The UK Information Commissioner’s Office (the “ICO”) experienced a surprising setback recently after the Information Rights Tribunal (the “Tribunal”) ruled that a fine of £250,000 issued by the ICO in relation to a breach of the Data Protection Act 1998 (the “DPA”) by Scottish Borders Council (the “Council”) was excessive. The Tribunal overturned the ruling, stating that the £200,000 already paid by the Council should be returned to it, the £50,000 balance having already been waived due to early payment of the fine.
The fine was imposed after the pension records of former employees of the Council were found in an overfilled paper recycle bank in a supermarket car park. The authorities were alerted by a member of the public, and the Council was subsequently fined by the ICO under the authority granted to it by s55A of the DPA. The Council had employed an outside company to digitise the records but had failed to seek appropriate guarantees about how the personal data would be kept secure. The ICO Assistant Commissioner Ken MacDonald described this situation as a “classic case of an organisation taking their eye off the ball when it comes to outsourcing.” The Council chose to pay the fine, thus securing its 20% discount for early payment, but also appealed the decision to impose the fine.
It is somewhat surprising that both the early payment discount and an appeal were allowed. Early payment suggests an admission of guilt, whilst the appeal obviously challenges the decision. Nevertheless, although the two do not seem to be entirely compatible, both were accepted. Given that the purpose of the early payment discount is to discourage appeals, and so decrease the expenditure and time involved in going to the Tribunal, there does not seem to be any benefit to the ICO in allowing both the early payment discount and the appeal, and it is questionable whether the intention was ever to leave both options available. It can therefore probably be expected that steps will be taken in future to ensure that the early payment discount is only available when no appeal is forthcoming.
The ICO can issue a fine where there has been a contravention likely to cause substantial damage to individuals and the contravention was either deliberate, or the person knew or ought to have known that the contravention would occur and that such a contravention would be of a kind likely to cause substantial damage or distress. The ICO stated that Scottish Borders Council had no contract with the third party that it had appointed to digitise its records, had sought no guarantees on the technical and organisational security protecting its records, and had not made sufficient attempts to monitor how the data was being held. It was for these reasons that the ICO found the Council liable to pay the fine.
The Tribunal agreed with the ICO that, by not taking steps to ensure that the third party was properly dealing with the information, the Council had committed a serious breach of its data protection obligations. However, the Tribunal found that the ICO was unable to show that this breach was likely to lead to substantial damage or substantial distress to the individuals affected, and had therefore failed to meet this requirement of the test. This decision of the Tribunal would perhaps not be supported by people who had their pension details left in such a public place, an experience that many may well have found to be distressing.
This decision helps to clarify the circumstances in which a monetary penalty notice can be issued and highlights the need for both aspects of the test to be met before a monetary penalty notice will be justified. It may also lead to an increase in the number of appeals (often alongside prompt payment of the relevant fine).
Although the fine was overturned, this case still serves as a warning to organisations that allow third parties to handle private information that appropriate safeguards must always be put in place and followed through. The Council has taken steps to address the gaps in its system since this issue came to light.