Data breaches by Mermaids exposed in the Times

[truthisarevolutionaryact]

Mermaids has apparently put lots of confidential data online including private emails, personal data and emails demonstrating the pressure they have put on the Tavistock.
Andrew Gilligan article - share token:

www.thetimes.co.uk/article/parents-anger-as-child-sex-change-charity-puts-private-emails-online-tl0g5hwcg?shareToken=2f8ddc23419c61360023562a62e74d13

Can somebody who works in school safeguarding explain something to me?

I was under the impression that there are very strict rules reporting cases and that confidential information wouldn't be emailed across as standard to other parties. So telephone conversations, forms as attachments rather than content in the body of an email, maybe even encrypted emails ?

So (and sorry if this has been asked) but why were sensitive cases and personal information being emailed so freely, data fail aside?

I always think twice with work emails if there is anything remotely sensitive (I might ring the individual instead or have a meeting).

Are there not any child protection guidelines that need following when it comes to paperwork or can Mermaids really do what it likes? I know has its own rules in so many other areas, but often, it's the paperwork that can be the undoing of many who think they are above the law.

I have just seen this comment on twitter:

Jen @ Seinnean
Yet you seem to think that all data breaches mean a law has been broken. Surely you would have learned in your DP training that this actually isn't the case. Which is why investigations happen. Investigations determine if laws were broken, not the breach itself.

This is an interesting take.

In this case we have a charity which has:
Previously had an incident
Seemingly the breach is multi faceted (not keeping the data private in the first place and also sharing with people who didn't need to know details without consent)
The highly sensitive nature of the data
The amount of data over a long time period
Poor data protection training and understanding in the organisation.
A contemptuous attitude to the breach by trustees after the fact
A statement which was bollocks, followed by one which was slightly less bollocks. Both of which are inaccurate.
The fact data relates to children
The inadequate response and lack of taking it seriously by getting in an expert.
The fact that this is now on the Internet elsewhere which they are not informing those affected (I've just been told that Google search facility is making this easier to find as it's generating an auto correct algorithm).

The investigation of a data breech isn't so much about whether the law has been broken but about the seriousness of it, whether sufficient measures were in place to prevent it, the response to it and whether its worth taking action under the law as a result. The law has been broken by Mermaids own admission (cos if they didn't admit it, it would be an offence cos the times have got the evidence to prove they had been negligent).

Apparently none of these people are aware of the legal concept of 'in the public interest' either.

Are there not any child protection guidelines that need following when it comes to paperwork or can Mermaids really do what it likes? I know has its own rules in so many other areas, but often, it's the paperwork that can be the undoing of many who think they are above the law.

Charities have to have Safeguarding policies.
For a children's charity, this would/should include policies re information sharing, confidentiality etc

Policies though are intended to representative of estabished practice which is subject to review & scrutiny.

Having a policy & getting people to sign it matters not a jot if the principles are not understood.

Mermaids do not understand Safeguarding.

There are multiple demonstrations of this.
(In fact every time the CEO Susie Green leverages suicide (contrary to Samaritans & all established good practice), this in itself should be considered clear evidence.

Mermaids could have used networks such as Stonewall and Lloyds Bank to find an IT expert as soon as they realised there was a problem. Instead they minimised it. Did they still not understand.

I helped run children's sports club. All volunteers and a limited budget. No way did I have access to information about children's medical needs (asthma mainly I assume) because I did not need it. I did have access to coaching and volunteers DBS, safeguarding and coaching certificates because I needed that, but even that information was restricted to a clear need to know.

And safe data storage was in our initial website spec a decade ago.

How come something like this was very obvious to a group of parents doing our bit to help our kids, yet the people running a significant children's charity, dealing with complex medical and emotional needs, have no idea.

Bloody obvious surely.

Mermaids could have done a lot of things.

But they know better than experts at everything and instead have an arrogant institutional attitude that they know better than anyone else at absolutely everything regardless of their qualifications and level of professional experience.

Which hasn't been helped by all these other institutions using them without question as an expert authority.

They are a bunch of charlatans who recommended quacks.

They know but they don't care, this archive was basically set up so trustees could read intimate details about these children.

I think they don't know. I haven't seen anything in statements to suggest that they appreciate that transfer of personal client details to trustees (regardless of how securely done) could be a breach. They seem to be thinking that it was an accident and an apology and calling anyone who demurs a bigot will allow them to tough it out.

But they know better than experts at everything and instead have an arrogant institutional attitude that they know better than anyone else at absolutely everything regardless of their qualifications and level of professional experience.

