In August we confirmed that, for the first time, a fine imposed by the ICO had been overturned on appeal at the Information Tribunal. The Tribunal has now published the reasoning behind its decision and it makes interesting reading for any organisation facing the risk of a monetary penalty notice.
In September 2012 the ICO fined Scottish Borders Council £250,000 for a breach of the Data Protection Act after employee pension records relating to more than 600 employees of the council were discovered in a recycling bin. The council had appointed an external service provider to digitise its records. The ICO ruled that it had "failed to seek appropriate guarantees on how the personal data would be kept secure" and considered that this was a classic example of an organisation "taking its eye off the ball" when it outsourced a contract.
On 19 July 2013, the Information Tribunal overturned the fine, but it has only now provided the reasoning behind its decision. In coming to its decision, the Tribunal considered the fact that the external service provider was a specialist contractor and that the council had a long-standing business relationship of between 25 and 30 years with it.
These facts meant the Tribunal determined that the council had good reason to trust the external service provider to securely destroy the hard-copy data once it had been digitised, despite there being no Data Protection Act compliant contract in place.
The Information Tribunal found "there was no liability to a monetary penalty in this case, because looking at the facts and circumstances of the contravention, whilst it was serious, it was not of a kind likely to cause substantial damage or substantial distress."
This closely follows the provisions of section 55A of the Data Protection Act, which provides that the ICO is entitled to impose a monetary penalty notice if the following conditions are met:
there is a serious breach of the Act;
the breach is likely to lead to substantial damage or substantial distress; and
the breach was deliberate or the data controller should have known about the risk of a breach and failed to take reasonable steps to prevent the breach from occurring.
The Information Tribunal's decision in the Scottish Borders Council case emphasises the need for all of these conditions to be met before a fine can be imposed. Any organisation facing a monetary penalty notice should carefully scrutinise each condition and determine whether there is a reasonable chance of challenging an ICO finding that all of the conditions are met.
It is particularly interesting that the Tribunal did not consider the potential loss and disclosure of pension records to be a loss likely to lead to substantial damage or substantial distress. Organisations that suffer a data breach should carefully examine the type of data that has been lost or disclosed unlawfully to assess whether substantial damage or distress is likely to arise. Even in cases involving significant volumes of data, if individuals are unlikely to suffer any financial loss or embarrassment due to the breach, then the ICO will not be able to impose a fine.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2013. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.