Following an appeal to the First Tier Tribunal, the Scottish Borders Council has become the first organisation to successfully challenge a fine issued by the Information Commissioner’s Office (ICO) under the Data Protection Act 1998.
The Tribunal’s decision provides some interesting insight into how the Tribunal interprets the rules governing monetary penalty notices (MPNs). If the Tribunal’s interpretation is correct, it raises a question mark over the extent to which the MPN regime actually provides the ICO with effective enforcement powers to take action against breaches of the DPA.
The SBC had contracted with a data processor (GS) to digitise its pension records. Under the arrangement, GS would collect pension records from the SBC and scan them onto a CD. This arrangement had gone on for a number of years, albeit no written contract was in place.
In September 2011, a member of the public found that the paper recycling bins at his local Tesco supermarket were overflowing. The SBC pension records were clearly visible. Upon realising that the records contained personal data, the member of the public contacted the police, who attended the scene, removed those records that were accessible and secured the recycling bins. 676 files had been disposed of at the public recycling bin on that day. A further 172 files had been disposed of at another recycling bank on the same day.
The files contained personal information including the name, address, national insurance number and date of birth of pension scheme members (and, in some cases, their spouses). Nearly half of the records contained salary and bank account information.
Prior to the incident in question, GS had scanned a further 8,000 records. This was usually done on a three yearly basis. GS would collect the files from SBC, scan the files at its place of business, and then post the digitised files back to the SBC on unencrypted discs using standard post. The SBC was not aware that GS had been disposing of the paper records at paper recycling banks. Prior to 2008, GS used a large paper waste company to destroy records, but the SBC was not aware that no secure arrangements were in place after that date.
The SBC terminated its contract with GS upon being notified of the breach. It is not believed that any data subject suffered any loss or identity theft.
The ICO’s Decision
Under s 55A of the DPA, the ICO can issue fines of up to £500,000 for serious breaches of the DPA that have caused, or are likely to cause, substantial damage or substantial distress.
In its decision notice, the ICO found that the SBC was in breach of the seventh data protection principle (the obligation to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data) and paragraphs 9, 10, 11 and 12 of Part II of Sch 1 to the DPA (which are relevant to the seventh principle).
In particular, the ICO noted that:
· the SBC had failed to choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures to be taken by GS;
· the SBC had not put in place regular monitoring to ensure GS’s compliance with these standards, or to establish whether GS offered secure destruction facilities; and
· no written contract was in place (in breach of paragraph 12 of Part II of Sch 1), and no clear instructions were issued to GS in relation to the processing to be carried out.
Having established that serious breaches of the DPA took place, the ICO went on to conclude that the breach was likely to cause substantial damage or substantial distress to data subjects whose confidential information was seen by a member of the public that had no right to see that information.
The data subjects in question would also be “justifiably concerned that their data may have been further disseminated even if those concerns do not actually materialise.” If the data had been disclosed to “untrustworthy third parties” then it is likely that further distress would be caused by exposing them to identity fraud and possible financial loss.
As a result, the ICO issued a fine of £250,000. At the time, this was the highest fine issued to a data controller outside the NHS.
Appeal to the Tribunal and the Tribunal’s Reasoning
The SBC appealed to the Tribunal.
Whilst the Tribunal agreed that the SBC had committed a “serious” breach of the DPA, the Tribunal held that there could be no monetary penalty because the breach was not of a kind “likely to cause substantial damage or substantial distress.” It was necessary to focus on the likeliness arising from the breach of the DPA itself, not the trigger event giving rise to the security breach.
In coming to its decision, the Tribunal focused on the fact that the data processing company was a specialist contractor with a history of between 25 and 30 years dealings with the SBC.
Accordingly, in the eyes of the Tribunal, the SBC had good reason to trust that the data protection company would arrange for the hard copies of the records to be destroyed, despite no written contract being in place in accordance with the requirements of the DPA.
