NEWS

ICO fines charity following destruction of irreplaceable personal records

28 July 2025
by Niall Christie

Read next

Handwritten letters and photographs from birth parents amongst items destroyed.

The Information Commissioner’s Office (ICO) has fined Scottish charity Birthlink £18,000 after it destroyed approximately 4,800 personal records, up to ten percent of which may be irreplaceable.

The ICO’s investigation found the charity had limited knowledge of data protection obligations and lacked cost effective and easy-to-implement policies and procedures, which would likely have prevented the destruction.

Birthlink is a charity specialising in post-adoption support and advice, for people who have been affected by adoption with a Scottish connection.

Since 1984 the charity has owned and maintained the Adoption Contact Register for Scotland. The Register allows adopted people, birth parents, birth relatives and relatives of an adopted person to register their details with the aim of being linked to and potentially reunited with family members.

In January 2021, Birthlink reviewed whether they could destroy ‘Linked Records’ as space was running out in the charity’s filing cabinets where they were stored. ‘Linked Records’ are files of cases where people had already been linked with the person they sought and can include handwritten letters from birth parents, photographs, and copies of birth certificates.

Following a February 2021 board meeting, it was agreed no barriers to the destruction of records existed but that retention periods should apply to certain files and only replaceable records could be destroyed. Due to poor record keeping, it is estimated some records were destroyed on 15 April 2021 with a further 40 bags destroyed on 27 May 2021.

In August 2023, following an inspection by the Care Inspectorate, the Birthlink board became aware that irreplaceable items had in fact been destroyed as part of the overall record destruction and reported the incident to the ICO.

The ICO’s subsequent investigation found at the time of the breach there was a limited understanding of data protection law at the charity, which had not implemented relevant policies and procedures or appropriately trained its staff.

The ICO also found that despite concerns being raised about shredding people’s photographs and cards at the time of destruction the task continued. In addition, poor record keeping meant Birthlink were unable to identify people affected by the breach.

Due to the serious nature of the breach the ICO concluded a fine was appropriate and after considering representations from the charity reduced the amount from £45,000 to £18,000.

Since the breach occurred the charity has implemented improvements including digitally recording and storing all physical records, appointing a Data Protection Officer and initiating staff training. Birthlink have also apologised.

Sally Anne Poole, head of investigations at the ICO, said: “This case highlights - perhaps more than most - that data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people’s lives long after it occurs.

“The destroyed records had the potential to be an unknown memory, an identity, a sense of belonging, answers – all deeply personal pieces in the jigsaw of a person’s history - some now lost for eternity.

“It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process. We do however welcome the improvements the charity has subsequently put in place, not least by appointing a data protection officer to monitor compliance and raise awareness of data protection throughout the organisation.

“Whilst we acknowledge the important work charities do, they are not above the law and by issuing and publicising this proportionate fine we aim to promote compliance, remind all organisations of the requirement to take data protection seriously and ultimately deter them from making similar mistakes.”

Abbi Jackson, Birthlink's Interim CEO, told TFN: “That a data breach happened matters deeply to Birthlink, the people who work here and the people we serve.

"It is unacceptable that such a serious breach was able to happen, and we apologise unreservedly. Since March 2023, we have introduced a series of measures, policies and procedures, all of which are designed to keep personal data safe.

“Birthlink offers its deepest and most sincere apology for the destruction of post-adoption support records, including deeply personal, irreplaceable documents. We recognise and profoundly regret any loss and distress this may have caused.

“Documents which are deeply personal, things which matter hugely to people’s histories and sense of identity, were not handled with the respect and thought that they deserved. That is inexcusable. We want to assure everyone who’s interacted with Birthlink, that we are doing everything in our power to ensure this can never happen again.

“We have set up a helpline for anyone concerned about the loss of their personal information. We also have a range of services in place which may be able to help support people with their individual situation. Birthlink offers a sincere and unreserved apology to anyone affected by what’s happened, and we encourage anyone with concerns to contact us. Anyone who is worried about the loss of personal information can contact Birthlink’s dedicated support service by email dataprotection@birthlink.org.uk or by telephone on 0131 225 6441, option 2."