Charity fined £18,000 after shredding 'irreplaceable' adoption files 

A Scottish charity has been fined £18,000 after it destroyed “irreplaceable” records, including photographs and letters linked to adoptions.

The Information Commissioner’s Office (ICO) investigated charity Birthlink after it got rid of approximately 4,800 personal records, up to 10% of which may be “irreplaceable”.

Handwritten letters and photographs from birth parents were among the “deeply personal pieces” shredded in a bid to save space.

The ICO found systematic data protection failures at the Edinburgh-based charity and concluded that poor records management means the true extent of the actual loss will never fully be known.

The report found that Birthlink lacked “cost-effective and easy-to-implement policies and procedures” that would likely have prevented the destruction.

In January 2021, Birthlink reviewed whether it could destroy “Linked Records” as space was running out in the charity’s filing cabinets where they were stored.

Linked Records are files of cases where people had already been linked with the person they sought and can include handwritten letters from birth parents, photographs, and copies of birth certificates.

Following a board meeting in February 2021, it was agreed no barriers to the destruction of records existed but that retention periods should apply to certain files and only replaceable records could be destroyed.

Due to poor record keeping, it is estimated some records were destroyed on April 15, 2021, with a further 40 bags destroyed on May 27, 2021.

In August 2023, following an inspection by the Care Inspectorate, Birthlink’s board became aware that irreplaceable items had been destroyed as part of the overall record destruction and reported the incident to the ICO.

The investigation found that the charity had a limited understanding of data protection law at the time of the breach, had not implemented relevant policies and procedures, and had not appropriately trained its staff.

It was also found that despite concerns being raised about shredding people’s photographs and cards at the time of destruction, the task continued.

In addition, poor record keeping meant Birthlink were unable to identify people affected by the breach.

After considering representations from the charity, the ICO reduced the fine from £45,000 to £18,000.

Since the breach occurred, the charity has implemented improvements including digitally recording and storing all physical records, appointing a data protection officer and initiating staff training.

“This case highlights – perhaps more than most – that data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people’s lives long after it occurs,” said Sally Anne Poole, head of investigations at the ICO.

“The destroyed records had the potential to be an unknown memory, an identity, a sense of belonging, answers – all deeply personal pieces in the jigsaw of a person’s history – some now lost for eternity.

“It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process.”

Ms Poole said the ICO welcomed the improvements the charity had put in place.

Birthlink is a charity specialising in post-adoption support and advice, for people who have been affected by adoption with a Scottish connection.

Since 1984, the charity has owned and maintained the Adoption Contact Register for Scotland.

The Register allows adopted people, birth parents, birth relatives and relatives of an adopted person to register their details with the aim of being linked to and potentially reunited with family members.

Anyone concerned about the loss of personal information can contact Birthlink’s support service through dataprotection@birthlink.org.uk

Abbi Jackson, interim chief executive at Birthlink, apologised for the breach saying it was a “grave error”.

She said: “Birthlink offers its deepest and most sincere apology for the destruction of post-adoption support records, including deeply personal, irreplaceable documents. We recognise and profoundly regret any loss and distress this may have caused.”

“Documents which are deeply personal, things which matter hugely to people’s histories and sense of identity, were not handled with the respect and thought that they deserved.

“That is inexcusable. We want to assure everyone who’s interacted with Birthlink, that we are doing everything in our power to ensure this can never happen again,” she added.

Birthlink says it has introduced new policies and a series of data protection systems to make sure that personal information is kept safe and secure.

The charity has also implemented regular staff training around data protection and the safeguarding of deeply personal information which may have significant importance to people affected by adoption.

She added: “We have set up a helpline for anyone concerned about the loss of their personal information. We also have a range of services in place which may be able to help support people with their individual situation.

“Birthlink offers a sincere and unreserved apology to anyone affected by what’s happened, and we encourage anyone with concerns to contact us.”

Follow STV News on WhatsApp

Scan the QR code on your mobile device for all the latest news from around the country