A genealogy website operated by the Scottish government has disclosed the names of thousands of people adopted as children.
The Scotland’s People site made available the records of adoptions dating back more than 100 years, records that included the adopted child’s first name and new surname. While the Information Commissioner’s Office has not received a formal breach report, its officials were contacted by National Records of Scotland (NRS), an official arm of the Scottish government that runs the website.
The mother of an adopted child had stumbled upon the Scotland’s People records after finding her child’s full details on the site, BBC Scotland News reported. “The whole adoption register was there online for everybody to see,” she said. “I was horrified.”
The mother feared that the availability of the information would allow people to track down adopted children by looking up their new surnames.
“It’s every adoptive parent’s worst nightmare that their child’s adoptive name, which has been carefully shielded through the court process, could be made public,” the mother said. “There’s also a massive concern for adults who don’t know they’ve been adopted.”
NRS removed the details of the records after the mother voiced concerns for her child’s safety. “There has been no personal data breach, but we have made the Information Commissioner’s Office aware of the complaint raised and the action we are taking as a precautionary step while we review the way we make this information available,” an NRS spokesperson said.
The revelation comes after data accessed in a hostile cyber-attack on the Electoral Commission obtained the data of 40 million voters, and the details of Northern Ireland police officers were exposed in a “monumental” data breach. While the release of adopted children’s information did not happen because of a breach, it is the latest instance of personal details being revealed or accessed without the person’s knowledge or consent.
“It is important that organisations holding sensitive personal data ensure it is handled in line with data protection law,” an ICO spokesperson said.