Do not destroy – Why the retention of personal data matters

Managing the retention of personal data records has always been challenging for organisations. The main issues usually involve protecting records from unauthorised access and securely removing or destroying them once the retention period has expired.

The recent ICO decision in the Birthlink case highlights the importance of keeping records when they are still necessary and within the required retention period, rather than destroying them too soon.

Birthlink is an adoption support charity based in Edinburgh that has also maintained the Adoption Contact Register for Scotland since 1984. The organisation was recently fined £18,000 (reduced from an initial fine of £45,000) by the ICO after it was found that Birthlink had wrongfully destroyed an estimated 4,800 records, around 10% of which were deemed to be irreplaceable.

Breach summary and ICO findings
  • Birthlink’s decision to destroy the records followed a Board meeting in 2021 in which the need to clear physical storage space was emphasised. It was agreed that there were no reasons to prevent the destruction of records and that the organisation’s retention periods only applied to certain files.
  • Birthlink aimed to destroy only replaceable records but, due to poor record keeping, irreplaceable records were also destroyed in the process. Despite a member of staff raising concerns at the time about shredding photographs and other records, it was reiterated that “it needed to be done.”
  • Following a Care Inspectorate inspection in 2023, Birthlink became aware of the destruction of irreplaceable records and self-reported the breach to the ICO.
  • The ICO investigation found, “at the time of the breach there was a limited understanding of data protection law at the charity, which had not implemented relevant policies and procedures or appropriately trained its staff.”
  • It was stated that had Birthlink initially implemented “cost effective and easy to implement” policies and procedures, this breach could have been prevented.

What does this mean for your organisation?

Although this was a serious breach, the ICO fine was reduced from £45,000 to £18,000 due to the charity implementing various improvements following the incident. These included:

  • The appointment of a Data Protection Officer
  • A comprehensive review of information governance processes and the introduction of a clear policy framework
  • The implementation of a digital recording and storage system for all physical records
  • The incorporation of regular staff training


This case demonstrates the importance of ensuring your organisation’s data protection processes and policies are continuously kept in line with UK Data Protection legislation.

The appointment of a Data Protection Officer by Birthlink was seen to be a positive improvement, which highlights the role of a DPO in reducing data protection compliance risks in the organisation.

With Hope and May’s Outsourced DPO service, we can assist you with effectively incorporating measures tailored specifically to your organisation, to help prevent such situations from occurring while helping to preserve what may be irreplaceable.

If you would like to enquire about our services, please contact us on info@hope-may.com
