In August 2013, the First-tier Tribunal (FTT) published its reasons for overturning a fine of £250,000 imposed by the UK Information Commissioner’s Office (ICO) on the Scottish Borders Council (SBC) for a serious breach of the Data Protection Act (DPA) 1998. We reported the case and detailed the duties under the DPA for Trustees and scheme administrators on 16 October 2012.
The SBC had contracted with a data processing company to transfer information from 1,600 hard copy files to CDs and to dispose of the hard copies on the completion of this task. However, the hard copy records were discarded around recycling bins and found by a member of the public. The records contained personal data relating to pension scheme members, such as names, addresses, national insurance numbers, salary information and bank account details. The data processor had also returned the digitised files to the SBC by standard post on unencrypted CDs. The SBC had failed to put in place an appropriate data processing contract with sufficient guarantees in respect of the Seventh Data Protection Principle set out by the Data Protection Act. The fine was issued in September 2012. SBC appealed and the fine was overturned by the FTT.
The Reasoning of the First-tier Tribunal
Although the Tribunal agreed that the SBC had committed a “serious” breach of the DPA, it did not believe that it was one which was “likely to cause substantial damage or substantial distress.”
Was there a contravention of the data protection principles?
The seventh data protection principle provides that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” In order to comply with this principle, the data controller must select a data processor that provides sufficient guarantees with regard to the way that it handles data. The data controller must also take reasonable steps to ensure that the data processor acts in accordance with those guarantees. In addition, processing must be carried out under a written contract requiring the processor to comply with the obligations set out in the seventh principle and to act only on the controller’s instructions.
The Tribunal found that there had been a contravention of the seventh principle as the measures necessary for the proper protection of information had not been implemented. Although there had been a contract between the data controller and the data processor, it did not discuss the security measures that the processor would put in place to ensure the privacy of the information and it failed to require the processor to act in accordance with seventh principle requirements. Furthermore, the contract was not fully evidenced in writing and did not contain sufficient information to allow for compliance with the seventh principle.
Was the contravention serious?
The breach was regarded as serious for two reasons. Firstly, it was held that the Council could not be allowed to contract out of its data protection responsibilities. Secondly, the FTT found that the contravention was systematic rather than an isolated error, because the Council had no arrangement in place to ensure compliance with the data protection principles when it entered into contracts with subcontractors.
Was the contravention likely to cause substantial damage or substantial distress?
The FTT held that it was unable to construct a “likely” chain of events which would lead to substantial damage or distress, as the outcome of the situation was surprising rather than likely. There are a number of reasons why the contravention of the data protection principles was surprising in this scenario. Firstly, the data processor was a specialist contractor with a longstanding relationship with the SBC. This meant that the SBC had good reason to trust that it would comply with the data protection principles and destroy sensitive information on completion of the project. Furthermore, the data processor had initially arranged for a large paper waste company to destroy the hard copy files once they had been digitised. Although this arrangement had been terminated in 2008, the SBC was unaware of the change.
In order to impose fines for the contravention of data protection principles, the ICO will now have to consider whether the breach did lead or was likely to lead to identity theft or another type of invasion of privacy that caused the data subject substantial distress or substantial damage. This case also highlights the fact that data controllers cannot outsource their data protection responsibilities and must carry out regular reviews and assessments to that effect. Furthermore, the FTT made it clear in its judgement that each case is to be decided on its particular facts.
Future reforms – European Regulations to introduce enhanced data protection
Draft EU Regulations, if passed into law, would require member states to implement a number of stringent data protection policies. Some of the measures being considered include:
- Specific obligations imposed directly on data processors;
- Substantive changes to certain key definitions, especially in respect of “consent” and the scope of personal data of a data subject;
- Detailed obligations to implement the necessary measures and carry out the required procedures in relation to the processing of personal data;
- An obligation on data controllers to issue a notification following any breach of data protection;
- A range of sanctions for the breach of data protection requirements and an increase in the maximum fine available.
Trustees and Scheme Administrators should ensure that existing contracts with third parties comply with the DPA and include data security clauses. This is even more important if the contracts are historical, as you may not be aware of changes in the third party’s business.