Data Watchdog Fines UK Charity Over Lost Files

Britain's data protection watchdog has fined Scottish charity Birthlink £18,000 for destroying approximately 4,800 personal records containing irreplaceable adoption documents to create space within their filing cabinets.

The Information Commissioner's Office penalty follows the April 2021 destruction of "linked records" that included handwritten letters from birth parents, photographs and sensitive personal information relating to Scottish adoptions.

Birthlink, which maintains Scotland's Adoption Contact Register, failed to report the data breach until September 2023 - more than two years after the destruction occurred. The charity only notified the ICO after a Care Inspectorate inspection highlighted the loss.

Birthlink lacked basic data protection policies, retention schedules and staff training when the destruction occurred.

"This case highlights that data protection is about people and how a data breach can have far-reaching ripple effects," said Sally Anne Poole, ICO Head of Investigations.

Birthlink estimated the number of files destroyed based on the following assumptions: 24 drawers of filing cabinets containing Linked Records were destroyed; and each drawer contained approximately 200 records.

Staff recalled there being “no thorough check of what was on the files” – they were “just ripped out and put in bags.”

The shredded records filled 40 bags and affected an estimated 4,800 individuals, though the actual number remains "incalculable" due to poor record-keeping practices. Up to 10 per cent of files contained irreplaceable items that represented "deeply personal pieces in the jigsaw of a person's history."

In its notification to the Commissioner, Birthlink admitted that “Amongst the documents shredded were irreplaceable handwritten letters from parents to their children who were adopted away from them. Photographs of babies were destroyed. The significance of these documents cannot be underestimated. People will no longer have access to them.”

The ICO found Birthlink infringed multiple UK GDPR provisions, including the integrity and confidentiality principle, accountability requirements, security of processing obligations and breach notification duties.

The charity's board approved record destruction without understanding the contents or implementing proper safeguards. Staff were “uncomfortable shredding people’s photographs and cards” but were told “it needed to be done”.

Birthlink argued financial hardship, prompting the ICO to reduce the penalty from an initial £45,000. The charity has since implemented comprehensive data protection measures, including digital record storage, staff training and the appointment of a data protection officer.

Birthlink’s interim chief executive Abbi Jackson acknowledged that the destruction of the files was “a grave error”.

“Birthlink offers its deepest and most sincere apology for the destruction of post-adoption support records, including deeply personal, irreplaceable documents,” she said.

“We recognise and profoundly regret any loss and distress this may have caused.”

Jackson admitted that “a lack of knowledge about data protection legal requirements existed at Birthlink at the time of the breach” and that there were “inadequate systems in place to keep vitally important information safe”.

“Documents which are deeply personal, things which matter hugely to people’s histories and sense of identity, weren’t handled with the respect and thought that they deserved.

“That’s inexcusable. We want to assure everyone who’s interacted with Birthlink that we’re doing everything in our power to ensure this can never happen again.”