Tribunal halves fine for disclosure of sensitive information in planning case

The First-tier Tribunal has upheld the Information Commissioner’s decision to impose a monetary penalty on Basildon Borough Council for publishing sensitive personal information about a family in planning application documents that were made publicly available online.

However, in Basildon Borough Council v Information Commissioner & (Part Allowed : Data Protection Act 1998) [2018] UKFTT 2017_0124 (GRC) the FTT halved the penalty from £150,000 to £75,000, saying the ICO had not given sufficient weight to certain points in mitigation and not taken into account others.

The ICO had alleged that Basildon had contravened the seventh data protection principle (DPP7) from Schedule 1 of the Data Protection Act 1998.

The background to the case was that the council had received an application in June 2015 for the variation of conditions attached to a grant of planning permission for land in the Green Belt.

A planning statement set out why the variation was being sought. This included details about the applicant’s family, including disability requirements, mental health issues, the names of all family members, their age and the location of the site. This meant it included sensitive personal data as defined by the 1998 Act.

The application and planning statement were uploaded on 16 July 2015 onto Basildon’s online planning portal. However, there were no redactions.

The unredacted planning statement was removed from the portal on 4 September 2015. The council reported the matter a few days later to the ICO as a data protection breach.

An ICO investigation subsequently concluded that publication of the unredacted planning statement was not deliberate. Instead the error had occurred because of inadequacies in the council’s procedures for ensuring that planning documentation was uploaded to its portal in line with its policy.

The Commissioner found that these inadequacies were:

  • The council had in place no adequate procedure governing the redaction of statements by planning technicians;
  • It did not provide any (or any adequate) training to planning technicians on the redaction of statements;
  • It had in place no guidance or procedures for a second planning technician or senior officer to check statements for unredacted data (and specifically sensitive personal data) before they were returned to the administrator to be uploaded to the online planning portal;
  • It had in place no guidance for the administrator to check statements for unredacted data before they were uploaded to the online planning portal.

The ICO found that the contravention was serious and of a kind likely to cause substantial damage or substantial distress. It decided to issue a monetary penalty and considered that £150,000 was appropriate and proportionate.

Basildon appealed. It argued before the FTT that:

  1. it did not contravene DPP7;
  2. alternatively, if it did, the conditions for issuing a monetary penalty under section 55A DPA were not met, and
  3. alternatively, if the Commissioner was entitled to impose a monetary penalty, the amount of this penalty was too high.

The council’s core submission was that it was, as a local planning authority, required, by statute and regulation, to make personal data, including sensitive personal data, submitted to it as part of planning applications, available for public inspection as part of the process of public scrutiny of the planning process. This meant that the publication of the personal data and sensitive personal data in this case was in accordance with DPP1.

In relation to the first appeal submission the Tribunal considered that Basildon’s submission was “manifestly ill-founded and that the issue was a matter of settled law conveyed in decisions that were binding on the First Tier Tribunal”.

The FTT said the authorities cited by the Commissioner unequivocally stated that domestic legislation had to be read restrictively in the light of obligations imposed by EU Directives. “Indeed, where domestic legislation clashes directly with EU legislative obligations then the domestic legislation will be struck down.”

The Tribunal added that it “was somewhat surprised, given this situation, that Basildon sought to argue the point contained in the first appeal submission.”

The FTT said it understood some of the logic behind Basildon’s contention that there could have been no breach of DPP1 in this case and that, therefore, the measures to check that there was no such breach were unnecessary (and thus there could have been no breach of DPP7).

However, the Tribunal felt that this focus on DPP1, and the argument that it had not been breached, was “something of a distraction”.

The monetary penalty notice issued in this case was not for a breach of DPP1, it said, but for a breach of DPP7 – the obligation to have in place appropriate technical and organisational measures to ensure that there is no unauthorised or unlawful processing of personal data. “The bald and unavoidable fact of this case is that Basildon did have a procedure for checking what personal data contained within planning applications should go up online but, on their own admission, it was completely overlooked on this occasion. That failure was clear prima facie evidence of inadequate measures - in contravention of DPP7.”

