The Scottish charity, Birthlink, received an £18,000 fine from the Information Commissioner’s Office (ICO), the UK regulator for data protection. Due to the serious nature of the breach, the ICO initially considered fining the charity £45,000 but reduced this after considering representations from the charity.
What happened?
Birthlink is a charity specialising in post-adoption support and advice for people affected by adoption with a Scottish connection.
Since 1984, Birthlink has maintained the Adoption Contact Register for Scotland. This Register enables adopted people, birth parents, birth relatives, and relatives of an adopted person to register their details with a view to being ‘linked’ and potentially reunited.
Birthlink reviewed whether it could destroy physical ‘linked records’, as the charity needed space in its filing cabinets where these records were stored. ‘Linked records’ are files of cases where people had already been linked with the person they sought and can include handwritten letters from birth parents, photographs, and copies of birth certificates.
It was agreed by Birthlink’s Board of Trustees that retention periods should apply to certain files and only replaceable records could be destroyed. Due to poor record-keeping, the charity destroyed approximately 4,800 personal records, up to ten percent of which may be irreplaceable.
Following an inspection by the Care Inspectorate, the charity's Board became aware of the data breach and self-reported the issue to the ICO in accordance with legislative notification requirements.
What did the ICO say?
The ICO's investigation found:
- There was a limited understanding of data protection law within the charity at the time of the breach;
- The charity had not implemented relevant policies and procedures;
- The charity had not appropriately trained its staff;
- Despite concerns being raised about shredding photographs and cards at the time of destruction, the task continued;
- Poor record-keeping meant Birthlink was unable to identify the people affected by the breach, and therefore could not notify them (notifying affected individuals is a legislative requirement when a breach is deemed high risk to them).
What did the Care Inspectorate say?
Birthlink's Care Inspectorate report from August/September 2023 suggests that there were governance and leadership issues within the charity at the time the breach was identified. In particular, the Care Inspectorate identified:
- Quality assurance and record-keeping had not been consistently effective within the charity;
- A lack of monitoring and progression of training and development of staff and the management team over a significant period;
- The service did not take a comprehensive approach to risk management and planning in respect of the data deletion;
- There was no clear leadership response or related actions in response to the breach; and
- The size of the Board had reduced over previous years, and there was recognition that recruitment was needed to expand the diversity of Board membership.
The Care Inspectorate noted that the loss of information about people's birth history and family meant there was a high risk that people's sense of identity would be significantly compromised, creating a risk for the service in achieving its fundamental aims and objectives.
It was also noted that clear guidance was not given to staff to enable them to provide a transparent organisational response to individuals contacting the service who were affected by the loss of records. This has the potential to erode trust and confidence in the services provided.
How has Birthlink responded to the breach?
Birthlink has published an apology on its website, alongside a note of the steps taken to ensure that a breach like this does not happen again, including:
- Recruiting a Board member with specialist knowledge in information governance and data protection;
- Reviewing information governance and data protection standards within the organisation;
- Implementing data protection policies, DPIAs, and staff training;
- Implementing a breach reporting procedure;
- Auditing and indexing physical records, and moving to digital technology.
What can charities learn from this?
1. Ensure good governance and leadership
Ensure that the Board of Trustees has a good understanding of data governance obligations and risks. Consider whether the Board is sufficiently diverse and holds the required skills around data governance, security, and privacy.
2. Delegation and oversight
The Board retains ultimate responsibility and control. It is not enough to make the decision; the Board needs to be confident that its decision-making is carried out properly by delegated staff and volunteers. Effective delegation involves clear communication, proper documentation, and robust oversight mechanisms to ensure accountability and effective risk management.
3. Understand your data
It is vital that organisations audit their data to understand what they hold, why they hold it, and what it is used for. This enables charities to ensure they are using data lawfully, to complete RoPAs and privacy notices, and to put in place appropriate procedures for retention, security, and sharing.
4. Mandatory staff training
Staff must understand their duties under data protection law and be able to identify and manage breaches, information rights requests, and security matters. Training should be mandatory and refreshed regularly.
5. Implement written policies and procedures
The ICO commented that having "cost-effective and easy-to-implement policies and procedures" would likely have prevented the destruction of the documents by Birthlink.
6. Be ready to respond to a breach
Staff should know how to identify a breach and who to escalate it to (and to do so immediately). Charities should consider having incident response teams who know how to manage a breach, including ensuring that staff liaising with service users and supporters know how to answer questions and concerns.
7. Have well-considered retention procedures
Under data protection law, information must be kept only for as long as it is needed. This requires careful consideration of what each data record is needed for, with reference to factors such as service delivery, financial and tax requirements, and legal obligations.
At MFMac, we have specialist data protection lawyers who operate in the charity and third sector, enabling us to provide tailored advice and assistance. We regularly conduct data audits, provide staff training, prepare bespoke policies and procedures, and advise Trustees on their duties.