Enforcement action in respect of GDPR data deletion requirements is rare in the UK and the EU, and even more so when the issue is excessive deletion. But on 28 July, the Information Commissioner’s Office (ICO) issued an £18,000 fine to Birthlink, a Scottish charity, for the unlawful destruction of approximately 4,800 personal records, some of which were irreplaceable.
The incident
Birthlink has operated the Adoption Contact Register for Scotland since 1984, helping adopted individuals and others affected by adoption reconnect with biological relatives. In early 2021, faced with physical storage constraints, the charity decided to destroy certain manual files relating to completed reconnections.
However, due to an absence of proper policies and board oversight, untrained staff were left to make critical decisions. This resulted in the unauthorised destruction of physical documents, up to 10% of which were irreplaceable, such as handwritten letters, photographs, and birth certificates.
The breach went unnoticed until August 2023, when a Care Inspectorate review revealed the destruction of sensitive records. Birthlink then reported the incident to the ICO in September 2023, over two years late.
GDPR failures and the ICO’s enforcement action
Birthlink failed to implement even the most basic organisational safeguards and admitted that there was limited understanding of the UK GDPR within the organisation. At the time it had not implemented any data protection policies or procedures, and its staff had not received any data protection training.
The ICO found multiple breaches of the UK GDPR. These included:
- a failure to comply with the UK GDPR’s integrity and confidentiality obligations which require appropriate security measures to be in place;
- not meeting accountability obligations, as Birthlink could not demonstrate compliance or show that it had assessed the risks involved; and
- no lawful basis for the processing, combined with poor transparency and record-keeping.
The ICO initially proposed a £45,000 fine but reduced it to £18,000, considering Birthlink’s financial position and the remedial actions taken, including appointing a data protection officer and digitising records. The fine was calculated based on Birthlink’s support costs (£211,700) rather than total income. In its decision, the ICO explained it had taken a similar approach to calculating fines against public authorities by considering their administrative budget. £18,000 amounts to approximately 8.5% of those costs, highlighting the severity of the breach and reinforcing that even small, well-meaning organisations are expected to meet GDPR standards.
Key takeaways
Deletion requires careful thought too
This case serves as a rare example of a GDPR breach caused by excessive deletion rather than over-retention. It highlights the need for organisations to carefully evaluate not only when data should be deleted, but also what must be preserved, in particular when only manual records exist. Deletion, if mishandled, can result in irreversible harm and serious compliance failures.
Security includes people and processes — not just technology
The decision is a useful reminder that security is not limited to technical safeguards; it also encompasses organisational measures such as staff training, internal policies, and governance structures. Birthlink’s failure to implement these safeguards significantly impaired its ability to prevent or respond to the breach.
The importance of keeping a record of processing activities
The ICO also highlighted Birthlink’s lack of proper record-keeping. In particular, without a record of processing activities, the charity was unable to confirm what data had been destroyed or who was affected. Birthlink was also unable to notify affected individuals and had to rely on them to come forward to identify missing information. The ICO has stated that the true extent of the actual loss will never fully be known.
The human impact of data protection
This case reflects the ICO’s growing focus on the real-world impact of data breaches, as seen in its Ripple Effect campaign. Birthlink has acknowledged the severity of the breach, admitting that some destroyed records may have been the only link to a person’s ancestry. If anything, this penalty serves as a reminder that data protection is more than a mere compliance exercise, as personal data breaches can cause lasting and significant personal harm.
Many thanks to Ana Casanueva for her assistance in preparing this post.