The Information Commissioner (ICO) today announced that it had imposed a monetary penalty notice (MPN), under section 55A of the Data Protection Act 1998 (DPA), against Central London Community Healthcare NHS Trust. The penalty was in the sum of £90,000, and was imposed after
patient lists from the Pembridge Palliative Care Unit, intended forSt John’sHospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three month period – but had shredded them.
The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions”
All very interesting, particularly because this was only the second MPN imposed on an NHS body, after one last month against the Aneurin Bevan Health Board.
What was even more interesting, however, was to read on the publicservice.co.uk website that CLCH Trust are saying they will appeal the MPN. This would be the first such appeal, and would be very important in terms of getting some judicial opinion on the law and the ICO’s application of it.
Section 55A of the DPA gives the ICO the power to impose an MPN, while section 55B provides that a person on whom the notice is served may appeal to the First Tier Tribunal (Information Rights) against both the issue of the notice and the amount.
Regulations and an Order (the snappily-titled The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and The Data Protection (Monetary Penalties) Order 2010) make further provision for both the imposing of and appeal against an MPN. Additionally, under section 55C the ICO must issue guidance on “the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and how he will determine the amount of the penalty”.
On appeal the Tribunal can consider both whether the MPN was in accordance with the law and whether, to the extent that it involved an exercise of discretion by the ICO, he ought to have exercised that discretion differently. The statutory section 55C guidance, and whether the ICO has adhered to it, will clearly be important, but so will, I would suggest, any evidence as to consistency of approach. An appellant would do well to submit evidence of examples where similar or worse apparent breaches of the Act have not resulted in an MPN. As Stewart Room wrote some months ago
what is ICO’s plan? By this I mean, how does ICO arrive at its figures and how are they justified?
We’re probably not going to get to the bottom of this until someone takes a case on to appeal, but as we are nearly two years into the fining regime I think we’ve arrived at the point when we can legitimately expect ICO to explain where it is heading with the fine and what has driven it’s decisions so far.”
Perhaps we have indeed now arrived at that point.
EDIT, 7 August 2012:
The Trust are indeed appealing the MPN, and the Information Tribunal has listed it for a three-day-hearing in December. This will be a major case.