decided penalty 74. For the reasons set out above, the Commissioner has decided to impose a financial penalty on Mermaids. The Commissioner has taken into account the size of Mermaids and the financial information which is available about the charity on the Charity Commission website, as well as the representations that Mermaids has made to her about its financial position. She is mindful that the penalty must be effective, proportionate and dissuasive. 75. Taking into account all of the factors set out above, the Commissioner has decided to impose a penalty on Mermaids of £25,000 (twenty-five thousand pounds). Payment of the penalty 25 ICO. Information Commissioner'sOffice 76. The penalty must be paid to the Commissioner's office by BACS transfer or cheque by 3 August 2021 at the latest. The penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government's general bank account at the Bank of England. 77. There is a right of appeal to the First-tier Tribunal (Information Rights) against: (a) The imposition of the penalty; an/or, (b) The amount of the penalty specified in the penalty notice 78. Any notice of appeal should be received by the Tribunal within 28 days of the date of this penalty notice. 79. The Commissioner will not take action to enforce a penalty unless: • the period specified within the notice within which a penalty must be paid has expired and all or any of the penalty has not been paid; • all relevant appeals against the penalty notice and any variation of it have either been decided or withdrawn; and • the period for appealing against the penalty and any variation of it has expired 80. In England, Wales and Northern Ireland, the penalty is recoverable by Order of the County Court or the High Court. In Scotland, the penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. 26 ICO. Information Commissioner'sOffice 81. Your attention is drawn to Annex 1 to this Notice, which sets out details of your rights of appeal under s.162 DPA 2018. Dated the 5 day of July 2021 Stephen Eckersley Director of Investigations Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 SAF 27 ICO. Information Commissioner'sOffice ANNEX 1 Rights of appeal against decisions of the commissioner 1. Section 162 of the Data Protection Act 2018 gives any person upon whom a penalty notice or variation notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the 'Tribunal') against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: GRC & GRP Tribunals PO Box 9300 Arnhem House 31 Waterloo Way Leicester LEl 8DJ Telephone: 0203 936 8963 Email: grc@justice.gov.uk 28 ICO. Information Commissioner'sOffice a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 4. The notice of appeal should state:- a) your name and address name and address of your representative (if any); b) an address where documentsmay be sent or delivered to you; c) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time. 29 ICO. Information Commissioner'sOffice 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First-tier Tribunal (General Regulatory Chamber) are contained in sections 162 and 163 of, and Schedule 16 to, the Data Protection Act 2018, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)) 30