15 January 2013

The First-Tier Tribunal has dismissed the first ever appeal against a monetary penalty notice.

The Central London Community Healthcare NHS Trust sought to appeal against a £90,000 monetary penalty notice, imposed after it was found to have repeatedly faxed sensitive patient data to the wrong fax number. The appeal was dismissed.

The following points in the decision are worth noting:

  • The Tribunal can consider appeals both as to whether any penalty should have been imposed and as to amount;
  • The Tribunal rejected arguments that its jurisdiction is limited to unreasonable or perverse decisions by the Commissioner;
  • The Trust argued that where public bodies were under a de facto obligation to report a breach (because of administrative guidelines requiring this), the Information Commissioner did not have power to impose a monetary penalty in response to that breach: the Tribunal rejected this;
  • The early payment discount is available only if the organisation does not appeal.

The decision also sheds helpful light on an internal ICO document which sets out the method of deciding the appropriate monetary penalty:

  • Once a decision is made to impose a monetary penalty, the case is placed into one of three bands:
    • Serious (£40,000 - £100,000)
    • Very Serious (£100,000 - £250,000)
    • Most Serious (£250,000 - £500,000)
  • The midpoint of the band is selected, and then aggravating/mitigating factors are applied to determine the final level of the penalty to be imposed.

The decision can be found here.