Wednesday, 5 December 2012
The Tribunal hears the first Civil Monetary Penalty appeal
Well, history has been made. And I was there!
What a sight. There were 3 on the bench. The ICO’s team also comprised 3 people. The Appellant’s team comprised 8 people (lawyers and supporters etc). A court attendant spent a lot of time (discreetly) on a mobile device, and then there was me. There were also 10 sets of bundles of legal documents, each bundle comprising 5 huge ring files, all carefully annotated. What a mammoth photocopying task that must have been.
Anyway, shortly before (a very late) lunch today, and after 2 earlier days of polite and extremely detailed submissions, the Tribunal, sitting in Breams Buildings, by the Royal Courts of Justice, rose to consider its verdict. The Tribunal Chairman announced that he was reasonably confident that a decision would be published by the end of January. I would not be surprised if it were published in mid January.
What was at issue in this case was whether the ICO was right, in law, to impose a civil monetary penalty on an NHS trust after records of 59 patients were sent to the wrong person, and if the ICO did have the legal authority to do this, whether a fine of £90,000 was appropriate.
What I didn't realise, until today, was that by the time the Trust had become aware of the incident and had reported the incident to the victims, some 3/4 of the affected individuals had already died. Only 15 were still alive. By my maths, that implies that the ICO's fine represented a penalty of £6,000 in respect of each (currently affected) living individual. This certainly affects the data breach cost calculations that most people must be using.
From the arguments that were made today, I’m expecting that the Tribunal might well issue guidance on a few other issues too, such as whether it is acceptable for a data controller to pay a fine early, to enjoy the benefit of the early payment discount, and then appeal it (as you can with certain parking fines).
Today, I also learnt how the ICO determines what sort of fines might be appropriate. Cases are grouped into serious, very serious and most serious categories. It wasn’t clear what characterises a serious case, or indeed what distinguishes a very serious from a most serious case, but I expect the ICO will shortly be doing something about that.
It was really interesting to learn what the starting rate for a fine for a serious case was, before aggravating and mitigating factors were taken into consideration. Readers keen to learn this starting rate can either wait until the ICO publishes its tariff, or they can ask me nicely, with a request wrapped around a bottle of gin to the usual address, and I’ll happily oblige.
Background information about the case can be obtained by searching the internet for “Central London Community Healthcare NHS Trust”, and the ICO’s enforcement notice ENF0406305.
The best soundbites were:
“The ICO believes that public bodies should be subject to higher standards of data protection than private bodies” (Anya Proops, counsel for the Commissioner)
“The ICO is on a learning course as to how it sets its monetary penalties” (Timothy Pitt-Payne QC, counsel for the appellant)
“Shambolic” (Timothy Pitt-Payne QC, counsel for the appellant, commenting on the state of guidance and decision making process that sets penalties)
“It does concern me that this is not a transparent process” (Professor John Angel, Chairman of the Tribunal, commenting on how the ICO determines what levels of fines are appropriate)
“Even those of us who have worked on the legislation for a long time struggle to understand its meaning” (Timothy Pitt-Payne QC, counsel for the appellant, commenting on the DPA)
“Now we know why no-one has run an appeal on these Monetary Penalty Notices before” (Professor John Angel, Chairman of the Tribunal, commenting on the complexity of the relevant parts of the law)