The UK First Tier Tribunal issued a decision on August 21 that the Information Commissioner’s Office (ICO) was wrong to impose a £250,000 fine on Scottish Borders Council in relation to an incident where pension records of former Council employees were discovered overflowing from recycling bins outside a local supermarket. The Tribunal held that the contravention, while serious, was not of a kind likely to cause substantial damage or substantial distress, which is a requirement for imposing such a penalty. The decision may have implications for the ICO’s approach to imposing monetary penalties in the future.
The hard copy records had been discarded by a data processor which had scanned the records to transfer them onto CD at the Council’s request. The records typically included name, address, date of birth, national insurance number, and salary. In some cases the files also contained bank account details, a signature, a nominee to receive benefits in the event of death, and reason for leaving. None of the information qualified as “sensitive personal data” under the Data Protection Act 1998. The data processor had provided services to the Council and its predecessors for 25-30 years. The Council was unaware that the data processor had changed its practices around data disposal in 2008 and now had no secure destruction arrangements in place.
The ICO’s power to impose monetary penalties arises where there is a serious contravention which is likely to cause substantial damage or substantial distress. The contravention must be deliberate or one where the controller knew or ought to have known that there was a risk of such a contravention and failed to take reasonable steps to prevent it.
The Tribunal agreed that there had been a serious contravention. The Council did not have an appropriate contract in place with the data processor and had not ensured that the processor provided sufficient guarantees in respect of security measures. However the Tribunal took the view that the ICO had focused on the trigger incident (i.e., the disposal at the recycling bins) rather than the contravention itself (the failure to have appropriate arrangements in place), and the contravention itself was not “likely” to lead to substantial damage or distress. One reason was that “the council had good reason to trust” its processor based on their long relationship. The Tribunal was also unconvinced by the ICO’s evidence on the likelihood of identity theft arising from the incident. It is this aspect of the decision which may have implications for the threshold for the imposition of fines in cases of data breaches which do not involve sensitive data.
The Tribunal indicated that it was not prepared to simply allow the Council’s appeal given the seriousness of its concerns about the Council’s procedures in relation to data processing contracts. The Tribunal has the power to substitute another decision (for example, serve an Enforcement Notice), and it may still do so, but it is delaying consideration of this to allow the Council and the ICO to seek to agree a way forward.
The Tribunal decision includes a number of interesting comments under the heading “Unfinished Business.” In particular, it suggests consideration should be given as to whether self-reporting is a relevant factor in the exercise of the penalty discretion – in the UK it is not mandatory to report a breach, but ICO decision notices indicate that a failure to self-report is regarded as an aggravating factor when determining the penalty it imposes.