In short, and in a unanimous 35-page decision, the ICO won hands down. Data controllers, be aware. Be very aware.
What happened? Sensitive medical details were faxed to the wrong address on 45 separate occasions. In total, information about 58 people was unlawfully disclosed. After first agreeing to pay a Civil Monetary Penalty, and hoping that it would be less than £90,000, the NHS Trust then found 9 reasons why it should not pay the penalty once the Commissioner had formally decided that they should pay £90,000 (with a 20% discount for early payment). The Trust subsequently dropped one of these reasons, while the Tribunal dismissed the other 8.
Anya Proops, Counsel for the ICO argued that: "The primary purpose of the statutory penalty regime embodied in section 55A is not to ensure that contraventions are voluntarily reported when they occur but rather to penalise data controllers in circumstances where they deliberately or negligently/recklessly commit serious contraventions of the legislation, thereby promoting compliance with the Act (by that public authority and others)."
The Tribunal agreed. The key findings are:
"We ... find that a voluntary notification of a serious breach of the DPPs does not preclude the IC from investigating the breach with a view to issuing an MPN as well as taking other enforcement action. [In relation to the other grounds of appeal] we find that the IC's decision was in accordance with the law, and/or properly involved the exercise of his discretion."
Expect to see a wave of emails inviting you to attend emergency briefing sessions on the decision. From my perspective, there are 3 lessons that should be learnt:
1. Don't use fax machines to send sensitive personal data.
2. Pay whatever penalty the Commissioner decides.
3. Think very carefully before mounting an expensive appeal which, if you are a public authority, may well only deprive service users of even more vital resources.
Source:
http://www.panopticonblog.com/wp-content/uploads/2013/01/Central-London-NHS-Trust-v-IC-EA20120111.pdf
Image credit:
http://static.guim.co.uk/sys-images/Guardian/About/General/2009/7/15/1247686103377/Supreme-Court-of-UK-001.jpg