http://www.localgovernmentlawyer.co.uk/index.php?option=com_content&view=article&id=12833%3Anhs-trust-fails-in-first-ever-appeal-over-ico-fine-for-data-breach&catid=174&Itemid=99
The First-tier Tribunal has rejected the first ever appeal against a
monetary penalty imposed by the Information Commissioner for a breach of
data protection laws.
The Central London Community Healthcare NHS Trust (CLCH) had appealed
a £90,000 monetary penalty notice served by the Information
Commissioner in April 2012.
James Reilly, chief executive of the trust, said: "We have received
the verdict from the tribunal and are giving it serious consideration.
We won't be commenting further until we have completed this
consideration with our legal advisers."
The ICO welcomed the ruling. David Smith, Deputy Commissioner and
Director of Data Protection at the watchdog, said: "Monetary penalty
notices are an important and effective tool for ensuring compliance. We
do not take the decision to issue an organisation with a financial
penalty lightly and will only consider this in response to serious data
breaches that could cause substantial damage or distress to the
individuals affected."
The breach related to an arrangement the trust had in place where it
faxed, each weekday evening, highly sensitive patient data relating to
its palliative care unit to St John’s Hospice.
CLCH used an agreed fax protocol for sending the inpatient lists,
which were used to assist doctors providing out of hours care. This
required the palliative care unit to telephone the hospice to check that
the fax had been received.
However, the person responsible for faxing the lists to the hospice
had not received adequate training on the faxing process and had not
been trained to receive management approval for any variation in the
protocol.
In March 2011 the administrator became aware that the list needed to
be sent to an additional fax number at the hospice. However, the
protocol was not updated with the extra number, nor was approval
obtained from her manager.
The administrator (or a stand-in) then sent the inpatient list on 45
separate occasions to a fax number which it had not been given by the
hospice. The individual did check that the fax to the original number
had been received but not the ones to the second number.
The error came to light when a member of the public rang to say he
had been receiving the lists, but had shredded them. The trust was
subsequently unable to trace the caller and could not confirm precisely
what had happened to the data.
The trust voluntarily reported the breach to the Information Commissioner’s Office. After an investigation, the ICO fined the trust £90,000 on 27 April 2007 under its power in s. 55A of the Data Protection Act.
The level of fine, it was subsequently revealed, was in the ‘serious’
band (£40-100,000) in the ICO’s framework for determining the
appropriate amount for a penalty. The other bands are ‘very serious’
(more than £100,000 but less than £250,000) and ‘most serious’ (more
than £250,000 up to the maximum of £500,000).
CLCH, which had already conceded that a financial penalty was
warranted but had asked the Information Commissioner to consider a lower
penalty figure, appealed to the FTT. The case was heard over three days
in December 2012.
The Trust argued that the monetary penalty notice was not in
accordance with the law. It also claimed that to the extent that the
notice involved an exercise of discretion by the Information
Commissioner, it ought to have exercised that discretion differently.
CLCH put forward its case under nine headings, although one ground of appeal was withdrawn during the hearing. These were that:
- The Information Commissioner had – in determining that it was
satisfied that a monetary penalty notice might be imposed – unlawfully
and in breach of section 55(3A) of the DPA relied on matters that came
to his attention as a result of a s. 51(7) ‘consensual’ assessment.
- The IC failed to take proper account of its own policy on imposing
monetary penalties where a data controller voluntarily reports an
incident.
- The IC exercised his decision wrongly in deciding that a monetary
penalty was appropriate. In particular it was argued that the evidence
did not explain on what basis the discretion to impose a penalty was
exercised.
- The IC failed to take proper account of the mitigating features
identified in the monetary penalty notice, including that the trust was a
‘first time offender’ as far as security breaches were concerned.
- The IC imposed a penalty despite an indication by the case officer
early in the course of the investigation that he did not consider the
case would be worthy of a fine. There was no subsequent change in
circumstances to justify the change of position.
- The IC’s change of position gave rise to an inference that the IC
must have taken account of irrelevant considerations in deciding to
impose a monetary penalty. (This was the ground that was withdrawn.)
- The IC failed at any stage to explain the principles by reference to
which he proposed to calculate the amount of the penalty, thereby
depriving the trust of an opportunity to make meaningful representations
on the issue.
- In setting the amount of the penalty, the ICO gave insufficient
credit to the trust for the various mitigating features in the case.
- The trust had offered to pay £72,000 (the sum applicable under the
early payment discount scheme) on the footing that this payment would be
without prejudice to the right to appeal, and that the payment would be
refunded by the ICO if the appeal succeeded. The ICO’s refusal to
accept the offer had effectively put the trust to a choice between
taking the benefit of the discount for prompt payment or exercising its
right to appeal.
