Birthlink was seeking to save space by destroying old photos and files.
The Scottish charity Birthlink has been fined £18,000 by the ICO after it destroyed approximately 4,800 personal records.
Around ten percent of those records may be irreplaceable. The charity destroyed the items after it ran out of physical space in its filing cabinets.
Files of Cases
The files, known as ‘Linked Records’, covered cases where people had already been linked with the person they sought. They included handwritten letters from birth parents, photographs, and copies of birth certificates.
The charity determined that replaceable records could be destroyed. It later became aware that irreplaceable items had in fact been destroyed as part of the overall record destruction, and reported the incident. The destruction included shredding people’s photographs and cards.
The ICO’s investigation found there was a limited understanding of data protection law at the charity, which had not implemented relevant policies and procedures or appropriately trained its staff.
The ICO said that the fine was reduced from £45,000 to £18,000 after improvements were implemented, including digitally recording and storing all physical records, appointing a Data Protection Officer and initiating staff training.
Ripple Effects
In a statement, Sally Anne Poole, head of investigations at the ICO, said: “This case highlights - perhaps more than most - that data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people’s lives long after it occurs.
“It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process. We do however welcome the improvements the charity has subsequently put in place, not least by appointing a data protection officer to monitor compliance and raise awareness of data protection throughout the organisation.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.