The Right Way to Let Go: Lessons from the Birthlink Data Deletion Case


Why Deletion Can Feel Terrifying

Many people think of data protection as being about holding data securely. But there comes a time when deletion or anonymisation must happen. There is an entire lifecycle of information that needs to be looked after, and that includes knowing how long you must or should keep data, what to do when data reaches the end of its retention period, and having mechanisms in place for destroying, deleting or anonymising data, depending on what you have decided must happen. We can't keep it 'just in case', keep it 'forever', or keep it for however long we feel we should.

Things do get a little complex from here. You cannot just delete an email or a file and assume it has gone for good, or delete it from the desktop bin and assume it can't be retrieved.

Under the GDPR, anonymous means data that has been changed so that no individual can be identified, directly or indirectly. Once information is truly anonymised, it is no longer considered personal data and falls outside the scope of data protection law.

Deleted, on the other hand, means the personal data has been permanently erased or destroyed so it cannot be recovered or used again.

GDPR does not give a detailed definition of either term, but the principles are clear. If you or anyone could still identify someone, even with a bit of effort or cross-referencing, it is not anonymised. And if the data can be restored, it is not really deleted.

To fill those gaps, we look to guidance. The ICO’s guidance on anonymisation gives practical interpretations.

The guidance is not law, but ignoring it can still land you in difficulty. Enforcement may not always feel consistent, but regulators do define the boundaries of what’s viewed as fair and proportionate. Like it or not, they’re the ones who investigate, interpret, and ultimately decide when those boundaries have been crossed.

Anonymisation and deletion could each fill a full training session on their own. But in very simple terms, do not assume that pressing delete means data cannot be retrieved, and do not assume that because you cannot identify anyone, nobody else could.

Digital information behaves differently, and this is where IT expertise and collaboration are essential.

That sense of dread many organisations feel is real. What if you delete too early? What if you lose something irreplaceable? What if the regulator comes knocking?

Yet fear should not stop you. The Birthlink case is a very clear reminder that deletion must be done responsibly, not avoided altogether.


The Facts of the Case

Birthlink is a Scottish charity that managed the Adoption Contact Register and held both manual and digital records, including highly sensitive 'linked records' used to help adopted people trace family connections.

Between January and April 2021, Birthlink decided to destroy a large volume of manual records stored in filing cabinets to free up office space.

This was done without full authorisation, without any formal risk or impact assessment, and without keeping proper documentation of what was being destroyed.

Some of the material was irreplaceable: handwritten letters, photographs, and personal documents of emotional and historical importance.

The destruction was also not reported to the ICO at the time, despite the legal duty to report personal data breaches within 72 hours where there is a risk to individuals’ rights and freedoms. The ICO was only informed more than two years later.

Following investigation, the ICO found that several core GDPR principles had been breached, including integrity and confidentiality, accountability, security, and breach notification.

Although the initial penalty proposed was £45,000, this was reduced to £18,000 after taking into account Birthlink’s charitable status, cooperation, and the steps taken afterwards to address the failings.

In essence, the data was deleted but without oversight, without control, and without appreciation for the sensitivity or lasting value of what was being destroyed.


What Went Wrong and What We Can Learn

From the ICO’s decision, several clear lessons stand out for any organisation that handles personal data:

Lack of governance and oversight: Decisions about destruction were made informally, with little senior approval or documentation. Always ensure formal authorisation for large-scale data deletion and keep records of who approved it.

No data protection policies or training: At the time, Birthlink had no retention or destruction policy, and staff were not adequately trained in GDPR principles. Policies and ongoing training are essential for safe, consistent practice.

No risk or impact assessment: There was no consideration of how deletion might affect individuals, or whether the records held sentimental or irreplaceable value. Always carry out a data protection impact assessment before processing, which in this case meant deleting a large amount of sensitive data.

Inadequate record keeping: There was no clear record of what had been destroyed, making it impossible to identify who was affected. Keep a destruction log showing what was deleted, when, by whom, and on what authority.

