A post-adoption support charity in Scotland has been fined £18,000 after it destroyed thousands of its service users’ personal data without authorisation.
Today, the Information Commissioner’s Office (ICO) published the findings of its investigation into Birthlink, which supports adults with a Scottish connection who have been affected by adoption.
The regulator found that in April 2021, Birthlink destroyed around 4,800 personal records including handwritten letters and photographs from birth parents, up to 10% of which may be irreplaceable.
The ICO originally imposed a penalty of £45,000 on the charity but reduced it to £18,000, which it said “will appropriately reflect the representations from Birthlink on financial hardship whilst ensuring the penalty is effective, dissuasive and proportionate”.
Since 1984, Birthlink has owned and maintained the adoption contact register for Scotland, which allows adopted people, birth parents, birth relatives and relatives of an adopted person to register their details to be linked to and potentially reunited with family members.
‘Limited understanding of GDPR’
The ICO’s report shows that Birthlink discussed destroying “linked records” at a board meeting on 26 January 2021, as space was running out in its filing cabinets.
The following week, the charity’s board concluded that there were no barriers to their destruction, provided that it maintained adoption and care files for 75 to 100 years and only shredded replaceable records.
In a follow-up management meeting on 13 April 2021, the charity confirmed that the linked records would be destroyed on 15 April 2021, while a meeting on 25 May 2021 concluded that a further 40 bags of linked records would be shredded on 27 May 2021.
In August 2023, following an inspection by Scottish government body Care Inspectorate, Birthlink became aware that irreplaceable items had in fact been destroyed and reported the incident to the ICO.
The ICO’s investigation found that at the time of the breach, Birthlink had a limited understanding of UK GDPR and had not implemented any data protection policies or procedures or appropriately trained its staff.
Its report says that despite concerns raised about shredding people’s photographs and cards, these were nonetheless destroyed.
“In the circumstances, the destruction of the linked records hadn’t received the relevant approval and was therefore unauthorised,” it reads.
The report adds that poor record-keeping means the true extent of actual loss will never fully be known.
Birthlink: ‘Destruction of files was a grave error’
Birthlink’s interim chief executive Abbi Jackson acknowledged that the destruction of the files was “a grave error”.
“Birthlink offers its deepest and most sincere apology for the destruction of post-adoption support records, including deeply personal, irreplaceable documents,” she said.
“We recognise and profoundly regret any loss and distress this may have caused.”
Jackson admitted that “a lack of knowledge about data protection legal requirements existed at Birthlink at the time of the breach” and that there were “inadequate systems in place to keep vitally important information safe”.
“Documents which are deeply personal, things which matter hugely to people’s histories and sense of identity, weren’t handled with the respect and thought that they deserved.
“That’s inexcusable. We want to assure everyone who’s interacted with Birthlink that we’re doing everything in our power to ensure this can never happen again.”
Birthlink has since conducted a review of information governance and data protection across the organisation, introduced new policies and data protection systems and implemented regular staff training.
ICO: ‘Charities aren’t above the law’
Sally Anne Poole, head of investigations at ICO, said: “This case highlights – perhaps more than most – that data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people’s lives long after it occurs.
“The destroyed records had the potential to be an unknown memory, an identity, a sense of belonging, answers – all deeply personal pieces in the jigsaw of a person’s history – some now lost for eternity.
“It’s inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process.”
Poole welcomed the improvements that Birthlink had subsequently implemented, “not least by appointing a data protection officer to monitor compliance and raise awareness of data protection throughout the organisation”.
“Whilst we acknowledge the important work charities do, they’re not above the law and by issuing and publicising this proportionate fine we aim to promote compliance, remind all organisations of the requirement to take data protection seriously and ultimately deter them from making similar mistakes,” she added.