ICO fines charity following destruction of irreplaceable personal records

The Information Commissioner’s Office (ICO) has fined Scottish charity Birthlink £18,000 after it destroyed approximately 4,800 personal records, up to ten percent of which may be irreplaceable.

The ICO’s investigation found the charity had limited knowledge of data protection obligations and lacked cost effective and easy-to-implement policies and procedures, which would likely have prevented the destruction.

Sally Anne Poole, Head of Investigations at the ICO, said: “This case highlights - perhaps more than most - that data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people’s lives long after it occurs.

“The destroyed records had the potential to be an unknown memory, an identity, a sense of belonging, answers – all deeply personal pieces in the jigsaw of a person’s history -  some now lost for eternity.

“It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process. We do however welcome the improvements the charity has subsequently put in place, not least by appointing a data protection officer to monitor compliance and raise awareness of data protection throughout the organisation.

“Whilst we acknowledge the important work charities do, they are not above the law and by issuing and publicising this proportionate fine we aim to promote compliance, remind all organisations of the requirement to take data protection seriously and ultimately deter them from making similar mistakes.”

Details of the breach and ICO investigation

In January 2021, Birthlink reviewed whether they could destroy ‘Linked Records’ as space was running out in the charity’s filing cabinets where they were stored. ‘Linked Records’ are files of cases where people had already been linked with the person they sought and can include handwritten letters from birth parents, photographs, and copies of birth certificates.

Following a February 2021 Board meeting, it was agreed no barriers to the destruction of records existed but that retention periods should apply to certain files and only replaceable records could be destroyed. Due to poor record keeping, it is estimated some records were destroyed on 15 April 2021 with a further 40 bags destroyed on 27 May 2021.

In August 2023, following an inspection by the Care Inspectorate, the Birthlink Board became aware that irreplaceable items had in fact been destroyed as part of the overall record destruction and reported the incident to the ICO.

The ICO’s subsequent investigation found at the time of the breach there was a limited understanding of data protection law at the charity, which had not implemented relevant policies and procedures or appropriately trained its staff. The ICO also found that despite concerns being raised about shredding people’s photographs and cards at the time of destruction the task continued. In addition, poor record keeping meant Birthlink were unable to identify people affected by the breach.

Due to the serious nature of the breach the ICO concluded a fine was appropriate and after considering representations from the charity reduced the amount from £45,000 to £18,000. Since the breach occurred the charity has implemented improvements including digitally recording and storing all physical records, appointing a Data Protection Officer and initiating staff training.

Ripple effect

Last year the ICO published its Ripple Effect campaign, detailing the far reaching effects and human impact data breaches can have on people. The regulator called for all organisations to step up, do better and recognise the critical importance data protection has in protecting people’s lives.

Anyone who feels they may have been impacted by this incident should contact Birthlink, as the charity will be able to provide further information and access to support services.

Guidance

The ICO publishes detailed guidance on its website to help organisations understand and comply with data protection law. This includes easy to use self-service tools, helpful bitesize guidance and tips aimed at small charities and detailed records management and security guidance setting out what the ICO expects from organisations.

About Birthlink

Birthlink is a charity specialising in post-adoption support and advice, for people who have been affected by adoption with a Scottish connection. Since 1984 the charity has owned and maintained the Adoption Contact Register for Scotland. The Register allows adopted people, birth parents, birth relatives and relatives of an adopted person to register their details with the aim of being linked to and potentially reunited with family members.

-ends-

Notes to editors

1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator that exists to empower people through their information rights. The ICO regulates the whole economy, including government and the public sector. 
2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.  
3. Civil monetary penalties are paid direct into the Consolidated Fund. From 1 April 2022, HM Treasury has allowed the ICO to keep some funds to cover certain pre-agreed costs up to a maximum cap of £7.5m per financial year. The approach is explained in the ICO’s Annual Report and Accounts and is externally audited by the National Audit Office.
4. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.  
5. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.