The transgender children’s charity Mermaids has apologised after it accidentally made internal emails containing confidential client information available online.
In a statement issued over the weekend, the charity said it had remedied the data breach as soon as it became aware of the issue and sought to reassure those affected that the information was available only if certain search terms were used.
The ICO said it had heard from Mermaids and it was assessing the situation.
The charity was made aware of the breach by a journalist at The Sunday Times, which this weekend reported that more than 1,000 pages of Mermaids’ confidential emails, including names, addresses and telephone numbers of young people using the service and details of some of the issues they were experiencing, had been posted online.
The story alleged that the charity’s chief executive, Susie Green, had thought she was setting up a private email group on a webmail platform, but had not realised the archives would be visible to everyone.
In a statement, the charity acknowledged the breach had occurred and said it was "immediately" dealt with when it was told about the issue on Friday.
"Internal Mermaids emails from 2016 and 2017 in a private user group were available on the internet, if certain precise search terms were used," the statement said.
"Mermaids understands that the information could not be found unless the person searching for the information was already aware that the information could be found."
There was no evidence that the information had been accessed by anyone other than The Sunday Times journalist and the service users who had contributed to the story, the statement said.
It said the trustees of the charity would instruct an independent third-party expert to produce a report on the incident.
"Mermaids apologises for the breach," the statement said. "Even though we have acted promptly and thoroughly, we are sorry. At the time of 2016/2017, Mermaids was a smaller but growing organisation.
"Mermaids now has the internal processes and access to technical support which should mean such breaches cannot now occur."
The charity also defended the fact that it held such information, saying it was normal internal information for such an organisation and demonstrated that the charity was taking its responsibilities seriously.
Green told Third Sector: "We have worked tirelessly over the weekend and will continue to do everything we can to respond to this issue.
"We are grateful for the many private and public messages of solidarity and support from our many service users and supporters."
An ICO spokeswoman said: "We have received a data breach report from Mermaids UK and we will assess the information provided."
In December, a Sunday Times story criticised the National Lottery Community Fund, formerly known as the Big Lottery Fund, for its decision to award the charity a £500,000 grant.
The story resulted in a slew of complaints, prompting the grant-maker to carry out a review of the decision, but it ultimately concluded there was no reason to withhold the funding.