Upper Tribunal to hear first appeal over ICO fine for data breach

The Upper Tribunal will next week hear for the first time a case involving the imposition of a monetary penalty notice by the Information Commissioner’s Office for a breach of the Data Protection Act.

The ICO fined the Central London Community Healthcare NHS Trust £90,000 in April 2012 over a data breach where highly sensitive patient data relating to its palliative care unit was sent on 45 separate occasions to the wrong recipient.

The trust appealed to the First-tier Tribunal over the imposition of the monetary penalty, putting eight separate grounds of challenge forward.

However, the FTT rejected the appeal, saying – amongst other findings – that it was satisfied the ICO had reached a figure within a range of reasonable figures it could have considered.

The tribunal suggested that on the facts of the case the Information Commissioner could have taken a more penal approach to the amount in question.

The Upper Tribunal will hear the NHS trust’s appeal over 16 and 17 October.

In August 2013 the FTT ruled that the ICO should not have imposed a £250,000 fine on Scottish Borders Council for a data breach. The case involved the disposal of 1,600 manual files containing ex-employees’ pension records in post box bins at Tesco and another supermarket in Queensferry.

Although finding that the council's arrangements with its external contractor were "obviously defective" and that the contravention was serious, the tribunal also decided that the contravention was not of a kind likely to cause substantial damage or substantial distress.

The tribunal formally cancelled the monetary penalty notice last week after Scottish Borders and the ICO reached agreement about the placing of data processing contracts and the training given to staff.