ICO fines charity for destroying personal data
We often talk about the risks of holding onto personal data for too long: the need to make sure data is destroyed when it’s no longer required, and how the impact of a data breach could be far worse if it involves personal records which shouldn’t have been kept. But now we have a case where it’s the destruction of records which caused a data breach.
The Scottish charity Birthlink has been fined £18,000 by the ICO for destroying approximately 4,800 records, some of which were irreplaceable photographs and letters.
The findings make for sobering reading. A catalogue of errors: lack of accountability, lack of policies and procedures, no appropriate data protection training and a failure to report a data breach for more than two years.
Who are Birthlink and what do they do?
Birthlink has maintained the Adoption Contact Register for Scotland since 1984. This is a service for adopted people or their relatives, and for birth parents or their relatives. It enables people to register their details with the hope of being ‘linked’ and potentially reunited.
Where a link is made, records are classified as “Linked Records”, and the personal data contained within such records can include sensitive documents such as:
■ Original birth certificates
■ Adoption Contact Register application form
■ Correspondence between Birthlink and service users
■ Other information relevant to the adoption
■ Irreplaceable items (e.g. handwritten letters from birth parents and birth families, photographs and other sensitive personal information)
These are physical documents relating to adopted people’s individual circumstances, which the charity held in filing cabinets.
What went wrong?
In January 2021 Birthlink was running out of space in the filing cabinets the Linked Records were stored in, so it assessed whether the records could be destroyed. After a board meeting it was agreed there were no barriers to the destruction of the records, that retention periods should apply and only replaceable records should be destroyed.
However, it’s evident from the enforcement notice this was very badly managed. Due to poor records management, bags of paperwork were destroyed without a full understanding of what the documents entailed. To make matters worse, despite concerns being raised at the time about shredding people’s photographs and letters, the destruction continued.
More than two years later and following an inspection by the Care Inspectorate, the Board became aware irreplaceable items had in fact been destroyed. It was only then the data breach was reported to the ICO.
And the woeful tale continues. Poor record keeping means not only will the extent of what was destroyed never be fully known, Birthlink have also been left unable to identify people affected by the breach.
Key findings
Routinely in an article like this I’d write a bit about the key findings, but in this case I think they speak for themselves. You’ll not be surprised to learn Birthlink says there was limited knowledge of their data protection obligations at the time this breach took place.
Sally Anne Poole, Head of Investigations at ICO, said:
“It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process. We do however welcome the improvements the charity has subsequently put in place, not least by appointing a data protection officer to monitor compliance and raise awareness of data protection throughout the organisation.
“Whilst we acknowledge the important work charities do, they are not above the law and by issuing and publicising this proportionate fine we aim to promote compliance, remind all organisations of the requirement to take data protection seriously and ultimately deter them from making similar mistakes.”
Key learnings
It’s too easy to see the mistakes here, and easy to pour scorn on Birthlink. However, all organisations will recognise taking a robust approach to data retention can be challenging to deliver in practice.
Many organisations face a careful balance between destroying personal data they have no justification for holding on to, and making sure they continue to retain records they still need to keep. Robust records management procedures, secure storage and archiving, clear data retention periods, and clear authorisation when the time comes for destruction are crucial – especially when handling sensitive information.
Sometimes a specific law tells us how long certain records should be kept, or personal data needs to be retained to meet contractual obligations. Often we need to consider people’s reasonable expectations – would they expect us to be still holding on to their personal details or not?
In the case of Birthlink, the answer was almost undoubtedly, yes, people would have expected irreplaceable records to be retained, or perhaps returned to them, rather than destroyed.
I can’t stress enough that tackling data retention effectively needs shared ownership – clear accountability with assigned roles and responsibilities across the organisation. Good data governance is the key.
If this has given you an unwelcome nudge to revisit your approach to retention, see our 3 Steps to decide your data retention periods and our detailed Data Retention Guide.