Monday, 21 January 2013

ICO wins historic civil monetary penalty appeal

All credit to the Panopticon blog for being the first to report on the result of the historic Central London NHS Trust appeal before the Information Rights Tribunal. This is an appeal about the power of the ICO to issue civil monetary penalties. The decision ought to be published on the Tribunal's website shortly.

In short, and in a unanimous 35 page decision, the ICO won hands down. Data controllers, be aware. Be very aware. 

What happened? Sensitive medical details were faxed to the wrong address on 45 separate occasions. In total, information about 58 people was unlawfully disclosed. After first agreeing to pay a Civil Monetary Penalty, and hoping that it would be less than £90,000, the NHS Trust then found 9 reasons why it should not pay the penalty once the Commissioner had formally decided that they should pay £90,000 (with a 20% discount for early payment). The Trust subsequently dropped one of these reasons, while the Tribunal dismissed the other 8.

Anya Proops, Counsel for the ICO, argued that: "The primary purpose of the statutory penalty regime embodied in section 55A is not to ensure that contraventions are voluntarily reported when they occur but rather to penalise data controllers in circumstances where they deliberately or negligently/recklessly commit serious contraventions of the legislation, thereby promoting compliance with the Act (by that public authority and others)."

The Tribunal agreed. The key findings are:
"We ... find that a voluntary notification of a serious breach of the DPPs does not preclude the IC from investigating the breach with a view to issuing an MPN as well as taking other enforcement action.

[In relation to the other grounds of appeal] we find that the IC’s decision was in accordance with the law, and/or properly involved the exercise of his discretion."

Expect to see a wave of emails inviting you to attend emergency briefing sessions on the decision. From my perspective, there are 3 lessons that should be learnt:  
Don’t use fax machines to send sensitive personal data.
Pay whatever penalty the Commissioner decides.
Think very carefully before mounting an expensive appeal which, if you are a public authority, may well only deprive service users of even more vital resources.
