Data breaches by Mermaids exposed in the Times

[truthisarevolutionaryact]

Mermaids has apparently put lots of confidential data online including private emails, personal data and emails demonstrating the pressure they have put on the Tavistock.
Andrew Gilligan article - share token:

www.thetimes.co.uk/article/parents-anger-as-child-sex-change-charity-puts-private-emails-online-tl0g5hwcg?shareToken=2f8ddc23419c61360023562a62e74d13

Anyone else getting a GDPR ad in this thread?😁

Thanks, Red. Not looking good, then.

The Eight "data protection principles".

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: a) at least one of the conditions in Schedule 2 is met, and b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. About the rights of individuals e.g. personal data shall be processed in accordance with the rights of data subjects (individuals).
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Apparently DH thinks there are clear breeches of 2, 3, 5, 6, 7 and 8. And you could argue 1 but its difficult to prove.

Yup, GDPR ad. You could have got a free report Mermaids!

LordProfFekko I'm getting a Times ad. Which is timely as I'm within a gnat's crotchet of subscribing in recognition of their amazing work in this area.

Red I wonder whether Mermaids has yet got an expert to give them a similar summary as your DH. Because surely they can't continue to minimise it and try to shout it away with accusations of transphobia.

I've seen on Twitter people saying that as Mermaids is a charity, the ICO won't hit them hard. That's just not true. The most similar breach by a charity was back in 2014, when BPAS was hacked and vulnerable women's data stolen - BPAS tried the ignorance offence but it didn't help them then and it won't help Mermaids now. At the time, this was the biggest fine ever given out by the ICO. Since then the Information Commissioner has changed and the new one has demonstrated that she's not afraid to go after big players and levy big fines: I really don't expect her to let Mermaids off the hook for this at all.

This BBC report details the BPAS breach, and comparing the two it's easy to see certain similarities but also to see how much more serious Mermaids' breach is.
www.bbc.co.uk/news/health-26479985

TheBullshit - they're doing a £1/month for 3 months digital offer at the mo so well worth it

Thanks to your DH Red, that's v interesting.

Ironically, one of the emails is about confidentiality training post GDPR. Didn't have a lot of impact clearly

Red, could they demand structural changes including appointments and resignations?

Thinking back how could anyone not know about GDPR at least in its broadest sense. Didn't everyone get a gazillion emails from any organisation they ever had dealings with, asking for confirmation that they could continue to hold, often very basic, data. Did Susie thing that this did not apply to her.

Ultimately how can we expect a mother who took her child to Thailand for surgery aged 16 to understand safeguarding.

Just to add to Red's list of principles - the GDPR (and new DPA 2018) emphasise accountability: senior management can't just shrug their shoulders and say they didn't know. Data protection has to be from the top down, with all employees - including the CEO - undertaking mandatory training and being aware of what is happening with regards to data protection in the organisation.

I don't think complaining about transphobia will get them very far with the ICO somehow.

This is such a high profile case, with so many breeches which clearly constitute a culture for a complete disregard and consideration of data protection, its going to be hard for the ICO to let them off the hook. Otherwise they will look completely useless and never being able to persue another case again, without other organisations being able to argue that they are been treated unfairly in comparison with Mermaids. The ICO have to be seen to be fair about data processing - that is all - this is their soul purpose and reason for existence. For this reason they won't be bothered about what the organisation does; its not their priority nor concern.

Where it does matter is the sheer sensitivity of the data they were holding, which is pretty much considered the most sensitive data type, meaning that the ICO would actually expect higher standards and compliance than perhaps another organisation. The protection of being a trans charity, actually has the opposite effect on them in this field of safeguarding - the organisation should have been shit hot on the risk of sensitive data leaking for the safety of their clients. The more Mermaids they stress that trans kids are the most vulnerable the worse it is for them at data protection level; because it makes their lack of regard for safeguarding data look appalling, because of the level of risk they have exposed service users to.

I bet Rubberman is bloody over the moon this has happened.

But don't fret little cub, we've not forgotten you either...

The limits of power of the ICO are to issue fines. However they are highly respected and their influence huge. They are a very powerful body.

If they came out with a highly damning report (they do lengthy explanations point by point of their findings and each point of failure with references to attitude and culture of the organisation) it would be difficult for other public bodies to ignore. This is the important bit really, rather than the size of the fine.

The ICO reports directly to parliament (under the Department for Digital, Culture, Media and Sport), thus if their concerns were serious enough, this carries significant weight with other government departments.

Anyone who answers to another government department would have some serious questions to ask if they were involved with this charity because there would be concerns over the charities attitude and ability to govern itself full stop. This naturally would invite a lot more scrunity than Mermaids have been used to. Would they survive this in their current form?

On a corporate level would you want to go near a charity with a shitty reputation, if you are looking to virtue signal? Would you give a charity which had demonstrated poor governance a big grant? This could restrict their income to just personal donations. And if you've heard a scandal about a charity and they've had a big fine would you want your money to go to that charity?

Their whole reputation and brand is now under the spotlight by an organisation which hasn't been inflitrated by a load of people with a woke agenda. Their interest is purely to protect people on a data level.

Look how far and how fast all the love-ins ran when kids company went tits up.

an organisation which hasn't been inflitrated by a load of people with a woke agenda

Do we know this?

Do we know this?

Have you read an ICO report?

They are, how can I put this, 'very dry, blunt and to the point'...

The ICO also has a penalty that can be more serious than a monetary fine - an absolute ban on the processing of personal data. If an organisation isn't allowed to process personal data then there's not much it can do.

Some people will just go whatever they want anyway and cry ...phobia!

They are like the equivalent of HMRC but for data.

Accountantlike.

This is why I like them! (And if you are familiar with my posting style and content especially over things like polling you'll get what I mean. This being a reflection of my sad fuckness!).

Elizabeth Denham is a bloody brilliant.

Working for the ICO is something I aspire to and may well apply for at some point. I see our Rights being very much caught up in how we view and process data over the next decade or so.

(I am something of an ICO fangirl... you might notice).

Red Elizabeth Denham is a fantastic public speaker - she takes no prisoners. One of the ICO's biggest problems is retention of staff as the private sector pays so much more.

(Also a fangirl)

Anyone have any inkling of what Elizabeth Denham considers a woman to be?

No.

And I don't think it relevant to her job tbh.

The report for Bounty was very very feminist in tone, and went beyond my expectations on that score.

Its a story I've followed and been passionate about for a long time.

She did what I've not seen anyone else do in government and formally recognised the vulnerability of women (and children) who have just given birth, in safeguarding in terms.

Her focus was 100% on those failed, not protection of the institutions around them.

Plus as I said before, even if she did think trans kids were exceptionally vulnerable or transwomen are women, then that works AGAINST mermaids rather than for them, in this area of safeguarding. Its not an organisation full of art and social science types. Its an organisation of auditors, who do the facts in front of them not the feelz.

Can the ICO take action against the trustees?

I vaguely remember cases of trustees being disqualified for life and liable to fines for their own (mis)handling of data.

Presumably, trustees are insured or indemnified by their charity?

Someone on Twitter is asking why so many of Mermaids trustees have left and not been replaced over the last couple of years. If this is true they could be in a very weak position in terms of proper governance.