The Tribunal said the failure in this particular case had been compounded by a lack of training and guidance and a lack of ‘safety net’ procedures to catch incorrect decision making by an initial decision taker.

“All these points were established during the Commissioner’s investigation and were not significantly challenged by Basildon,” the FTT added. “The Tribunal thought that it was of significance that Basildon was quite unable to identify the member of staff who examined the planning application in this particular case and who passed it on to be published, unredacted, online. The Tribunal considered this to be evidence of inadequate procedures. In the Tribunal’s view these systemic failures meant that there was a significant increase in the risk of the same error being repeated.”

On the second ground of appeal, the FTT said it had no hesitation in concluding that the statutory conditions under s.55A DPA were met – that is that the contravention of DPP7 in this case was such that there was an ongoing risk of the unjustified publication of sensitive personal data and that, in turn, was likely to cause substantial damage or substantial distress.

“Adopting the same analysis, the Tribunal also unhesitatingly concluded that Basildon ought to have known that its lack of adequate systems and procedures meant that there was a risk of the processing of personal data in contravention of the DPA and that such a contravention would be of a kind likely to cause substantial damage or substantial distress,” the FTT added.

It said it was "inarguable" that Basildon failed to take reasonable steps to prevent the breach of DPP7 and, indeed, the council did not at any point contend that it had taken such reasonable steps before the triggering incident had been reported to the Commissioner.

The FTT did agree, however, that the monetary penalty imposed was too high, concluding that the ICO had taken into account the mitigating points but not given them sufficient weight:

  • Although Basildon’s procedures for checking planning applications for personal data, and for making rational and DPA-compliant decisions in relation to that personal data, were inadequate, the council did at least have some procedures in place and this distinguished it from a body with no such procedures at all.
  • The Tribunal also noted that it only had evidence before it that Basildon’s inadequate procedures had directly affected a relatively small group of 17 people.
  • The personal data in the triggering case had only been online for a relatively short period and Basildon had self-reported the matter to the Commissioner promptly.
  • The planning application form did inform applicants of the possibility of the publication of the information provided in the application and did provide a telephone number for further advice on what this might mean in practice.

The FTT also took into account two points that did not appear to have been considered by the Commissioner:

(a) The PARSOL Planning and Building Control Information Online Guidance notes (which provides advice to, amongst others, planning authorities on the online publication of planning applications and which was developed in collaboration with the Commissioner and published in August 2006) was "poorly drafted and clearly needs urgent revision". It contained some sections which could easily be read as advising that planning authorities may simply post unredacted planning applications online. "Other provisions of the Guidance do indicate that the DPA must be taken into account but the Guidance is clearly ambiguous, if not misleading."

(b) The Tribunal in this judgement had been critical of the way in which Basildon focused on the single triggering incident in many of its submissions rather than on the systemic failures implicit in a breach of DPP7. However in the Tribunal’s view the Commissioner also fell into this error in the preliminary analysis set out in the Monetary Penalty Decision Record which led to the recommendation of a £150,000 penalty. "For example, all of the aggravating features noted by the panel relate to the individuals involved in the triggering incident rather than to the wider risks flowing from the systemic DPP7 breach. It is correct that much of this analysis had been corrected to look at the wider issues in the MPN itself but the monetary penalty adopted is the same as the one recommended in the Decision Record and there is no indication that the monetary penalty was reviewed in light of the altered analysis."

The Tribunal went on to note that unlike fines imposed in the criminal justice system there was no independent body such as the Sentencing Council providing a definitive list of relevant aggravating and mitigating factors and a matrix of appropriate fines.

It also noted that the Commissioner was seeking to establish her own ‘database’ of penalties and pertinent factors to be taken into account and this was referred to in the Decision Record, “though it might be argued that it is not entirely appropriate for the investigator and enforcer of MPNs to be the body that also effectively sets the level of the penalties”.