Scottish law firm launches data protection defence team

May 12, 2014

A Scottish law firm has launched a dedicated data protection defence team to advise on monetary penalty notices issued or threatened by the Information Commissioner’s Office.

The firm, bto solicitors, previously advised Scottish Borders Council on its successful challenge to a £250,000 fine imposed by the ICO for a data breach that involved pension records of former employees being left in a recycling bank outside a Tesco supermarket. The First-Tier Tribunal ruled in favour of the local authority in August 2013.

The team comprises Paul Motion, a partner and Solicitor Advocate, Laura Irvine, an associate and criminal Solicitor Advocate, and Lindsay Urquhart, an associate.

Motion said: “This new service from bto provides our clients with a direct response to the huge fines which can now be handed out by the ICO, not only under the Data Protection Act, but under regulations governing spam texts, spam emails and unsolicited marketing phone calls.

“The ICO has used its powers to impose significant fines mainly on public bodies, especially local authorities and health boards, but it has also fined charities, individuals and private companies.”

He added: “We are finding that in most cases the alleged breaches have occurred accidentally, but the ICO seemingly pays no attention to this in deciding whether to fine or how much the penalty should be. ICO investigations are not a comfortable experience. Too late we find that businesses have disclosed material adverse to their interests which they didn’t have to disclose, or made admissions they might not have made with the benefit of prior legal advice.

“Considering the significant fines that the ICO can impose, it is vitally important that organisations limit their exposure as early as possible following a breach and control the material they are handing over.”

Irvine meanwhile said: “The sentencing guidelines where there has been a fatality following a health and safety breach state that the starting point for a fine is £100,000. I am not seeking to minimise the potential for damage and distress following the loss of data, but the fines issued by the ICO, very often on public sector bodies, often seem way out of proportion by comparison.”

Event: bto solicitors is holding a seminar in Glasgow on 14 May on how to deal with ICO investigations following a data breach. More information can be found here.