Privacy Daily is a service of Warren Communications News.

ICO Slams Charity for Expunging Thousands of Adoptions-Related Records

The U.K. Information Commissioner's Office Monday fined Scottish charity Birthlink £18,000 ($24,000) for destroying around 4,800 personal records, many of which may be irreplaceable. An investigation found Birthlink had limited knowledge of requirements for data protection.

Sign up for a free preview to unlock the rest of this article

Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.

In addition, the investigation found cost-effective and easy-to-implement policies and procedures could have prevented destruction of the personal records.

It also found staff was inappropriately trained in data protection and that despite concerns about shredding people's photographs and cards, the demolition continued, and that the charity couldn't identify people affected by the breach.

Among the items lost were handwritten letters and photographs from birth parents, the ICO said. Some people's access to part of their family histories and identities may have been permanently erased due to "systemic data protection failures."

Birthlink specializes in post-adoption support and advice, ICO noted.

In January 2021, the charity reviewed whether it could destroy "linked records" because its filing cabinets were running out of space, the ICO said. Linked records are cases where people have already been linked with the person(s) they sought.

In February 2021, Birthlink's board agreed there was no barrier to the destruction of the records but stated that retention periods should apply to certain files and that only replaceable records could be destroyed. However, poor record-keeping meant that some were destroyed in April 2021, with another 40 bags demolished in May 2021.

The board became aware of the destruction of irreplaceable items in 2023 and reported it to the ICO.

The violations were serious enough to merit a fine, which was reduced to £18,000 from £45,000 after the charity agreed to improve procedures, including appointing a data protection officer and providing staff training, the ICO said.

Last year, the ICO launched a Ripple Effect campaign to stress the impact data breaches can have on people and to encourage organizations to do better.