Contact
July 19, 2021
The ICO has fined transgender charity Mermaids £25,000 for failing to keep the personal data of its users secure.
The ICO says that its investigation began after it received a data breach report from the charity in relation to an internal email group it set up and used from August 2016 until July 2017 when it was decommissioned. The charity only became aware of the breach in June 2019.
The ICO found that the group was created with insufficiently secure settings, leading to approximately 780 pages of confidential emails to be viewable online for nearly three years. This led to personal information, such as names and email addresses, of 550 people being searchable online. The personal data of 24 of those people was sensitive as it revealed how the person was coping and feeling, and a further 15 people’s personal data was classified as special category data as mental and physical health and sexual orientation were exposed.
The ICO’s investigation found Mermaids should have applied restricted access to its email group and could have considered pseudonymisation or encryption to add an extra layer of protection to the personal data it held. Under the UK GDPR, organisations that are responsible for personal data must ensure they have the appropriate technical and organisational measures in place to ensure personal data is secure.
During the investigation the ICO says that it discovered Mermaids had a negligent approach towards data protection, with inadequate policies and a lack of training for staff. Given the implementation of the UK GDPR as well as the wider discussion around gender identity, the ICO says that the charity should have revisited its policies and procedures to ensure appropriate measures were in place to protect people’s privacy rights.
The ICO also says that Mermaids cooperated fully with the ICO investigation and has made significant improvements to its data protection practices since becoming aware of the security breach. To read the ICO’s press release in full and for a link to the monetary penalty notice, click here.
Expertise
Wiggin's expertise, delivered direct to you
This website uses cookies so that we can provide you with the best user experience possible. Cookies necessary for the operation the site are stored on your computer automatically. We need your consent before we can set cookies which aren't necessary, but which help us understand which sections of the website you find most interesting and useful, and which carry out other visitor analytics.
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
To provide these analytics we would like to be able to set Google analytics cookies to help us collect anonymous information, such as the number of visitors to the site, and the most popular pages on the site.
Google's privacy policy relating to these cookies is available here. You can read more about how we use Google analytics cookies in our privacy policy which is set out below.
The slider shows your current preference. Please leave or change it as required, and then click Save.
Please enable Strictly Necessary Cookies first so that we can save your preferences!
Scope
This Privacy Notice (Notice) describes how Wiggin collects and uses your personal data. All our data processing is carried out in accordance with our obligations under the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Aims
This Notice tells you what personal data Wiggin collects, why we need it, how we use it and what protections are in place to keep it secure.
Key Terms
Wiggin, we, us and our mean or refer to Wiggin LLP, a limited liability partnership with registered number OC308767 and with registered office at Jessop House, Jessop Avenue, Cheltenham, Gloucestershire GL50 3WG, UK. Wiggin is registered as a data controller at the Information Commissioner’s Office with registration number Z5732337.
personal data means information about individuals (including you), and information from which such individuals could be identified.
you means any individual whose personal data we process, including Wiggin clients, Wiggin client personnel, counterparties, counterparty personnel, other solicitors and advisors, witnesses, suppliers, supplier personnel and general business contacts.
Data Controller
Wiggin LLP is a data controller in relation to your personal data and we take care to protect the privacy rights of individuals.
Information Protection Manager
We are not required under the GDPR to appoint a Data Protection Officer. We have, however, appointed a Data Protection Manager, currently Alexander Ross, who is responsible for overseeing our compliance with the GDPR and any other applicable data protection legislation and regulation. In addition, our Compliance Officer for Legal Practice, currently Alan Owens, oversees compliance with our professional responsibilities and with legislative requirements.
The Data Protection Manager can be contacted at dataprotection@wiggin.co.uk.
How does Wiggin obtain your personal data?
