The Information Commissioner’s Office (ICO) has issued an £18,000 fine against Birthlink, an Edinburgh-based charity that maintains the Adoption Contact Register for Scotland and provides specialized support for people affected by adoption.
The case involves the negligent destruction of thousands of highly sensitive documents and provides a lesson on the importance of accountability under the UK General Data Protection Regulation (UK GDPR).
Destruction of the ‘linked records’
The ICO’s case against Birthlink centers on the “linked records”: manual paper files created when a successful link had been made between individuals on the adoption contact register.
Linked records included:
- Original birth certificates
- Handwritten letters from birth parents to their children
- Photographs of babies
- Other sensitive adoption-related information
In April 2021, a decision was made to create more space in the filing cabinets by destroying thousands of linked records (either 4,800 files or files relating to around 4,800 individuals).
The ICO describes this destruction as “unauthorized”, because it allegedly occurred without formal board approval or any data retention or destruction policies in place. The staff involved also allegedly lacked data protection training and did not keep records of exactly which files were destroyed.
Discovery of the issue
The issues around the destruction of the linked records came to light over two years after the decision was made, in August 2023. The Care Inspectorate conducted an inspection of Birthlink and discovered what it called “a significant loss of crucial information”.
The inspection triggered an internal investigation by Birthlink and, ultimately, a data breach notification to the ICO.
Alleged violations
Birthlink’s actions led to multiple alleged infringements of the UK GDPR, including:
- Article 5(1)(f): Integrity and confidentiality: this principle requires that personal data is protected against accidental or unlawful destruction.
- Article 32: Security of processing, which is linked to the integrity and confidentiality principle: organizations must implement technical and organizational measures to keep personal data secure.
- Article 5(2): The “accountability” principle: because Birthlink had no relevant policies, records of processing activities (RoPA), or data protection officer at the time, the charity couldn’t demonstrate its accountability under the UK GDPR.
- Article 33: Personal data breach notification: shredding the linked records was deemed a data breach, and Birthlink took two years and five months to report it, well outside of the prescribed 72-hour reporting window.
The final penalty
The ICO arrived at a final penalty of £18,000. Determining the penalty was a multi-step process.
- The ICO first considered a fine of £45,000 in its initial “notice of intent”.
- After Birthlink made representations, the ICO reduced the penalty to £36,750. This amount was based on the high seriousness of the breach, but took into account that it was negligent and not intentional.
- The final penalty was set at £18,000 due to Birthlink’s financial hardship.
The ICO was convinced that a fine of £36,750 would irretrievably jeopardize the vital services that the charity provides.
The commissioner said it took the same approach to fining Birthlink as it would to fining a public sector body, i.e. using Birthlink’s support costs for the purposes of calculating the fine, rather than the higher amount reflecting its total income (i.e., turnover).
Note that in its March 2024 case against the YMCA, the Commissioner justified a much smaller fine of £7,500 against a much larger charity by applying its “public sector” policy, which generally follows a more lenient approach to punishing UK GDPR violations among public sector bodies. This policy was reportedly not applied to Birthlink.
The importance of accountability
A key problem throughout the Birthlink case appears to have been a lack of accountability. Birthlink appears to have lacked the policies, processes, and oversight necessary to ensure data protection compliance.
Failing to demonstrate accountability is a problem in itself. Your organization could be violating the UK GDPR if it cannot show that it has trained its staff, assessed data protection risks, and recorded its data processing activities.
And in this case, we can see the result of a failure to maintain adequate processes: a data breach affecting thousands of people in highly vulnerable positions, and a substantial fine against a small non-profit.