Birthlink fined £18,000 for deletion of sensitive adoption records

When we think of data privacy regulation, we naturally focus on the obligation to refrain from collecting information, but this case is a reminder that the law also demands that certain data remain under the organization’s management. This is the first case dealing with data loss under the UK GDPR. 

The UK ICO fined Scottish charity Birthlink £18,000 after it lost thousands of highly sensitive records in 2021 and reported the loss in 2023. The data includes files related to adoption and post-adoption support services, historical information that could not be recovered, and profoundly affects individuals seeking details about their biological families.  

The regulator stated that Birthlink failed to implement basic data protection measures and lacked sufficient awareness of its responsibilities under the UK GDPR. While the fine was lower than others issued by the ICO, the regulator pointed out that the harm in this case was substantial, given the personal and emotional importance of the records.

‍