ICO wrong to impose £250k fine on council for data breach, tribunal rules

The Information Commissioner’s Office should not have imposed a £250,000 fine on Scottish Borders Council for a data breach, the First-tier Tribunal (FTT) has ruled.

The ICO hit the local authority with the fine – a record for local government – in September 2012 after pension records for former employees were discovered in an over-filled paper recycling bank outside Tesco in Queensferry.

It emerged that a data processing company hired by the council had transferred the pensions records from hard copy files to CDs at the authority’s request. The company then disposed of about 1,600 manual files in the post box bins at Tesco and at another supermarket in the town.

The ICO had accused Scottish Borders of failing to put in place appropriate controls when outsourcing the destruction of confidential information.

In a ruling on the preliminary issue of the liability of the council to pay a monetary penalty, the FTT found in favour of Scottish Borders.

It did find that the arrangements with the contractor were “obviously defective” when it came to the obligations of a data controller under Schedule 1 Part 2 of the Data Protection Act when making contracts with a data processor.

“Para 11(a) [of the seventh data protection principle (DPP)] required an informed choice of processor who should be able to provide sufficient guarantees in respect of technical and organisational security measures,” the FTT said. “In place of this there was no more than a sincere but somewhat generalised attempt for reassurance some six years earlier.”

The FTT said that no action to ensure compliance was possible under para 11(b). “To some extent, but not fully, the contract for processing was evidenced in writing. However para 12(a)(ii) which requires a clause in the contract that the processor is to act only on instruction from the controller was simply not complied with. The same applies to para 12(b).”

It concluded that the arrangements made by the council for processing the pension records in July and August 2011 were in contravention of the Act.

The tribunal also concluded that the contravention was serious. This was because:

  • The duties in relation to data processing contracts in paras 11 and 12 of schedule 1 were “at the heart of the system for protecting personal data under DPA. It is fundamental that the data controller cannot be allowed to contract out its responsibilities”; and
  • The contravention was “not an isolated human error. It was systemic”.

The FTT rejected the council’s contention that the case was merely the action of a rogue employee who had failed to follow his employers’ guidance by not obtaining the data processor’s signature to a standard form ‘confidentiality/disclosure’ agreement.

The tribunal agreed with counsel for the ICO (Robin Hopkins of 11KBW) that the focus should be on the contravention when assessing whether it was of a kind likely to cause substantial damage or substantial distress.

"We accept the importance of this especially because at some stages of the investigation confusion may have resulted from focusing on what happened at the paper recycling bins ('the trigger incident')," it explained. "There will be some cases in which the contravention and the trigger incident are one and the same but the case put against Scottish Borders is not one of them."

But the tribunal went on to conclude that the contravention was not of a kind likely to cause substantial damage or substantial distress. “No doubt some breaches of the seventh DPP in respect of some data might be of such a kind,” the FTT said. “In this case, it seems to us that the fact that the data processor was a specialist contractor with a history of 25-30 years of dealings with Scottish Borders carries weight. He was no fly by night. The council had good reason to trust the company.”

The FTT added: “Focusing on the contravention we have been unable to construct a likely chain of events which would lead to substantial damage or substantial distress.

“What did happen was of course startling enough. Again, though, looking at the facts of the case, what did happen was in our view a surprising outcome, not a likely one. The overwhelmingly likely result of the summer 2011 arrangements, it seems to us was that the data processor would arrange for the files to be properly destroyed – to the extent that we would not describe any other outcome as likely.”

The tribunal was not persuaded by evidence put forward by the ICO in relation to possible identity theft.

The FTT concluded that there was no liability to a monetary penalty in this case because looking at the facts and circumstances of the contravention, whilst it was serious, it was not of a kind likely to cause substantial damage or substantial distress.

The tribunal said it was open to it to either allow the appeal or substitute such other notice or decision as could have been served or made by the ICO.

“On the information we have so far we were not prepared to simply allow the appeal,” it suggested, saying its concerns about Scottish Borders’ procedures in relation to contracts for data processing were too serious for that.

The FTT therefore delayed consideration of whether to issue an enforcement notice or take some other action to allow a conversation to take place between Scottish Borders and the ICO about the placing of data processing contracts and the training given to staff involved. “It may be possible for the parties to agree a way forward.”

