The UK’s data protection regulator has taken the rare step of fining a charity after a series of “systematic” failings led to the destruction of thousands of personal records.
Birthlink provides post-adoption support and advice, and has owned and maintained the Adoption Contact Register for Scotland since 1984.
However, in August 2023 the charity’s board became aware that it may have destroyed some irreplaceable items as part of a cull of 4,800 personal records designed to free up space in its on-premises filing cabinets.
The Information Commissioner’s Office (ICO) claimed that as many as 10% of these files may have been irreplaceable.
“This case highlights – perhaps more than most – that data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people’s lives long after it occurs,” argued ICO head of investigations, Sally Anne Poole.
“The destroyed records had the potential to be an unknown memory, an identity, a sense of belonging, answers – all deeply personal pieces in the jigsaw of a person’s history – some now lost for eternity.”
The problems began in 2021, when the charity sought to destroy “Linked Records” – which are files of cases where people had already been linked with the person they sought. These can include handwritten letters from birth parents, as well as photographs and copies of birth certificates.
Although the board ruled that only replaceable records could be destroyed, the charity’s record keeping, compliance with data protection law and staff training and awareness were so poor that the cull far exceeded these limits.
“It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process,” continued Poole.
“Whilst we acknowledge the important work charities do, they are not above the law and by issuing and publicizing this proportionate fine we aim to promote compliance, remind all organisations of the requirement to take data protection seriously and ultimately deter them from making similar mistakes.”
Birthlink Makes Amends
The ICO reduced its initial financial penalty from £45,000 after considering representations from the charity. It has subsequently noted positive steps Birthlink has taken, such as:
- Digitally recording and storing all physical records
- Appointing a data protection officer to monitor compliance and raise awareness internally
- Starting a staff training program