The Tribunal rejected all of these grounds. Key elements of the ruling include:
- The FTT rejected the Information Commissioner’s submission that it
should adopt a “narrow, essentially supervisory” approach to the
discharge of the ICO’s functions.
- The tribunal has power to allow the appeal and/or substitute such other notice or decision as could have been served.
- Where the tribunal is asked to consider the amount of a penalty, the
tribunal can increase as well as decrease the amount, as well as accept
the Information Commissioner’s figure. If the tribunal was inclined to
increase the penalty where the IC did not ask for a higher figure, then
as a matter of procedural fairness, the data controller should be given
the opportunity to be heard or make written representations before
making a final decision.
- A voluntary notification of a serious breach does not preclude the
Information Commissioner from investigating the breach with a view to
issuing an MPN as well as taking other enforcement action.
- The ICO had not disregarded its own policy. The ICO’s Notification of Data Security Breaches to the Information Commissioner’s Office
was not a statutory policy and if there was any tension between that
and the statutory policy (MPN guidance), then the latter should be
followed. In any event the tribunal did not consider that such tension
was present in this case.
- From the evidence it was clear that the Information Commissioner had
ensured that the various elements of s. 55A – there was a serious
contravention, the contravention was of a kind likely to cause
substantial damage or distress etc. – were met. The IC had taken full
account of the facts and circumstances of the contravention and any
representations made to him, as required by the MPN guidance.
- The trust’s mitigating features were features to which the tribunal
found the IC could not give much weight. “In any case they are almost
all post facto events and nothing about the wrongdoing”.
- The case officer had not committed the ICO to any position. On the
balance of probabilities, he did not give any serious indication or
assurance that there would be no fine or monetary penalty notice in the
case which in any way excluded the watchdog from deciding to issue an
MPN. Even if an indication had been given, this was at the beginning of
the investigation and was based on an initial notification of the extent
and seriousness of the breach and on the evidence could not be
considered as a change of position.
- The tribunal was satisfied that the ICO had reached a figure within a
range of reasonable figures it could have considered. Indeed, it seemed
to the tribunal on the facts that in this case the IC could have taken a
more penal approach to the amount in question.
- It was clear that the ICO did take all factors/features into account
such as voluntary reporting of the incident, voluntary co-operation
through the investigation and voluntary reporting the incident to the
data subjects. The MPN was also clear and took into account the
behavioural issues referred to by counsel for the trust.
- It could be argued that there was an insufficient approach to
assessing the financial impact of the fine. However, the trust was given
the opportunity to challenge the approach. Its chief executive did not
do this, nor did he make the case that a penalty of £90,000 would reduce
service availability or other hardship. “So the IC cannot be criticised
for not considering the matter further or appearing to give it
increased weight for which no evidence is provided.” The tribunal noted
that no evidence was provided as to the effect on service delivery of a
penalty of this size. It also noted that the penalty was likely to be
only a small percentage of turnover.
- The failure of the IC to accept the trust's early payment offer
outside the basis of the MPN guidance did not seem to amount to an error
of law and/or wrong exercise of discretion. “At most the MPN guidance
is a quasi judicial obligation on the IC to provide a discount on
specific terms. He did so in this case. The Trust chose not to accept
the terms and it is its loss when an appeal fails.” A discount for early
payment is offered under other regimes like parking and minor road
traffic offences. However, the tribunal was not aware that an offender
can reserve his position if he decides to appeal. For these reasons the
tribunal was not prepared to restore the discount.
The issues around the operation of the early payment scheme, where
the payer gets a discount, are set to be looked at in another challenge
to an ICO monetary penalty that is being brought by Scottish Borders Council. This case is expected to be heard in the Spring.
The ICO's Smith also said about the ruling: "We follow a thorough
process when reaching any decision. The Tribunal have recognised this
and commended us on our approach. The ruling removes any doubt that we
cannot take action when an organisation self-reports a serious data
breach. While we do look favourably on organisations that contact us
after a serious breach, and take this into account when setting the
amount of any penalty, self-reporting a breach to the ICO cannot be seen
as a ‘get out of jail free’ card."
He added: "We are also pleased the Tribunal supported the early
payment system we operate is in line with other regulatory bodies,
confirming that organisations cannot have their cake and eat it by
paying the discounted rate, while reserving the right to appeal."
Anya Proops of 11KBW was counsel for the Information Commissioner.
Timothy Pitt-Payne QC, also of 11KBW, acted for the appellant NHS trust.
Philip Hoult