Charity Fined After Irreplaceable Records Destroyed: Lessons for Your Organisation
Posted on in Data Protection
Losing personal records can be more than inconvenient – it can be costly. A recent Information Commissioner’s Office (ICO) decision shows exactly how high the stakes can be. Beyond the financial hit, this enforcement action demonstrates how seriously the ICO treats data protection failures – and how quickly trust can be damaged.
What happened?
The Scottish charity Birthlink was fined £18,000 due to 4,800 personal records being destroyed. It is estimated that up to ten percent of these may be irreplaceable. The investigation found the charity had limited knowledge of data protection obligations and lacked cost-effective and easy-to-implement policies and procedures. This knowledge could have prevented the destruction.
What is the key takeaway message?
This fine highlights the importance of organisations understanding their data protection obligations, particularly when it comes to what constitutes personal data and retention periods. Proactive compliance could have avoided the breach, accompanying fine, and disproportionate operational time dealing with the ICO investigation.
What went wrong?
Birthlink is an adoption charity that has operated an Adoption Contact Register since 1984. The Register enables adopted people, birth parents, and others to register their details with a view to being “linked” and potentially reunited.
In January 2021, Birthlink reviewed whether they could destroy “linked records” due to space running out in the charity’s filing cabinets where they were stored. “Linked records” include handwritten letters from birth parents, photographs, and copies of birth certificates. In August 2023, the Birthlink Board became aware that irreplaceable items had been destroyed. This only came to light two years after the Care Inspectorate carried out a short-notice inspection in September 2023.
“Poor understanding”
The ICO investigated this breach and found there was a limited understanding of data protection law at the charity. Sally Anne Poole, the ICO’s head of investigations, said: “The destroyed records had the potential to be an unknown memory, an identity, a sense of belonging, answers.” She went on to say, “It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of its data protection and records management process.”
The charity had not implemented relevant policies and procedures or appropriately trained its staff.
The initial fine
The charity self-reported the data breach. The ICO imposed a £45,000 fine and later reduced it to £18,000, to promote compliance with data protection and deter others from “making similar mistakes”.
What is the ICO and what does it do?
The ICO is the UK’s largest independent body that has been set up to uphold information rights. It has various enforcement powers, such as:
1. Issuing notices that require you to provide certain information.
2. Issuing enforcement notices that require you to take, or refrain from taking particular steps or actions.
3. Issuing monetary penalties if you contravene network and information systems up to a maximum of £17 million.
Tainting your reputation
ICO decisions are published online and often attract significant attention. For charities, this visibility can have serious consequences – potentially undermining public trust and affecting your ability to raise vital funds. Donors, partners, and beneficiaries may reconsider their support if your organisation is perceived to mishandle personal data.
Litigation risk
The ICO cannot award compensation to individuals affected by a data breach, but the individuals may seek compensation via the Courts. If you receive a letter of claim, you are required, by the Courts, to respond within a certain timeframe, and you could be penalised on costs for non-compliance with the Court rules. If you do not respond, then the Claimant may bring proceedings against you without delay.
Most cases settle, but addressing data protection matters proactively will avoid the need to instruct lawyers to assess the risk of proceedings against you and respond to a letter of claim.
Protecting your charity from a similar data breach
It is imperative to understand what constitutes personal data. You can read the ICO guidance here, and you may decide to seek additional support from a lawyer.
The ICO’s investigation found the charity had “lacked cost-effective and easy-to-implement policies and procedures, which would have likely prevented the destruction”. You should ensure you have clear policies for classifying and managing records. You should keep a central log of manual and electronic systems, know where records are stored, and act quickly if they go missing. Regularly reviewing and updating your records and training your staff will also help you.
Tozers’ expert Data Protection Team can help you comply with the regulatory framework by:
· Providing advice and guidance.
· Drafting bespoke data protection policies and compliance documents, including data retention policies.
· Providing training to staff.
Why choose Tozers for data protection support?
Our Team excels in providing tailored advice to Charities across Data Protection, Corporate and Commercial, Employment, Litigation, and Intellectual Property matters. We also assist charities with governance and constitutional matters, restructures, charity law and compliance, mergers, collaborations, and dealing with the Charity Commission, such as serious incident reports. Our expertise supports organisations in achieving their charitable objectives and maximising their impact for the communities they serve. We are a corporate Partner of CharityComms and are listed on their supplier directory.
As a top firm for client satisfaction, we have built a reputation as good listeners who can help break down complex legal jargon into words you can understand and are experts at advising on your specific situation.