The UK’s First-tier Tribunal (Information Rights) has overturned a monetary penalty issued by the Information Commissioner’s Office (ICO) against the Scottish Borders Council (SBC). The £250,000 penalty related to the insecure disposal of hard copies of council records containing personal data and had been issued by the ICO in September 2012. The Tribunal found that the breach was not "of a kind likely to cause substantial damage or substantial distress" as required under section 55A of the Data Protection Act 1998 (DPA). In addition, the Tribunal held that the contravention was not a serious enough contravention of a data controller's duty to uphold the data protection principles, and thus no liability arose such that a monetary penalty notice could be served on a data controller.
The SBC had hired a third-party supplier to scan hard copies of pension files containing personal data onto CDs. The supplier hired by SBC had put about 1,600 pension files into recycle bins at a couple of supermarkets, which were then found by a local member of the public and subsequently taken into police custody. No actual harm was found to have resulted.
Before a monetary penalty can be assessed, the breach must either be deliberate or something that a controller either knew or ought to have known would result in substantial damage or distress and then failed to prevent. The issuance of a monetary penalty by the ICO is discretionary.
The SBC had no formal data processing contract with its data processor and had sought little reassurance as to data security measures. The Tribunal found that although a serious contravention had occurred, based on all of the relevant circumstances, it was not of a kind likely to cause substantial damage or substantial distress. Therefore no monetary penalty could be imposed on the SBC. The Tribunal also found that a monetary penalty notice is subject to a civil standard of probability rather than a criminal standard of proof.
The personal data exposed included name, address, date of birth, national insurance number and salary, and in certain cases, bank account details, nominated beneficiaries and reason for leaving, including references to ill health. The Tribunal found that none of the data was "sensitive personal data", which under the DPA deserves more robust protection. In addition, the SBC had failed to enter into a data processing agreement with the third-party supplier as required under the DPA.
The Tribunal acknowledged that a substantial amount of personal data was exposed and that the breach of the DPA was serious and systematic. The Tribunal also found that proof of actual substantial damage or distress is not required for the ICO to be able to issue a monetary penalty notice. However, in looking at the relevant circumstances, the Tribunal found in this case that it was unlikely that substantial distress or substantial damage would be caused, since such harm must be more than a mere probability. The Tribunal also noted that "it is fundamental that a data controller cannot contract out of its responsibilities" under the DPA and that data controller duties in relation to data processing contracts in the DPA lie at the heart of the data protection system.