Melissa Hall on data governance lessons from the case
When Scottish charity Birthlink was fined £18,000 by the Information Commissioner’s Office (ICO) for a serious data breach, it served as a clear reminder to the third sector that protecting personal data goes beyond compliance. For charities working with vulnerable individuals, data governance is not a technical side issue but central to delivering safe, responsible services.
While the Birthlink case may be unique, the underlying challenges are a warning to charities of all sizes. When sensitive personal information is mishandled - whether it relates to health, care or personal history - the consequences can be serious. So, how can charities avoid similar mistakes?
UK data protection law places clear responsibilities on organisations. Charities must know what data they hold, why they hold it, and whether they still need it. Staff should be trained to manage that data properly, and key decisions, particularly around deletion or retention, must be documented and subject to oversight. These are legal obligations, but they also reflect a wider duty of care to the people charities support.
One of the clearest lessons from the Birthlink case is that responsibility must start at the top. Data protection cannot be treated as a back-office issue or something that is simply covered by having a policy. Trustees and senior leaders need to be directly engaged in how personal information is handled and stored. That includes understanding where the risks lie and being ready to step in when needed.
Delegating day-to-day responsibilities is often necessary in any organisation, but it must be supported by meaningful oversight. Boards remain ultimately accountable for the outcomes of decisions, even when the practical tasks are carried out by staff or volunteers. When it comes to sensitive activities, such as the destruction of personal records, clear guidance, active monitoring and a willingness to pause if concerns are raised are all essential. In Birthlink’s case, staff did raise concerns - but the process continued without reassessment.
Policies play a key role in supporting this kind of decision-making, but only if they are actively used and understood. A policy that sits in a folder, untouched and untested, offers little protection. The ICO noted that simple, low-cost steps could have prevented the breach, underlining the fact that data governance doesn’t need to be complex - but it does need to be taken seriously and made part of day-to-day organisational thinking.
Training is an essential part of making that happen. Governance structures and written procedures only work if the people carrying them out know what’s expected and feel confident in doing so. Whether someone is working full time, volunteering, or serving as a trustee, they need to understand how to manage personal data appropriately and how to raise concerns when something doesn’t seem right. Training should never be treated as a one-off exercise or a box to tick. It’s most effective when it’s built into the rhythm of the organisation - refreshed regularly, tailored to different roles, and backed by visible leadership support.
Charities also need to understand what data they actually hold. Many are keeping information they no longer need, sometimes without realising it. A simple audit can clarify what is necessary, what is outdated, and what should be more tightly protected. This supports better retention practices and reduces the risk of accidental breaches.
No system is perfect, and even well-run organisations will sometimes experience issues. What matters is how they respond. Being able to identify a breach, act quickly, notify the ICO when appropriate (UK GDPR requires notification without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to put people at risk), and support affected individuals is part of what builds public trust, as well as ensuring compliance with statutory requirements.
Birthlink has taken steps to improve its data practices - including bringing in board-level data expertise and modernising its systems. But other charities should not wait for a crisis before taking action.
Getting data governance right does not require unlimited resources. It starts with clear leadership, a commitment to transparency, and a willingness to ask difficult questions. In doing so, charities can protect not only personal data, but also the trust and confidence of those they serve.
Melissa Hall is legal director at MFMac, Charities and Data Protection.