A transgender charity has apologised after journalists were able to find sensitive internal emails via a public internet search.
Mermaids UK, which supports trans children and young people, said the emails came from 2016 and 2017, when it was a smaller organization without the internal processes and access to technical support which would now prevent such incidents.
Although the original Sunday Times report that uncovered the leak said the emails included “intimate details of vulnerable youngsters” which could be found simply by typing in the organization’s name and charity number, Mermaids sought to downplay the seriousness of the incident.
“Mermaids understands that the information could not be found unless the person searching for the information was already aware that the information could be found,” it said in a statement.
“The material mainly consisted of internal information involving full and frank discussion of matters relevant to Mermaids, but unfortunately included some information identifying a small number of service users. Mermaids has contacted these people. The information, seen in its actual and proper context, is normal internal information for a group such as Mermaids.”
The emails in question, which the BBC claims number around 1100, were apparently stored in a ‘private’ user group that was exposed online.
As well as contacting those whose details appeared in the leaked emails, the charity has contacted privacy regulator the Information Commissioner’s Office (ICO) and the Charity Commission and said it immediately remediated the incident.
“So the overall position is that there was an inadvertent breach, which has been rapidly remedied and promptly reported to the ICO, and there is no evidence that any of this information was retrieved by anybody other than the Sunday Times and those service users contacted by the journalist in pursuit of their story,” it concluded.
The timeframe of the incident falls well before the GDPR was introduced, although if the ICO judges there to have been a serious risk to vulnerable individuals, it may decide to take action under the old data protection regime.