Charity Fined £18,000 Following Destruction of Thousands of Records
The Information Commissioner’s Office (ICO) has hit Birthlink, a Scotland-based post-adoption support charity with an £18,000 fine for destroying an estimated 4,800 personal records without authorization.
How did this incident occur?
The report from the ICO states that in early 2021, a discussion was held regarding the destruction of “linked records” as they were running out of physical storage space in their physical filing cabinets.
Following this, a week later, it was agreed that certain documents could be destroyed as long as they maintained adoption and care files for 75 to 100 years, and only records that were replaceable were destroyed.
The destruction of these documents was confirmed in another meeting in April, and another meeting in late May took place, where it was agreed that 40 more bags of linked records would also be destroyed.
This all occurred, despite there being concerns raised internally about destroying items such as photographs.
However, in August 2023, over two years later, during an investigation by the Care Inspectorate, Birthlink discovered that irreplaceable items had in fact been destroyed. This was quickly reported to the ICO.
What did the ICO find?
The ICO found that, at the time of the incident, there was an organisation-wide lack of understanding of UK GDPR. As a result of this, there were very few data protection policies or procedures in place, and until March 2023, no data protection training for staff.
They also found that the main cause of this incident was a lack of proper organisational measures to protect the personal data held in the records. If Birthlink had put the right measures in place, the destruction of the records would most likely have been avoided.
The report from the ICO concludes that the destruction of the linked records had not received proper authorisation and was therefore considered unauthorised. Additionally, due to poor overall record-keeping practices, it’s very likely that the full scale of the data loss may never be known.
As a result of this, the charity was found to have breached Articles 5(1)(f) and 32(1)(2) of the UK GDPR, which relate to the need for organisations to keep personal data safe and the expectations to maintain a high level of security for personal data.
ICO fine and the charity’s response
Initially, the ICO proposed a fine of £45,000, but with consideration of factors such as the organisation’s status as a charity, and their financial circumstances, this was reduced to £18,000, which, while still significant, isn’t as devastating.
Birthlink’s interim chief executive Abbi Jackson responded to this incident by acknowledging “an overall lack of knowledge about data protection legal requirements at Birthlink at the time of the breach” and that at the time, the systems they had in place were “inadequate”.
She also apologised for the incident, adding that “we’re doing everything in our power to ensure this can never happen again”.
The ICO taking enforcement action against a charity is highly unusual. Sally Anne Poole, head of investigations at ICO has also commented, saying “This case highlights – perhaps more than most – that data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people’s lives long after it occurs”.
This was before adding that charities are “not above the law and by issuing and publicising this proportionate fine we aim to promote compliance, remind all organisations of the requirement to take data protection seriously and ultimately deter them from making similar mistakes”.
What can we learn from this?
The circumstances surrounding this incident are rather unique, but there are still a few things that your organisation can learn from it:
Good data protection practices must be embedded organisation-wide: Compliance with data protection law is mandatory, regardless of sector or organisation size. Enforcement action is most often taken against larger organisations, which process much larger volumes of data, though it still isn’t uncommon for smaller organisations to be penalised too.
Correct record destruction methods are vital: If you’re unsure whether something should be deleted, don’t act until legal and regulatory checks are made. When most think of what constitutes a data breach, they often forget that accidental deletion or destruction of data also counts. It’s just as important that your data deletion practices are strong, as it is to have strong data security practices.
Physical records are riskier to store than digital ones: When you store physical records, there is always a risk that they could be destroyed, even accidentally. With digital records, it’s easy to create backups, meaning that if something is deleted, it can be easily recovered. This greatly reduces the risk of accidental data deletion.
Lack of training often poses a significant risk: Birthlink had no staff data protection training in place until 2023. With the leading cause of breaches being human error, this highlights just how critical regular staff training is. Privacy Helper offers both in person and online training, so you can be confident that your staff are aware of correct data protection practices.
Poor decisions can have lasting consequences: This wasn’t just a paperwork issue; destroyed photographs and records may never be recovered. There is a risk that this incident could have a lasting impact on people’s identities and histories.
Next Steps
Ensuring that you handle, process and store personal data in a way that’s in line with the law isn’t easy. To be confident that you’re compliant, and to address any concerns you may have, contact PRIVACY HELPER today, and let us remove the stress of managing data compliance in your business.
Additionally, if you’re a charity, take a look at our blog post on how the recently passed Data (Use and Access) Act may impact your operations.