Will the London Marathon data breach trigger the ICO’s powers to issue a monetary penalty notice? If so, the ICO is in a tricky position if he is seen to be effectively “fining” such a high-profile charity and delivering that money to central government coffers.
Reports emerged on 23 April that the personal data of runners in this year’s London Marathon had inadvertently been disclosed on the organiser’s website. It appears that names, home addresses and email addresses were exposed. The BBC says:
“The details were accessible all day to anybody logging on to the site…Marathon organisers apologised and said the mistake had been rectified”
A data controller must observe its various obligations under the Data Protection Act 1998 (DPA). London Marathon Ltd appears to be the data controller in this instance, and it donates any surplus income to The London Marathon Charitable Trust. Last year the charity received £4.6m from the company. Some of the income came from the entrance fees of the runners themselves.
The seventh principle of the DPA says:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
A breach of that principle may attract the attention of the regulator of the DPA – the Information Commissioner (ICO). The ICO has various options open to him in the event that he finds that a serious contravention has taken place. In some instances he will require a data controller to sign an undertaking to improve its practices, but since 2010 he has had the power, under section 55A of the DPA, to issue a monetary penalty notice (MPN), to a maximum of £500,000. To date he has issued fourteen, largely to local authorities, and the maximum penalty has been £140,000.
The ICO has issued guidance [PDF] on the issuing of MPNs, which expands on the statutory factors which would trigger exercise of the power:
“there has been a serious contravention… of a kind likely to cause substantial damage or substantial distress…[and] the data controller…knew or ought to have known… that there was a risk that the contravention would occur, and
…that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but…failed to take reasonable steps to prevent the contravention”
The BBC reports that the ICO has said:
“This is something the Information Commissioner will need to look into to see how it has come about.”
“It’s the reasons these things come about that determine the course of the investigation.”
“Every case is different and we will certainly be making enquiries.”
If the ICO does issue an MPN, the money paid goes into the consolidated fund – the government’s own bank account. It is one thing to fine a local authority, and, as I have argued before, politically sensitive to fine, say, an NHS body, but it would be an enormously brave act for the ICO to fine an organisation for disclosing the personal data of thousands of the very people whose amazing efforts have contributed to the funds which would have to be depleted to pay the fine. Even more so when one sees the huge contributions being made to the charity supported by one runner who tragically died in this year’s race.
If a Council published the personal home addresses of 38000 on its website, senior ICO officers would be hectoring them from every conference lectern. They will not fine a charity.
I believe ICO will not go further than requiring an undertaking. As addresses and the marathon are fairly public he will conclude not of a kind likely to cause substantial damage or substantial distress.