
The Information Commissioner’s Office (ICO) has this week taken action against Birthlink, a Scottish charity, for infringements of data protection law in relation to the destruction of a large volume of personal records, some of which may be irreplaceable.
A monetary penalty of £18,000 has been imposed on the charity, which aims to enhance and promote the wellbeing of adults who have been affected by adoption with a Scottish connection or have experience of the care system in Scotland. The penalty centres on events in 2021, when paper records of people who had been supported by the charity’s post-adoption service and linked on the Adoption Contact Register were destroyed, with no log kept of what or whose records were destroyed. Due to historic record-keeping practices, it is not possible to know precisely how many people have been impacted by this, or who those people are.
This raises a number of important issues in terms of compliance with data protection law and how records are managed and maintained.
Definition of data breach
When we think about a data breach, we often think of data having been compromised so that it lands in the hands of an unauthorised person, such as the breaches resulting from the recent cyber attacks on a number of large UK retailers. However, the definition of a personal data breach is much wider than that. The UK GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This case highlights that the definition of a data breach also includes circumstances where data is destroyed when it should have been retained, whether by accidental or deliberate means.
Retaining paper records
The records which were destroyed were paper records, stored in filing cabinets in which the charity sought to create space. The ICO identified that Birthlink had failed to implement a data retention policy, a data destruction policy, any sufficient internal approval process for the destruction of so-called “Linked Records”, and any data protection training for staff. It further found that such measures could have been implemented at minimal cost and would, in all likelihood, have prevented the unauthorised destruction of the records.
Having such measures in place may be all the more important where paper files are kept, some of which are original copies. For example, protecting an original handwritten letter is important to ensure that it isn’t lost or destroyed, as that specific copy can have great sentimental value. It is important to have clear retention periods which are appropriate for the type of personal data and to comply with the principle of storage limitation, which means not keeping personal data for longer than it is needed and being able to justify how long data is kept. In the case of paper records, once the retention period is over, records should be destroyed securely, for example by shredding.
Ripple effect
The Head of Investigations at the ICO touched on the profound effect that a case such as this can have on the human beings at the heart of it, and how this can continue to affect lives long after the breach occurs. The ICO stated that Birthlink ought to have been aware of the high risk of damage and distress likely to be caused to its service users if Linked Records were destroyed without authorisation or were otherwise lost. This highlights the importance of robust record-keeping practices, particularly where information with a high degree of sensitivity is involved.
Conclusion
The ICO concluded that Birthlink should have implemented appropriate policies, procedures and training to demonstrate compliance with the UK GDPR. This might have ensured that staff were clear on their responsibilities in relation to the data they were handling, allowed paper records to be kept secure, and minimised the risk of a data breach. These policies ought to have been created against the backdrop of privacy by design, ensuring that the charity’s approach reflected its particular circumstances. A starting point for assessing an organisation’s level of compliance and the robustness of its measures could be a gap analysis which identifies the level of compliance across that organisation. Once this has been completed, a strategy can be put in place to build appropriate policies and procedures and to train staff adequately.
Please contact our specialist Data Protection team if you would like advice and assistance with any area of data protection compliance, including policies and procedures and data protection training. Contact us on 03330 430350.