The Information Tribunal’s judgment in the successful appeal by Scottish Borders Council shows that the ICO needs to focus on the contravention itself, not an incident which might arise from it
looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one
Sections 55A-E of the Data Protection 1998 (DPA), inserted by the Criminal Justice and Immigration Act 2008, provide for the Information Commissioner (IC) to serve a data controller with a monetary penalty notice (MPN) to a maximum of £500,000 if
- he is satisfied that there has been a serious contravention of the controller’s obligations to comply with the data protection principles in Schedule One of the DPA, and
- the contravention was of a kind likely to cause substantial damage or substantial distress, and
- the contravention was either deliberate or the controller either knew or ought to have known that there was a risk that the contravention of its occurring and that it would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.
In its judgment, handed down today, on what is effectively* a successful appeal by Scottish Borders Council, the First-tier Tribunal (Information Rights) (“FTT”) has given guidance on, what is required in order for the IC to be satisfied that a serious contravention was likely to cause substantial damage or substantial distress. In particular, the FTT has clarified that, where the DPA talks about a “serious contravention”, the IC must focus on that, and not on any incident which might follow.
The Monetary Penalty Notice
The events giving rise to the original MPN (still currently on the IC’s website) are laid out by the FTT in the first two paragraphs of the judgment
Outside Tesco in South Queensferry there are some bins for recycling waste paper. They are of the “post box” type. On 10 September 2011 a member of the public found that one of the bins was overflowing. The material at the top, easily accessible, consisted of files containing pension records kept by a local authority (“Scottish Borders”). It turned out that a data processing company had transferred the information from hard copy files to CDs at Scottish Borders’ request. The data processor had then disposed of about 1,600 manual files in the post box bins at Tesco and at another supermarket in the town.
The police took into their possession all those files which they could reach. They then secured the bins and, with the cooperation of Scottish Borders, it was ascertained that the files concerned had now either been pulped without manual intervention or were now back in the safe keeping of the council.
The IC imposed an MPN of £250,000, finding that there had been a serious contravention of the obligation to comply with the seventh data protection principle (DPP7) which states that
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
and that, where, as here, processing of personal data is carried out by a data processor on behalf of a data controller, the latter must choose as the former one who provides sufficient guarantees in respect of its data security measures, and ensure that such processing is carried out under a suitable written contract (I paraphrase).
The contravention here was the failure by the Council to ensure that it engaged an appropriate data processor (to dispose of the pensions records) in an appropriate way (by means of an adequate contract, properly monitored and adequately evidenced in writing).
The IC said that contravention was likely to cause substantial damage or substantial distress (query, which?) to those whose confidential data was seen by a member of the public and that
If the data has been disclosed to untrustworthy third parties then it is likely that the contravention would cause further distress and also substantial damage to the data subjects such as exposing them to identity fraud and possible financial loss
Arguments and findings
The FTT found that there was a contravention. The Council had a long-standing (some 25-30 years) agreement with the data processor but it appears that the contractual arrangement was largely based on informal agreements and assurances. Although it was to an extent evidence in writing, this was still inadequate. Accordingly
the arrangements made by Scottish Borders for processing pension records in July and August 2011 were in contravention of the DPA
Further, the FTT was satisfied that the contravention was serious
the duties in relation to data processing contracts in paras 11 and 12 of schedule 1 are at the heart of the system for protecting personal data under DPA. It is fundamental that the data controller cannot be allowed to contract out its responsibilities [and] the contravention was not an isolated human error. It was systemic
However, counsel for the IC, the redoubtable Robin Hopkins, reminded the FTT that they must focus on the contravention which gave rise to the MPN. In this case, this was distinguishable from the events described in the first two paragraphs of the judgment: the contravention was the breach of DPP7, not the discovery of the data. On this basis, the FTT did not accept that the contravention had been of a kind likely to cause substantial damage or substantial distress. Evidence was taken from David Smith, Deputy IC, and the IC developed an argument focusing on the risks of identity theft, but the FTT seems to have felt that the evidence was either unconvincing (regarding the likelihood of identity theft) or still focused wrongly on what it calls the “trigger point” (the disposal/finding of the files in the bin) rather than the contravention itself. As to the latter
it seems to us that the fact that the data processor was a specialist contractor with a history of 25-30 years of dealings with Scottish Borders carries weight. He was no fly by night. The council had good reason to trust the company.
Focussing on the contravention we have been unable to construct a likely chain of events which would lead to substantial damage or substantial distress. What did happen was of course startling enough. Again, though, looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one.
This illustrates a fundamental point, but one, it seems, of great significance. It will, no doubt, be seized upon eagerly by any data controller in receipt of a notice of intent to serve an MPN. (It was also, I should acknowledge, anticipated by observations by Tim Turner and Andrew Walsh, both former ICO employees). However, the FTT do stress that although this case did not involve a contravention of a kind likely to cause substantial damage or substantial distress
No doubt some breaches of the seventh DPP in respect of some data might be of such a kind
I said earlier this was “effectively a successful appeal”. It was in fact an appeal on a preliminary issue (on the liability of the Council to pay an MPN) and under the Data Protection (Monetary Penalties) Order 2010 the FTT may either allow the appeal or substitute such other notice or decision which could have been served or made by the IC. The FTT’s concerns about the Council’s procedures in relation to data processing contracts were “too serious” for them simply to allow the appeal, and they are – pending discussions between the IC and the Council – considering whether to issue an enforcement notice.
Notwithstanding the outcome of those discussions, this is an important judgment to be read alongside the unsuccessful MPN appeal by the Central London Community Healthcare NHS Trust. Until an MPN case gets appealed further we will not have binding authority, but the lines are perhaps becoming a bit clearer for data controllers, and, indeed for the ICO.
There were some interesting comments and observations by the FTT on “other issues canvassed in the course of [the] appeal but which it has not been necessary to resolve”. I hope to post a follow-up about these in due course.