Which hasn't been helped by all these other institutions using them without question as an expert authority.

Professionals who have close contact with Mermaids should have been able to identify the risks the organisation presented.
That they have either being unable to identify, unable to report or their whistleblown concerns dismissed is an even greater Safeguarding framework failure.

I think they don't know. I haven't seen anything in statements to suggest that they appreciate that transfer of personal client details to trustees (regardless of how securely done) could be a breach.

They are playing ignorant because frankly for them shouting loudly normally means reality bends for them, everything is always as they say it is.

this archive was basically set up so trustees could read intimate details about these children.

This is what bothers me. The data breach (ie making the emails publicly available) was appalling but it was unintentional. What I can't get my head around is that Green was sharing these private emails with trustees. There is absolutely no need to share those kinds of confidential emails with trustees. Indeed, I would imagine the parents involved would be horrified to know their emails were being shared in this way.

It's the bit that disturbes me the most too.

Yep, two breaches have occured here, not just one. These details should never have been shared with trustees in the first place.

The Charities Commission, quoted in Civil Society News:

“The charity has submitted a serious incident report to the Commission regarding a data breach, in line with our guidance on reporting serious incidents.

"We have contacted the charity for further information so that we can assess this fully.

“More generally: charities hold important positions of trust and so it is vital that they take their responsibilities seriously, particularly when it comes to protecting people and sensitive information.”

www.civilsociety.co.uk/news/mermaids-uk-apologies-for-online-data-breach-over-weekend.html#sthash.vXaEWmFM.dpuf

Ouch.

Good.

I cannot understand why they shared this information. I work in a school and the information shared with Governors (similar responsibilities to Trustees) is anonymised. For instance performance data has no names at all, support for individual pupils is discussed at a high level only e.g. no names or details. There is no reason to share confidential information especially not medical information. It will be interesting to see how this is dealt with and how Mermaids try to justify it.

That's a far cry from the Mermaids statement trying to make out it wasn't a big deal and the incident was now over....

I'm not sure where to pop this is, as it isn't specifically related to the data issue, but I think it might be relevant in terms of demonstrating the clouded-boundaries and lack of critical thinking that drives some people to make poor choices.

I noticed recently that Helen, (mimmymum), who is closely related to Mermaids, was enthusiastically waving about the fact she'd bumped into a meeting of Leeds 'Furries' recently.

twitter.com/mimmymum/status/1139893697926094848

For some of us who have been around these boards for a while, you'll know how un-innocuous the 'furry-culture' is. There's only a whisper paper-thin line between pretty pictures of fluffy foxes, My Little Ponies and nappy-wearing 'age-play' fantasies and very concerning online personalities.

As much as 'furries' might want us to think they're just fluffy people wanting to put on costumes, the evidence points to blurred boundaries and linked fetishes.

'Leeds fetishmans' have links to 'leeds furries'. Which is fine, you do you. But when mimmymum is waving at you all like you're a disney parade, but when I know what I know about the 'furry scene' and can also see from the twitter links that a 13 year old girl is "proud to become a 'furry" the red flags are waving.

If I was strongly linked to Mermaids, and had a trans child, this is the last group I'd be cheering on.

(Awaits furry onslaught!)

Can someone who understands GDPR and the Data Protection Act clarify something?

The internet group was set up and used in 2016-7, as I understand it, but as it was never made private did it breach the Data Protection Act back then?

Also, when the GDPR came into force last year, did it apply to information that was already online, like this old group that was still available to anyone at all if they happened to make the right Google search? I would assume it did. So the much larger fines under the GDPR might apply here?

Yes and yes.

Thanks.

Gasp0deTheW0nderD0g, DH has to know the law in this area professionally and advises on it.

The answer is yes and yes.

Will they still get the Lottery grant if it turns out it'd all go on fines?

I knew those all those data protection and GDPR seminars I did for work would come in handy.

DH has just gone through the sections of the DPA and which sections they failed on. (If you fail on DPA you fail on GDPR).

He thinks they have failed on at least half of it and some of the breeches are extremely serious. And that's before you consider the sensitive nature of the data.

He says its probably the worst failing of the DPA he's ever seen.

Will they still get the Lottery grant if it turns out it'd all go on fines?

DH thinks the ICO will throw the book at them, but he worries about the issue with fines because its a charity and the ICO will go through the accounts and not necessarily give one as big as they could because so much of their income is through charitable donation, and people have donated for a specific purpose not to pay off the charity's liabilities.

Where I wonder is if they will coordinate their findings with the charities commission because of the seriousness of the incident because of this though.