Further, the Tribunal outlined:
‘Focusing on the contravention we have been unable to construct a likely chain of events which would lead to substantial damage or substantial distress. What did happen was of course startling enough. Again, though, looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one.’
Both the ICO and the SBC led expert evidence on the question of whether the breach was likely to lead to identity theft. The Tribunal favoured the evidence led by the SBC’s expert that any such risk was low.
This evidence looked at whether, as a matter of fact, identity theft was “likely” to occur as a result of the breach of the DPA in question, as opposed to the perceived impact of such breach on the data subjects concerned. In other words, when considering whether or not substantial damage or substantial distress was likely to occur, it is not enough that a data subject might (whether justified or not) suffer substantial distress simply by knowing that its personal data had been left in a public place. According to the Tribunal, the ICO would need to show that as a direct result of the original breach of the DPA itself, there was a genuine and likely risk that identify theft would occur.
The Tribunal therefore concluded that:
‘The overwhelmingly likely result of the summer 2011 arrangements, it seems to us was that the data processor would arrange for the files to be properly destroyed – to the extent that we would not describe any other outcome as likely.’
In the absence of any previous audit by the SBC of GS’s processes and procedures or detailed contractual provisions, it is not clear how the Tribunal reached the conclusion that the likely outcome is that the files would be properly destroyed, particularly given that the Tribunal agreed that the SBC was in breach of its obligations in relation to the seventh principle.
Whilst the MPN was overturned, given the concerns the case highlighted in relation to the SBC’s procedures in relation to contracts for data processing, however, the Tribunal was not prepared to leave matters there. Accordingly, the Tribunal delayed consideration of whether to issue an enforcement notice or take some other action against the SBC, to allow discussions between the SBC and the ICO about the placing of data processing contracts and the training given to staff involved.
Where Next for Monetary Penalties under the DPA?
The decision is likely to undermine the ICO’s enforcement powers under the monetary penalty regime – a regime that was intended to provide the ICO with teeth to take appropriate action in the event of data breaches.
The Tribunal’s decision in this case is not binding on future Tribunal hearings. However, if the Tribunal’s approach is correct, it appears that monetary penalties can be issued only where it can be shown that the data breach did lead or was likely to lead to identify theft or some other privacy intrusion that would cause the data subject substantial distress or substantial damage.
This would mean that the sanction of issuing an MPN may not be available where there was a serious breach of the DPA but, due to good fortune, the chance of identity theft (or some other incident that could cause substantial damage or substantial distress) arising in that particular case was low. In such circumstances, the ICO would be left only with its pre-MPN powers of enforcement notices and requiring data subjects to give undertakings.
How would the same Tribunal interpret a CD of personal information that goes missing in the post? The chances of that CD falling into the hands of someone who might then use it to carry out identity theft are probably in a similar range to that same person happening to be in a Tesco car park ten miles outside Edinburgh. Indeed, in the SBC case, no reference is made to GS returning the files by post on any unencrypted CD (another potential breach) when assessing whether or not an MPN should be issued.
Yet it is exactly this sort of incident (and the perceived lack of effective enforcement powers) that led to the ICO being granted the power to issue MPNs.
In the ICO’s press release in January 2010 welcoming the new power to issue MPNs, the ICO gave the following example of an incident that might give rise to an MPN:
Example – Distress
Following a security breach by a data controller medical details are stolen and an individual suffers worry and anxiety that his sensitive personal data will be made public even if his concerns do not materialise
That statement is at odds with the Tribunal’s approach in the SBC case. If the Tribunal’s decision is correct, then it seems that the powers introduced in 2010 may not give the ICO the enforcement powers it craved. It will be interesting to see whether the case is the first in a series of successful appeals against ICO fines.
Martin Sloan is an associate in the IP, Technology and Outsourcing group at Brodies LLP. Email: firstname.lastname@example.org Twitter: @lawyer_martin