Delayed breach notification: The destruction of personal data was itself a breach, yet it was not reported within the required timeframe. Treat unauthorised destruction as a data breach and assess quickly whether notification is needed.

Underestimating the human impact: The ICO highlighted the emotional harm caused by losing records tied to people’s identity and family history. Data represents real people. Deletion must be handled with care and empathy.

No retention periods or understanding of wider obligations: Perhaps one of the most overlooked points in this case was the lack of defined retention periods and awareness of other applicable legal requirements.

Setting retention periods is not as simple as choosing a number. You must check whether there are other laws that dictate how long you should retain data, and that takes research, professional input, and sometimes specialist advice.

If there are no specific legal obligations, look to regulatory or professional requirements, for example, those set by the NHS for medical records, CIPD for employee records, or other industry bodies.

If none apply, think practically about potential legal claims or complaints where evidence might be needed, such as employment disputes, discrimination cases, or safeguarding issues. Protecting your organisation’s legitimate interests can be a valid reason for setting a reasonable retention period.

And remember, DPOs can guide you in the right direction, but we are not experts in every law or regulation outside data protection. Part of accountability means checking the rules that apply to your organisation and documenting how you reached your retention decisions.

In Birthlink’s case, there were existing regulatory retention requirements that should have been followed. To be fair, the organisation may not have been aware of them at the time, but as the ICO noted, lack of awareness is not a defence.


Deletion as an Act of Respect

One of the strongest messages from this case is that deletion is not just a technical task. It is an act of respect.

When we hold personal data, we act as protectors, almost like bodyguards. Our role is to protect it, manage it, and eventually let it go in a controlled and thoughtful way.

Deletion done carelessly can cause deep distress. The Birthlink case showed that harm is not only procedural but emotional and personal.

Every deletion exercise should be treated as part of a wider duty of care:

  • Be transparent where possible
  • Understand what you are deleting and why
  • Know how to identify an incident and how to escalate it
  • Give proper weight to records with personal or sentimental value, especially sensitive data and what is defined as special category data under GDPR
  • Plan deletion as a deliberate step in the data lifecycle, not an afterthought


How to Delete with Confidence

If you want to make deletion a normal, confident, and compliant part of your organisation’s practice, these are good steps to start with:

  1. Define retention periods clearly
  2. Identify sensitive or irreplaceable records
  3. Carry out a data protection impact assessment
  4. Build in authorisation and oversight
  5. Keep destruction records
  6. Train your teams
  7. Notify where necessary
  8. Align backups and systems
  9. Test your process
  10. Review and improve
  11. Be ready to evidence your process


Why Birthlink Was Fined and What It Tells Us

Birthlink was not fined simply for deleting data. It was fined for how it did it.

There was no formal retention schedule, no risk assessment, no documented authorisation, no training, no policy, and no timely notification of the breach.

In short, the deletion lacked governance, accountability, and respect for the people whose data was lost.

The case also highlights something many organisations overlook: GDPR is not the only law that matters. Depending on your sector, there may be national recordkeeping duties, safeguarding requirements, or specific professional standards that sit alongside GDPR.

Understanding those frameworks is just as important as knowing the articles and recitals. It is all part of treating people’s information with respect.

Deletion done properly is a sign of maturity. It shows that an organisation understands not just how to collect and store data, but how to manage it responsibly throughout its full lifecycle.


Letting Go with Confidence

Deletion does not have to be scary. It just needs to be thoughtful, documented, and respectful.

The Birthlink case is a lesson in what happens when those principles are missing.

Good data protection is not about hoarding information or deleting it in fear. It is about balance, care, and understanding the human side of what we hold.

So let’s not forget the often overlooked principle of storage limitation. This isn’t just about compliance or avoiding fines. It’s about respect. Respect for people, for their stories, and for the trust they place in you. Remember storage limitation, and act like it matters.



More articles by Laura Palmariello CIPP/E
