ICO issues £18k GDPR fine to Scottish charity for illegally destroying records

The Information Commissioner's Office (ICO) has issued an £18,000 monetary penalty to the Edinburgh-based charity Birthlink, which maintains the Adoption Contact Register for Scotland. 

As part of its offering, Birthlink provides a "Linked Record" service whereby adopted individuals, along with their adoptive and birth relatives, can register their details with the aim of potentially being reunited one day. To support this service, Birthlink maintains manual records that applicants submit to make such links. These Linked Records include original birth certificates, adoption contact register application forms, correspondence between Birthlink and service users and other information relevant to the adoption. Birthlink also held irreplaceable personal items such as photographs and handwritten letters from birth families, along with other sensitive personal information. 

In April  2021, Birthlink destroyed a large number of records belonging to its service users without authorisation or a lawful basis. There is some ambiguity in the monetary penalty notice about whether Birthlink destroyed 4,800 personal records or manual records containing personal data of approximately 4,800 of its service users. What is confirmed is that  10% of the records were deemed irreplacable. It was only after an inspection by the Care Inspectorate in August 2023 that Birthlink became aware that irreplaceable items had been destroyed as part of the overall record destruction and reported the incident to the ICO.

Following an investigation, the ICO found that Birthlink had violated Articles 5(1)(f) and 32(1)-(2) of the UK General Data Protection Regulation (GDPR) for failing to put in place appropriate organisational measures ensuring the security of the personal data contained in the records.

A related article by data protection specialist John Baines on his personal website discusses the inconsistency in the ICO's approach towards registered charities. In April 2024, the ICO imposed a monetary penalty on the Central Young Men's Christian Association (YMCA). In this instance, the ICO applied a public sector enforcement strategy, which resulted in a reduction of the fine from £300,000 to £7,500. Asked about why a charity qualified for the discount, the ICO responded that the "fine is in line with the spirit of our public sector approach."  

Training Announcement: Freevacy offers a range of independent data protection qualifications from IAPP and BCS. Our certified courses are available at foundation and practitioner levels and cover multiple legal jurisdictions, data protection operations management, and the implementation of complex privacy solutions in technical environments. Find out more.