In many cases we obtain your personal data from you directly, including through your use of this website or when you contact us direct. In other cases we will obtain your personal data from a third-party source, for example, we may collect information from our clients or our clients’ personnel, agents and advisors; other law firms and advisors which represent you; the company for whom you work; other organisations and people with whom you have dealings; our associated and related businesses (including INCOPRO, Overmorrow, Viewfinder, Reviewed & Cleared, Cirkus); intermediaries; government agencies; credit reporting agencies; information or service providers; and publicly available records.
What about personal data relating to others which you provide to Wiggin?
If you provide information to us about someone else (such as one of your associates, directors or employees, or someone with whom you have business dealings) you must ensure that you are entitled to disclose that information to us and that the person understands that we, without taking any further steps, may process that information in accordance with this Notice.
What personal data does Wiggin collect from (and about) you?
If we collect and use personal data about you, the types of data we collect will vary in nature depending on the circumstances and purpose of processing. Here are some illustrative and non-exhaustive examples:
- personal data about you: name, address, date of birth, marital status, nationality, race, gender, preferred language, job title, work life, CV, restrictions and/or required accommodations, and possibly personal data about your family life;
- personal data to contact you at work or home: name, address, telephone, and email addresses;
- personal data which may identify you: photographs and video, passport and/or driving licence details, electronic signatures;
- personal data to process any payment we might need to make to you personally: bank account details, HMRC numbers and references (where applicable);
- personal data to monitor your use of our website: see the ‘website cookies and trackers’ section below.
Why do we need to collect and use your personal data?
If we collect and use personal data about you, we will do so for one or more of a number of reasons, the primary purpose being to provide legal advice and services to our clients, and this may involve the use of your personal data in one or more of the following (non-exhaustive) ways:
- to contact you if you are involved in a matter we are undertaking for a client, whether in your professional or personal capacity;
- to carry out investigations, risk assessments and client due diligence;
- to review, draft and disclose correspondence and other documents, including court documents;
- to instruct third parties on behalf of our clients;
- to prepare legal opinions and provide legal advice; and
- to enable the exchange of information between Wiggin and our affiliated and related businesses.
We may also process your personal data for business management purposes, which are likely to involve the use of your personal data in one or more of the following (non-exhaustive) ways:
- to engage and contact suppliers;
- to interview prospective members of staff;
- to carry out marketing and general business development activities;
- to carry out internal reviews, investigations and audits;
- to conduct business reporting and analytics;
- to help measure performance and improve our services;
- for regulatory and legislative compliance and related reporting; and
- for the prevention and detection of crime.
What is Wiggin’s lawful basis for processing your personal data?
Under the GDPR, we must identify a lawful basis for processing your personal data, and that basis may vary according to the type of personal data processed and the individual to whom it relates, and the nature of the processing.
Performance of a contract with you (where applicable)
If you are a private client or an individual supplier or other individual with a direct contractual relationship with us, we process the personal data we require in order to fulfil our obligations under our contract with you.
The legitimate interests of Wiggin or a third party
We may process your personal data on the lawful basis that it is in our legitimate interests and/or the legitimate interests of a third party to do so. This will primarily apply when we provide legal advice and services to our clients. Our legitimate interest in such instances is the proper performance of our role as an authorised and regulated provider of legal services. Our clients also have a legitimate interest (and a more general right in law) in obtaining legal advice and services.
Our broad interest in the provision of legal services as a basis for processing your personal data, and our clients’ corresponding interest in the receipt of such services, can be broken down into more discrete categories which may include (but are not limited to):
- contacting individuals relevant to our work and our clients’ matters, which may involve the use of your personal data;
- reviewing documents and correspondence that have been disclosed to us, our clients and third parties which may contain your personal data;
- reviewing and analysing evidence available to us and our clients which may contain your personal data;
- adducing legal arguments and preparing documents and correspondence which may contain your personal data;
- disclosing documents and correspondence which may contain your personal data to various parties in the furtherance of our clients’ objectives;
- instructing third parties on behalf of our clients;
- receiving payments from our clients and third parties and facilitating payments to our clients and third parties; and
- to allow for all of the above, the secure management and storage of your personal data within our IT environment and hard copy filing systems.
