Charities are reminded of the importance of keeping personal data secure after the Information Commissioner’s Office (ICO) imposed fines this year on two UK charities for breaches of data protection rules in the UK.

In July 2021, the ICO (as regulator of data protection in the UK) imposed a fine of £25,000 on the transgender charity Mermaids for failing to keep personal data secure. In 2019 the charity became aware of a data breach and reported the breach to the ICO. However, the breach itself had started in 2016 when an internal email group set up and used by the charity, resulted in emails being available to search online. The emails contained personal data (names and email addresses) and sensitive personal data (details of mental and physical health, and sexual orientation).

In October 2021, the ICO then imposed a fine of £10,000 on HIV Scotland as a result of their bulk email practices which resulted in a breach of data protection laws when email addresses were shown to all recipients (including 65 emails where the individuals were identified by name).  Given the personal data involved, it was possible to assume certain things about an individual’s HIV status or risk which meant special category data was made available. Following its investigation, the ICO found the charity had insufficient staff training in place, improper email practices and an inadequate data protection policy in place.

In both cases, the charities had been dealing with information that could cause substantial damage and distress, as well as potential prejudice or abuse, if the information had got into the wrong hands. It is unsurprising that the ICO imposed fines for the breaches, and it highlights the need for charities to take data protection seriously. Aside from a breach in data protection rules, there is the potential for reputational damage and distrust, which could have a lasting effect on a charity and its revenue.


  • As with all things data protection- related, it is crucial that charities keep good records of decisions made to demonstrate compliance so that if the ICO comes asking questions a few years later, they can show that they considered data protection and explain the reason they took a particular action.
  • It is equally important to keep data (and its security) under review, updating policies and procedures at appropriate intervals and deleting personal data no longer needed. Remember that what is appropriate in terms of security will depend on the type of data, the likely harm a breach might cause, and the effect on individuals involved.
  • Finally, organisations should ensure they have appropriate technical and organisational measures in place to keep any personal data held secure. This covers a wide range of measures from regular staff training, to controlling access to premises and documents, to secure methods of storing and sending data.

Gillespie Macandrew are part of the SCVO free legal advice service which gives up to two hours free legal advice to SCVO members. If you have any questions on what measures you should have in place or more generally about data protection, please get in touch.