Information Commissioner’s Office Fines Charity for Personal Data Breach Exposing Sensitive Personal Data Online

The Information Commissioner’s Office (ICO) has fined a transgender charity £25,000 for failing to keep the personal data of its users secure.  The ICO discovered that approximately 780 pages of confidential emails were viewable online for nearly 3 years, which contained the personal data, including sensitive personal data, of around 550 of the charity’s users.

The ICO’s investigation was initiated following a data breach report from the charity in relation to an internal email group which it set up and used for almost a year.  However, the charity only became aware of the breach in June 2019.

The ICO found that the charity did not restrict access to its internal email group and should have considered either encrypting or using pseudonyms which would add an extra layer of protection to the personal data which it was processing.

It is a requirement under Data Protection law for organisations who are responsible for personal data to have appropriate technical and organisational measures in place to ensure that personal data is secure.  The ICO found that the charity had adopted a rather negligent approach towards data protection with inadequate policies and a lack of training for staff.

Given the nature of the charity’s focus and users, the type of the personal data it held was particularly sensitive, including data relating to medical and sexual records.  It should be noted that the charity did comply with the ICO’s investigation; however, this did not absolve it of its inadequate procedures and practices leaving to the substantial fine.

If your organisation has committed a data breach, or if your data has been breached by an organisation, please contact Chadwick Lawrence’s Regulatory Team on 01484 519999 or email nilso@chadlaw.co.uk or nicholasworsnop@chadlaw.co.uk for a free initial consultation.