We may also process your personal data on the basis that it is necessary for our legitimate interest in the effective management and running of our firm, which may include (but is not limited to): engaging suppliers and supplier personnel; interviewing prospective staff members; ensuring that our systems and premises are secure and running efficiently; for regulatory and legislative compliance and related auditing and reporting; for marketing and general business development purposes; for insurance purposes; to facilitate, make and receive payments, and to collect money owing to us.
We do not consider that the processing of your personal data on the basis of our legitimate interests as described above is likely to result in any unwarranted prejudicial effect on your rights and freedoms or your own legitimate interests, and we regularly review our systems and processes to ensure that remains the case.
Compliance with a legal obligation to which Wiggin is subject
In certain circumstances, we may be obliged process personal data in order to comply with our legal obligations. This might include, but is not limited to, processing where required for tax and accounting purposes; where required by our regulators for conflict checking purposes; where required by the order of a court or tribunal; or to enable us to fulfil our compliance and other obligations under relevant legislation or regulation.
More information relating to the lawful bases for processing personal data can be found on the Information Commissioner’s Office website (see details below) or by contacting our Data Protection Manager (contact details below).
Special category personal data
If we process any special category personal data, which is data relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, health data, biometric data or sexual orientation, we will obtain your explicit consent to that processing, unless this is not required by law (because, for example, it is processed for the purpose of exercising or defending legal claims) or the information is required to protect your health in an emergency. Where we are processing personal data based on your consent, you have the right to withdraw that consent at any time by emailing us at dataprotection@wiggin.co.uk and describing the specific consent that you wish to withdraw.
To whom do we disclose your personal data?
We will disclose your personal data internally within Wiggin LLP and (if applicable) its associated businesses to those members of staff who provide legal services to you or your business, and/or to other members of staff with whom you or your employer or agent makes contact.
We may disclose your personal data to third parties (outside Wiggin), but only when it is necessary to do so, and subject to our obligations of confidentiality. Such recipients include but are not limited to: other clients and contacts; co-counsel, other solicitors/barristers/experts/foreign law firms whom we instruct on your behalf; our insurance brokers and underwriters; our bank, auditors and accountants; debt collectors; our outsourced IT providers and other suppliers; HMRC; the Solicitors Regulation Authority; the Law Society; the Home Office and HM Passport Office; the other side and/or other parties on any given matter (lay and solicitor).
We may also need to disclose your personal data in the course of business to our consultants who operate in the UK and in the USA, to staff in our Brussels office, and to our associated and related businesses (including INCOPRO, Overmorrow, Viewfinder, Reviewed & Cleared, Cirkus).
Your personal data is also likely to be disclosed to one or more third party service providers who provide us with IT and other technical services, and those service providers act as data processors under our control. We take suitable steps as required by law to ensure that, where the other party concerned is a data processor, they have appropriate data security systems in place and process data solely in accordance with our instructions.
Is your personal data transferred outside the EEA, and if so what safeguards are in place?
Some of the third-party service providers we use and some of our consultants are based in, or carry out their activities in, the European Economic Area (EEA). Until such time as the Brexit transition period expires on 31 December 2020 no additional safeguards are required for the transfer of data to/from the EEA. Some of the third-party service providers we use and some of our consultants are based in, or carry out their activities in, countries outside the UK and the EEA. If in the course of providing services to us any of the latter service providers process personal data, we have made sure to include in their contract with us standard clauses approved by the European Commission (sometimes called ‘the EU Model Clauses’) to ensure that their processing meets the security standards required within the EU. You can view the Commission’s decision which includes these standard clauses via this link: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en. After the decision of the CJEU in the Schrems II case, in which the CJEU found that the US/EU Privacy Shield does not afford sufficient protection for personal data when transferred to the US, we have been monitoring the instances in which personal data is transferred to the US to establish whether any such transfer presents a significant risk to your rights and freedoms even when done under the relevant EU Model Clauses. If it does, we commit to making necessary changes.
How do we protect your personal data?
