A leading trans charity has been fined £25,000 after its chief executive published hundreds of deeply personal emails from parents worried about their children's transition.
Mermaids boss Susie Green had set up an email group online which mistakenly had insufficient security settings, meaning the exchanges were publicly accessible to anyone.
The emails were reportedly sent in strictest confidence from parents whose children were struggling with their sex change.
One included the experience of a mother whose trans son - born a girl - used to wet himself on purpose so that the nursery would provide him with boys' clothes.
In total, data belonging to 550 people, not of all of whom were service users, was shared in the email exchanges from August 2016 until July 2017 when the email group was decommissioned.
However, archived emails remained online until 2019 because the charity was unaware of the data breach.
Mermaids works with about 500 youngsters and 1,400 parents and educates schools about homophobic, biphobic and transphobic bullying.
Mermaids has been fined after boss Susie Green (pictured) published confidential emails from parents on a website which was publicly accessible due to insufficient security settings
As well as disclosing intimate details about the trans children's treatment and parents telephone numbers, names and email addresses were also searchable on the web.
The site, which is hosted by a third party to allow organisations to share and archive emails, was made private as soon as the charity became aware of the data breach and it referred itself to the Information Commissioner's Office.
According to the ICO, of the 550 people involved in the breach, personal data of 24 of them related to sensitive details including how they were coping and feeling.
A further 15 were classified as 'special category' data because it related to mental and physical health as well as sexual orientation.
Four of them were children aged under 13 at the time the breach was discovered.
The ICO's investigation found Mermaids should have applied restricted access to its email group and could have considered using pseudonyms or encryption to add an extra layer of protection to the personal data it held.
In a 30-page report, the ICO found that although it was an internal email group, parents' emails had been forwarded between the charity and its trustees.
Steve Eckersley, Director of Investigations said: 'The very nature of Mermaids' work should have compelled the charity to impose stringent safeguards to protect the often
