ICO fines adoption charity for destruction of irreplaceable personal records
Recent enforcement action by the Information Commissioner’s Office (ICO) against a UK adoption charity has highlighted the vital importance of robust record management in the charity sector.
What happened?
The charity concerned maintains the Adoption Contact Register for Scotland and provides post-adoption support and advice.
It stored adoption-related paper documents in filing cabinets. These included items such as handwritten letters from birth parents, baby photographs and other sensitive personal information not recorded elsewhere, so they would be irreplaceable if lost.
In April 2021, the charity unlawfully destroyed documents containing the personal information of approximately 4,800 individuals; it is estimated that up to 10% of the destroyed documents were irreplaceable.
The data loss was uncovered in September 2023 during a Care Inspectorate review; the charity then reported the breach to the ICO, over two years late.
The ICO decided that the charity had infringed data protection law and imposed a fine of £18,000.
What do charities need to do?
This case highlights the need for charities to:
- understand what personal information they hold, where it is stored, who it is shared with, how long it is retained, and the potential impact on individuals if that personal information is lost
- identify the lawful bases relied on for processing personal information, including when destroying personal information
- maintain a record of their processing activities (unless exempt from doing so)
- implement appropriate organisational measures to ensure the security of personal information, including against accidental or unlawful destruction or loss. This includes locking cabinets, implementing a clear desk policy, locking computer screens when staff leave their desks, and providing regular training to staff
- implement appropriate data protection policies and procedures, including a data retention policy and data destruction policy
- where a data breach is likely to result in a risk to people’s rights and freedoms, report the breach to the ICO without undue delay and where feasible within 72 hours of becoming aware of it. Charities need to remember that a breach of security resulting in the accidental or unlawful destruction or loss of personal information can be a reportable data breach
- comply with the principles of how personal information should be handled and demonstrate compliance with those principles
This case is a reminder that Trustees must take proactive steps to ensure data protection is embedded in their charity’s risk management and compliance frameworks.
If your charity would benefit from expert advice on reviewing data protection policies or managing subject access requests, our Data Protection team is here to help. Please don’t hesitate to get in touch for tailored support.
Disclaimer
This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.