We have robust security arrangements in place to guard against unauthorised access, use, alteration or destruction of, or the accidental loss of, your personal data. We take appropriate technical and organisational security measures and have rules and procedures in place to ensure that any personal data we hold that is particularly sensitive, or highly confidential, is not accessed by anyone unauthorised to access it, and where applicable to ensure client confidentiality. We have in place, and strictly comply with, an information security policy which determines the security standards we use to protect your personal data.
When we use third-party organisations to process your personal data on our behalf, we require them to have appropriate security arrangements in place, they must comply with our contractual requirements and instructions, and they must ensure compliance with the GDPR and any other relevant data protection legislation, all as required under the GDPR.
How long will your personal data be retained by Wiggin?
It is our policy to retain your personal data for no more than the length of time required for the specific purposes for which it is processed by us and which are set out in this Notice. However, we may be obliged to keep your personal data for a longer period, for example, where required by our legal and regulatory obligations, or in order to ensure we have effective IT back-up systems. In such cases, we will ensure that your personal data will continue to be treated in accordance with this Notice, we will restrict access to any archived personal data, and we will ensure that all personal data is held securely and kept confidential.
Website cookies and trackers
The only cookies we ourselves use on our website are the following session registration cookies:
- When you fill in your details on our registration form (for example where you wish to register to receive communications or other services from us), this cookie remembers the details that you load into the registration form so that if you make a mistake or have to redo the form, your details are not all erased (which could be annoying and inconvenient). The cookie is a ‘session’ cookie in that it dies after you have completed and submitted the form. We assume that you are happy with this cookie but if you wish to withhold your consent you can do so by modifying your browser settings to block cookies – please see http://www.wikihow.com/Adjust-Browser-Settings.
- Our email marketing messages may direct you to a web page which uses an ASPSESSIONID% cookie. This cookie allows the page to remember certain settings you use. This cookie is temporary and is destroyed each time you close your browser.
For more information about cookies generally, please visit All About Cookies.
We also use Google Analytics, the web analysis service provided by Google. Google utilises the data collected to track and examine the use of our website, to prepare reports on its activities and share them with other Google services. Google may use the data collected to contextualise and personalise the ads on its own advertising network. The personal data that is collected is cookie and usage data, and that processing takes place in the USA under Google’s standard terms and privacy policy, which you will find here. You have the option of refusing to accept Google Analytics cookies when you first visit our website.
What are your rights?
You have various rights in relation to your personal data under Data Protection law. The UK’s Information Commission’s Office website provides a helpful and informative summary of your rights which you can access here: https://ico.org.uk/your-data-matters/. In particular, we’d like to remind you that you have:
- the right of access to a copy of the personal data we hold about you;
- the right to require us to correct any inaccuracies in your personal data;
- the right to object to decisions about you being taken by automated means (although we do not make any decisions by automated means);
- where we have sought your consent, the right to withdraw your consent at any time; and
- the right to ask us not to process your personal data for direct marketing purposes.
You may also have the following rights in relation to your personal data in certain circumstances:
- the right to restrict or object to our use of your personal data;
- the right to require us to provide a copy of your personal data to others; and
- the right to require us to erase your personal data.
If you wish to exercise any of your rights please contact our Data Protection Manager at dataprotection@wiggin.co.uk.
There are exceptions to the rights of individuals in relation to their personal data and, particularly if we are processing your personal data for the purpose of providing legal advice to our clients, your rights may be limited. We will, at all times, respect your personal data and seek to be as transparent as possible, but please be aware that in some instances we may be restricted by law from even acknowledging that we process your personal data.
How to make a complaint
If you have a question about the information provided in this Notice, or you have a concern or complaint about the way in which we process your personal data, please contact our Data Protection Manager at dataprotection@wiggin.co.uk. In any event you have the right to address a complaint to the Information Commissioner. The Information Commissioner can be contacted at: –
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF www.ico.org.uk. The ICO helpline number is 0303 123 1113.
Last updated 28 September 2021