Tribunal: Organisations must choose between paying discount on data protection fines or pursuing appeals

Out-Law News | 25 Jan 2013 | 2:16 pm | 4 min. read

Organisations that are ordered to pay a fine for breaking UK data protection laws cannot take advantage of an "early payment discount" offer and simultaneously pursue an appeal against the imposition or amount of that fine, an Information Rights Tribunal has ruled.

The Tribunal ruling came in the first ever appeal it has had to consider against a decision by the Information Commissioner's Office (ICO) to serve a 'monetary penalty notice' (MPN) to an organisation over a serious breach of the Data Protection Act (DPA).

Under the DPA the ICO has the power to issue fines of up to £500,000 for serious breaches of the Act. It has issued guidance on the procedures it follows when determining whether to serve a MPN and what amount of penalty it thinks is appropriate. Under the guidance, organisations receive a 20% reduction in the fine levied on them if they pay the reduced amount within 28 days of the MPN being served.

The Tribunal said, though, that the terms of the guidance do not permit organisations that have been issued with a MPN to pay a discounted penalty and to also appeal against the imposition or amount of the penalty served itself.

"The purpose of the scheme would appear to us to encourage early payment and also to ensure there is an early resolution to the matter," the Tribunal said in its appeal ruling. (35-page / 200KB PDF) "There is no provision for a without prejudice payment."

It said that the ICO was within its rights to refuse to accept an early discounted payment of £72,000 from the Central London Community Healthcare NHS Trust to settle a MPN it had issued to the Trust. The Trust had refused to drop its appeal against the £90,000 penalty the ICO had levied on it in April 2012 upon payment of the discounted amount.

"At most the MPN guidance is a quasi judicial obligation on the IC to provide a discount on specific terms," the Tribunal said. "He did so in this case. The Trust chose not to accept the terms and it is its loss when an appeal fails."

The ICO had elected to fine the Trust £90,000 after the body had reported that approximately 45 separate fax messages containing the lists of inpatients had been sent to the wrong recipient during a period spanning more than two months. The lists, sent from Pembridge Palliative Care Unit, contained "confidential and sensitive personal data" that set out medical diagnoses, information about patients' domestic situation and resuscitation instructions for "many" of those individuals listed who "were receiving palliative care," the ICO said at the time.

In making its appeal the Trust admitted that the breach merited the imposition of a MPN by the ICO, according to the Tribunal's ruling. However, it challenged the process the ICO had followed when arriving at that decision as well as the level of penalty it was issued with. 

The Trust raised several grounds of complaint, including that the ICO was wrong to impose a monetary penalty notice on it because it had voluntarily reported the data breach to the watchdog. It said that a reading of the Data Protection Act and the ICO's guidance on notification of data security breaches (NDSB) supported its view.

The ICO had argued, though, that it would be "absurd" if organisations that had been guilty of a serious breach of data protection laws could avoid a penalty for that offence merely by reporting the incident to it.

The Tribunal said that the ICO had acted within its legal right to take enforcement action despite the Trust self-reporting the breach. It further found that the ICO had not acted in contradiction to its NDSB guidance and that, in any case, the guidance was not binding on the watchdog. The guidance stated that the ICO would not normally issue fines over data security breaches in cases where organisations took "recommended action", where there was no "other reasons to doubt future compliance" or where there was no "need to provide reassurance to the public".

The Trust also argued that the ICO had not taken sufficient account of "mitigating factors" that it believed merited more serious consideration than the watchdog had given when determining whether a MPN was justified in the case.

However, the Tribunal said the ICO had come to its decision to issue a monetary penalty notice following a fair consideration of all factors and by following a lawful process. It formed this view despite finding that the watchdog had issued a "misleading" 'notice of intent' (NOI) to the Trust during that process. It further rejected claims that the ICO had failed to suitably explain the principles behind the way it calculated the level of penalty it levied.

The Tribunal said the Trust was obliged to adhere to NHS rules requiring it to report the data breach to the ICO and that therefore its self-reporting of the incident was not "voluntary" as the body had claimed. The act of self-reporting itself was not one which merited a reduction being made to the level of penalty the ICO imposed and neither did other actions the Trust had taken in relation to the breach merit a reduction, the Tribunal ruled.

"[The breach] was reported over a month after the breach was discovered," the Tribunal said. "Co-operation was the least that could be expected for such a serious breach. By the time the Trust informed the patients over three quarters were dead. There is still no absolute guarantee the sensitive information has been destroyed. The Trust’s mitigating features are therefore features to which we find the IC could not give much weight. In any case they are almost all post facto events and nothing about the wrongdoing."

The Trust had argued that it would have been more appropriate for a fine of £40,000 to be levied on it for the breach. It said the £90,000 fine that the ICO levied did not account for the "potential impact on services" that such a level of fine would have.

However, the Tribunal said that the Information Commissioner had "exercised his discretion properly" when calculating the level of fine and ruled that it was appropriate in this case. It even suggested that the watchdog could "have taken a more penal approach to the amount in question" on its view of the facts of the case.