ICO fine Mermaids

[bitheby]

Just came across this press release

ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/07/ico-fines-transgender-charity-for-data-protection-breach-exposing-sensitive-personal-data/

It's a small fine for a shocking breach

The ICO found that the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails to be viewable online for nearly three years. This led to personal information, such as names and email addresses, of 550 people being searchable online. The personal data of 24 of those people was sensitive as it revealed how the person was coping and feeling, with a further 15 classified as special category data as mental and physical health and sexual orientation were exposed.

It's a small fine for a shocking breach

I think the breach was pre-GDPR, when fines were much lower, instead of some of the very substantial fines we've seen since.

Glad they've been held to account in some small way, at least, instead of just getting away with it.

@InspiralCoalescenceRingdown

It's a small fine for a shocking breach

I think the breach was pre-GDPR, when fines were much lower, instead of some of the very substantial fines we've seen since.

Glad they've been held to account in some small way, at least, instead of just getting away with it.

Actually, I need to correct myself:

3. This penalty was issued under the Data Protection Act 2018 for infringements of Articles 5(1)(f) and 32(1) and (2) of the UK GDPR.

4. Although the Commissioner considers the breach to have begun on 15 August 2016, the penalty relates to the breach from 25 May 2018 (to 14 June 2019) when new rules under the UK GDPR came into effect.

That is actually a pretty small fine under GDPR.

During the investigation the ICO discovered Mermaids had a negligent approach towards data protection with inadequate policies and a lack of training for staff.

Data protection is not the only thing this charity has a negligent approach to, imo.

3-2-1 to their crowdfunder to pay the fine.

That is quite low.

I’ve skimmed quickly as I’m on my way out, but I didn’t see it mentioning that the data breach related to minors, either, which should mean ever stricter controls are necessary.

I hope they’ve taken it seriously and really redone their systems from the ground up. they were very blasé about it at the time, and took what I’m now calling the Wi Spa approach, which was to castigate people for looking rather than address the fact that they’d left sensitive medical data wide open to the whole world.

While that is low compared to some of the recent fines, it was never going to be a massive fine considering that Mermaids is a charity.

This is with Sue Green claiming to be IT expert. I guess one couldn’t be blame to think all expertises under this banner might have a few holes!

Just like fellow traveller Dr H Webberley who being the safeguard head, didn’t care to check the safeguarding policy.

There is so much carelessness around this issue from people who swears they are soooo kind and caring.

A paltry fine for a shocking breach.

Have been wondering if this investigation was actually going to lead anywhere.

Don't you mean Sue Green identifying as an IT expert?

Original MN thread about the breach here: www.mumsnet.com/Talk/womens_rights/3613168-Data-breaches-by-Mermaids-exposed-in-the-Times