Scottish charity fined following destruction of irreplaceable personal records

A Scottish charity specialising in post-adoption support and advice has been fined £18,000 by the Information Commissioner’s Office after it destroyed approximately 4,800 personal records – up to 10 percent of which may be irreplaceable – because it was running out of space in its filing cabinets.
Edinburgh-based Birthlink assists people who have been affected by adoption with a Scottish connection. Since 1984 the charity has owned and maintained the Adoption Contact Register for Scotland.
The register allows adopted people, birth parents, birth relatives and relatives of an adopted person to register their details with the aim of being linked to and potentially reunited with family members.
In January 2021, Birthlink reviewed whether they could destroy ‘linked records’ as space was running out in the charity’s filing cabinets where they were stored. Linked records are files of cases where people had already been linked with the person they sought and can include handwritten letters from birth parents, photographs, and copies of birth certificates.
Following a February 2021 board meeting, it was agreed no barriers to the destruction of records existed but that retention periods should apply to certain files and only replaceable records could be destroyed. Due to poor record keeping, it is estimated some records were destroyed on 15 April 2021 with a further 40 bags destroyed on 27 May 2021.
In August 2023, following an inspection by the Care Inspectorate, the Birthlink Board became aware that irreplaceable items had in fact been destroyed as part of the overall record destruction and self-reported the incident to the ICO.
The ICO investigation found the charity had limited knowledge of data protection obligations and lacked cost effective and easy-to-implement policies and procedures, which would likely have prevented the destruction.
Sally Anne Poole, head of investigations, said: “This case highlights – perhaps more than most – that data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people’s lives long after it occurs.
“The destroyed records had the potential to be an unknown memory, an identity, a sense of belonging, answers – all deeply personal pieces in the jigsaw of a person’s history – some now lost for eternity.
“It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process. We do however welcome the improvements the charity has subsequently put in place, not least by appointing a data protection officer to monitor compliance and raise awareness of data protection throughout the organisation.
“Whilst we acknowledge the important work charities do, they are not above the law and by issuing and publicising this proportionate fine we aim to promote compliance, remind all organisations of the requirement to take data protection seriously and ultimately deter them from making similar mistakes.”
After considering representations from the charity, ICO reduced the fine it had issued against Birthlink from £45,000 to £18,000. Since the breach occurred the charity has implemented improvements including digitally recording and storing all physical records, appointing a data protection officer and initiating staff training.
Interim Birthlink CEO Abbi Jackson said: “On behalf of Birthlink, I wish to express our deepest and most sincere apology for the destruction of post-adoption support records.”