06 Aug 2025

Scottish Charity Fined £18,000 for Destruction of Irreplaceable Personal Records

A Scottish charity has been fined £18,000 after destroying thousands of personal records, due to poor records management. The incident highlights the critical need for strong data protection practices in sensitive service areas.

The UK Information Commissioner’s Office (ICO) has fined Scottish charity Birthlink £18,000 following the unlawful destruction of approximately 4,800 personal records, some of which may have been irreplaceable.

Among the records lost were handwritten letters, photographs from birth parents, and other deeply personal documents linked to post-adoption support services. The ICO’s investigation revealed significant failings in Birthlink’s data protection practices and records management processes, with limited understanding of legal obligations and no adequate policies in place at the time of the breach.

“These weren’t just records, they represented memories, identity, and a sense of belonging,” said Sally Anne Poole, Head of Investigations at the ICO. “This breach serves as a powerful reminder that data protection is ultimately about people.”

The incident stemmed from a decision in 2021 to destroy “Linked Records” to create space in storage. These files included sensitive and often emotionally significant items from individuals previously connected through the charity’s services. Despite initial safeguards agreed by the Board, poor documentation and a lack of controls resulted in the irreversible loss of items that should have been retained.

Concerns were raised during the destruction process, including objections to the shredding of personal photographs, but the activity continued. An inspection by the Care Inspectorate in 2023 revealed the extent of the damage, prompting the charity to self-report to the ICO.

In light of the charity’s subsequent cooperation and improvements, including the appointment of a Data Protection Officer, digital transition of physical records, and staff training, the fine was reduced from the original £45,000 to £18,000.

This case echoes the themes of the ICO’s Ripple Effect campaign, which highlights how data breaches can have profound and lasting impacts on individuals’ lives. The ICO urges all organisations, especially those working with sensitive or life-impacting data, to strengthen their records management and data protection practices.

Support and Guidance
Those who believe they may have been affected are encouraged to contact Birthlink directly for support.

The ICO provides guidance for organisations of all sizes, including small charities, on managing data responsibly. This includes practical tools, training materials, and sector-specific advice on information security and records retention.

Return to listing