A £250,000 fine issued by the UK Information Commissioner’s Office (ICO) in September 2012 has been overturned for the first time by the Information Tribunal. The First-Tier Tribunal (“the Tribunal”) decision overturns the ICO’s decision to fine Scottish Borders Council (SBC) for a breach of the Data Protection Act 1998 (DPA).
SBC had contracted with a data processing company to digitise its pension records and in the course of doing that the data processing company (rather astonishingly) disposed of around 1,600 hard copies of the records in recycling bins outside two local supermarkets.
The ICO can issue fines of up to £500,000 in the event of serious breaches of the DPA that are likely to cause substantial damage or substantial distress.
As a result, the ICO issued a fine of £250,000 on SBC based on the Council’s failure to properly check how the information would be kept and disposed of by the data processing company. You can find the original decision here, and read our commentary on that decision in this previous blogpost.
SBC appealed the fine to the Tribunal. Whilst the Tribunal agreed that SBC had committed a ‘serious’ breach of the DPA, the Tribunal held that there could be no monetary penalty because the breach was not of a kind “likely to cause substantial damage or substantial distress”.
The Tribunal’s reasoning
In coming to its decision, the Tribunal focused on the fact that the data processing company was a specialist contractor with a history of between 25 and 30 years’ dealings with SBC. Accordingly, in the eyes of the Tribunal, SBC had good reason to trust that the data processing company would arrange for the hard copies of the records to be destroyed, despite no written contract being in place in accordance with the requirements of the DPA. Further, the Tribunal outlined:
Focusing on the contravention we have been unable to construct a likely chain of events which would lead to substantial damage or substantial distress. What did happen was of course startling enough. Again, though, looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one.
Both the ICO and SBC led expert evidence on the question of whether the breach was likely to lead to identity theft, and the Tribunal favoured the evidence led by SBC’s expert that any such risk was low. This evidence looked at whether, as a matter of fact, identity theft was likely to occur as a result of the breach, as opposed to the perceived impact of such a breach on the data subjects concerned (i.e. whether a data subject was likely to suffer substantial distress by the simple fact that their personal data had been left by a bin).
Interestingly, the Tribunal was not willing to leave matters there, given the concerns the case highlighted in relation to SBC’s procedures in relation to contracts for data processing. Accordingly, the Tribunal delayed consideration of whether to issue an enforcement notice or take some other action against SBC, to allow discussions between SBC and the ICO about the placing of data processing contracts and the training given to staff involved.
Where next for monetary penalties under the DPA?
In the meantime, the decision is likely to undermine the ICO’s enforcement powers under the monetary penalty regime – a regime that was intended to provide the ICO with teeth to take appropriate action in the event of data breaches.
Whilst the Tribunal’s decision in this case is not binding on future Tribunal hearings, if the Tribunal’s approach is correct, then it appears that monetary penalties can only be issued where it can be shown that the data breach did lead or was likely to lead to identity theft or some other privacy intrusion that would cause the data subject substantial distress or substantial damage.
It will be interesting to see whether the case is the first in a series of successful appeals against ICO fines.
On August 30, 2013