Action against tiny Scottish charity sparks huge ICO row

The Information Commissioner’s Office has walked straight into a major row after issuing its first ever fine for the destruction of personal data – in breach of UK GDPR – with some data protection professionals questioning not only the timing of the penalty but whether an obvious cock-up warranted such action in the first place.

The case centres around post-adoption support charity Birthlink, which supports adults with a Scottish connection who have been affected by adoption.

According to the ICO investigation, Birthlink discussed destroying “linked records” at a board meeting on January 26 2021, as it was running out of space in its filing cabinets.

The following week, the charity’s board concluded that there were no barriers to their destruction, provided that it maintained adoption and care files for 75 to 100 years and only shredded replaceable records.

In a follow-up management meeting on April 13 of the same year, the charity confirmed that the linked records would be destroyed on April 15, while a meeting on May 25 concluded that a further 40 bags of linked records would be shredded two days later.

However, in August 2023, following an inspection by the Care Inspectorate, a Scottish government body, Birthlink discovered that irreplaceable items had in fact been destroyed and reported the incident to the ICO.

The ICO’s investigation found that at the time of the breach, Birthlink had a limited understanding of UK GDPR and had not implemented any data protection policies or procedures or appropriately trained its staff – a finding the charity has since accepted, with interim chief executive Abbi Jackson acknowledging that the destruction of the files was “a grave error”.

The regulator originally imposed a penalty of £45,000 on the charity but reduced it to £18,000, which it said “will appropriately reflect the representations from Birthlink on financial hardship whilst ensuring the penalty is effective, dissuasive and proportionate”.

ICO head of investigations Sally Anne Poole said: “This case highlights – perhaps more than most – that data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people’s lives long after it occurs.

“The destroyed records had the potential to be an unknown memory, an identity, a sense of belonging, answers – all deeply personal pieces in the jigsaw of a person’s history – some now lost for eternity.

“It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process.

“Whilst we acknowledge the important work charities do, they are not above the law and by issuing and publicising this proportionate fine we aim to promote compliance, remind all organisations of the requirement to take data protection seriously and ultimately deter them from making similar mistakes.”

However, the ruling has triggered much gnashing of teeth on LinkedIn, with some experts comparing this tough stance on a tiny charity with the ICO’s refusal to act over the MoD’s “egregious data breach” which put up to 100,000 Afghans at risk of grave harm and possibly even caused death.

LinkedIn comments included: “One thought, the MoD”, “How much did you fine the MoD, Information Commissioner’s Office? Was it more or was it less?” and “So when’s it the MoD’s turn?”

Perhaps unsurprisingly, the ICO did not answer.

Others, meanwhile, have questioned why the ICO did not apply its controversial public sector approach to the case, which would have resulted in a reprimand, even though it did so for the much larger YMCA private charity last year.

This did elicit a response from the ICO, which commented: “We did not apply the public sector approach to this case, but followed our Data Protection Fining Guidance to calculate and issue the fine.”

However, Mishcon de Reya senior data protection specialist Jon Baines said: “Thanks, but that doesn’t answer *why* one very wealthy charity benefitted (hugely) from the approach, while another (very much on its uppers) didn’t.”

For its part, Birthlink has since conducted a review of information governance and data protection across the organisation, introduced new policies and data protection systems and implemented regular staff training.

Interim CEO Abbi Jackson said: “Birthlink offers its deepest and most sincere apology for the destruction of post-adoption support records, including deeply personal, irreplaceable documents. We recognise and profoundly regret any loss and distress this may have caused.”

Jackson admitted that “a lack of knowledge about data protection legal requirements existed at Birthlink at the time of the breach” and that there were “inadequate systems in place to keep vitally important information safe”.

“Documents which are deeply personal, things which matter hugely to people’s histories and sense of identity, weren’t handled with the respect and thought that they deserved. That’s inexcusable. We want to assure everyone who’s interacted with Birthlink that we’re doing everything in our power to ensure this can never happen again.”

Picture credit: ICO