The ICO confirmed it would not be appealing the tribunal's decision. A spokesman for the watchdog said: “We have read the tribunal’s ruling confirming that the monetary penalty served on Scottish Borders Council, following a serious breach of the Data Protection Act, has been overturned. We are disappointed with the result, but, after considering the full details of the reasons behind its decision, we will not be appealing the tribunal’s ruling that was based on the specific circumstances of this case."

He added: “We do not take the decision to issue a monetary penalty lightly and follow a thorough process before serving an organisation with a penalty notice. The tribunal agreed with us that the breach, which led to over 600 pension records being found in an overfilled paper recycling bank in a supermarket car park, was a serious one, but we were unable to satisfy them that it was likely to lead to substantial damage or substantial distress being caused to the individuals affected. We will now consider whether this decision has any wider implications.”

Scottish Borders paid the original fine in a bid to obtain the early payment discount of 20%. It will now be refunded the whole sum.

A joint report between the council and the ICO on the progress made on improving processes and systems since the data breach – and a timetable for outstanding actions – will be submitted to the tribunal by 10 September.

David Parker, Leader of Scottish Borders, said he was delighted with the outcome.

"To issue such a high monetary penalty on a public authority in this economic climate was excessive, especially when the breach was self-reported and officers took all appropriate steps on the discovery of this incident and co-operated fully with the ICO at all times," he claimed.

"Data and information security is a priority at SBC – and I am confident that the work taking place across the council to address any issues will be acknowledged appropriately in the future."

The only previous appeal of an ICO fine, by the Central London Community Healthcare Trust, was rejected by the FTT in January 2013.

The trust has appealed to the Upper Tribunal, with a hearing due shortly.

Further information from the FTT decision in the Scottish Borders case

In a section of the judgment called Unfinished business, the tribunal said:

“It is almost always a mistake to give in to the temptation to comment on other issues canvassed in the course of an appeal but which it has not been necessary to resolve. However, in a comparatively new legal regime it may be helpful to draw attention to some other potential difficulties to allow time for contemplation before their resolution.

(a) Deliberate contraventions – We have indicated that one of the two forms of “mens rea” or “guilty mind” which can found liability for a monetary penalty is that the contravention should be “deliberate”. In a number of the materials before us it seems to be assumed that this involves knowingly breaking the law rather than deliberately doing an action which is a contravention. It has never been suggested that “contravention” in section 13 DPA requires a claimant to prove that a defendant knew they were breaking the law. It may also be that taking this view makes it difficult to apply the alternative “mens rea” to acts which are deliberate.

(b) The significance of actual harm – It is clear that there may be liability for a penalty based on potential or, to be more correct, likely harm. There is no need to demonstrate actual harm. It would follow that the extent of the likely harm would be a factor to consider in fixing the amount of a penalty. Scottish Borders argued that insufficient attention had been paid to the fact that, in the end, so far as anyone can tell, no one suffered from the contravention in this case. In oral evidence advanced by the ICO, it was suggested that this did not matter. It may be necessary at some future stage to explore the rationale for saying that the extent of harm caused cannot be reflected in the amount of the penalty or in the exercise of the penalty discretion.

(c) Admissions and self reporting – It is traditional for penalties to be discounted where liability is not contested. One point made by Scottish Borders in this appeal was that insufficient credit had been given for their willingness to respond to the trigger incident and to report it to ICO. Although the argument was not developed before us the ICO did not seem to suggest that self reporting was an irrelevant factor in the amount of a penalty. Rather, …..the way to deal with it was to increase the penalty of a data controller who did not self report. At some stage, it may be necessary to consider whether this novel approach gives adequate prominence to a factor, which seems to be agreed to be relevant, in the reasons given for the amount of any penalty. It may also be asked whether self reporting is a relevant factor in the exercise of the penalty discretion.

(d) Early payment scheme – The ICO operates an early payment scheme. There is a discount of 20% if payment is made within 28 days. In the ICO’s response to this appeal, it was submitted that any data controller who makes an early payment under the scheme “effectively forfeits its right to appeal”. Scottish Borders took strong exception to this suggestion. At some stage the question may have to be answered as to whether this approach constitutes an unfair obstacle to access to the judiciary.”