NHS trust fails in first ever appeal over ICO fine for data breach

The First-tier Tribunal has rejected the first ever appeal against a monetary penalty imposed by the Information Commissioner for a breach of data protection laws.

The Central London Community Healthcare NHS Trust (CLCH) had appealed a £90,000 monetary penalty notice served by the Information Commissioner in April 2012.

James Reilly, chief executive of the trust, said: "We have received the verdict from the tribunal and are giving it serious consideration. We won't be commenting further until we have completed this consideration with our legal advisers."

The ICO welcomed the ruling. David Smith, Deputy Commissioner and Director of Data Protection at the watchdog, said: "Monetary penalty notices are an important and effective tool for ensuring compliance. We do not take the decision to issue an organisation with a financial penalty lightly and will only consider this in response to serious data breaches that could cause substantial damage or distress to the individuals affected."

The breach related to an arrangement the trust had in place where it faxed, each weekday evening, highly sensitive patient data relating to its palliative care unit to St John’s Hospice.

CLCH used an agreed fax protocol for sending the inpatient lists, which were used to assist doctors providing out-of-hours care. The protocol required the palliative care unit to telephone the hospice to confirm that each fax had been received.

However, the person responsible for faxing the lists to the hospice had not received adequate training on the faxing process and had not been trained to obtain management approval for any variation in the protocol.

In March 2011 the administrator became aware that the list needed to be sent to an additional fax number at the hospice. However, the protocol was not updated with the extra number, nor was approval obtained from her manager.

The administrator (or a stand-in) then sent the inpatient list on 45 separate occasions to a fax number which the trust had not been given by the hospice. The individual did check that the fax to the original number had been received, but did not check the ones sent to the second number.

The error came to light when a member of the public rang to say he had been receiving the lists, but had shredded them. The trust was subsequently unable to trace the caller and could not confirm precisely what had happened to the data.

The trust voluntarily reported the breach to the Information Commissioner’s Office.

After an investigation, the ICO fined the trust £90,000 on 27 April 2012 under its power in s. 55A of the Data Protection Act.

The level of fine, it was subsequently revealed, was in the ‘serious’ band (£40,000 to £100,000) in the ICO’s framework for determining the appropriate amount for a penalty. The other bands are ‘very serious’ (more than £100,000 but less than £250,000) and ‘most serious’ (more than £250,000, up to the maximum of £500,000).

CLCH, which had already conceded that a financial penalty was warranted but had asked the Information Commissioner to consider a lower penalty figure, appealed to the FTT. The case was heard over three days in December 2012.

The Trust argued that the monetary penalty notice was not in accordance with the law. It also claimed that to the extent that the notice involved an exercise of discretion by the Information Commissioner, it ought to have exercised that discretion differently.

CLCH put forward its case under nine headings, although one ground of appeal was withdrawn during the hearing. These were that:

  1. The Information Commissioner had – in determining that it was satisfied that a monetary penalty notice might be imposed – unlawfully and in breach of section 55(3A) of the DPA relied on matters that came to his attention as a result of a s. 51(7) ‘consensual’ assessment.
  2. The IC failed to take proper account of its own policy on imposing monetary penalties where a data controller voluntarily reports an incident.
  3. The IC exercised his decision wrongly in deciding that a monetary penalty was appropriate. In particular it was argued that the evidence did not explain on what basis the discretion to impose a penalty was exercised.
  4. The IC failed to take proper account of the mitigating features identified in the monetary penalty notice, including that the trust was a ‘first time offender’ as far as security breaches were concerned.
  5. The IC imposed a penalty despite an indication by the case officer early in the course of the investigation that he did not consider the case would be worthy of a fine. There was no subsequent change in circumstances to justify the change of position.
  6. The IC’s change of position gave rise to an inference that the IC must have taken account of irrelevant considerations in deciding to impose a monetary penalty. (This was the ground that was withdrawn.)
  7. The IC failed at any stage to explain the principles by reference to which he proposed to calculate the amount of the penalty, thereby depriving the trust of an opportunity to make meaningful representations on the issue.
  8. In setting the amount of the penalty, the ICO gave insufficient credit to the trust for the various mitigating features in the case.
  9. The trust had offered to pay £72,000 (the sum applicable under the early payment discount scheme) on the footing that this payment would be without prejudice to the right to appeal, and that the payment would be refunded by the ICO if the appeal succeeded. The ICO’s refusal to accept the offer had effectively put the trust to a choice between taking the benefit of the discount for prompt payment or exercising its right to appeal.

The Tribunal rejected all of these grounds. Key elements of the ruling include:

  • The FTT rejected the Information Commissioner’s submission that it should adopt a “narrow, essentially supervisory” approach to the discharge of the ICO’s functions.
  • The tribunal has power to allow the appeal and/or substitute such other notice or decision as could have been served.
  • Where the tribunal is asked to consider the amount of a penalty, the tribunal can increase as well as decrease the amount, as well as accept the Information Commissioner’s figure. If the tribunal was inclined to increase the penalty where the IC did not ask for a higher figure, then as a matter of procedural fairness, the data controller should be given the opportunity to be heard or make written representations before making a final decision.
  • A voluntary notification of a serious breach does not preclude the Information Commissioner from investigating the breach with a view to issuing an MPN as well as taking other enforcement action.
  • The ICO had not disregarded its own policy. The ICO’s Notification of Data Security Breaches to the Information Commissioner’s Office was not a statutory policy and if there was any tension between that and the statutory policy (MPN guidance), then the latter should be followed. In any event the tribunal did not consider that such tension was present in this case.
  • From the evidence it was clear that the Information Commissioner had ensured that the various elements of s. 55A – there was a serious contravention, the contravention was of a kind likely to cause substantial damage or distress etc. – were met. The IC had taken full account of the facts and circumstances of the contravention and any representations made to him, as required by the MPN guidance.
  • The trust’s mitigating features were ones to which the tribunal found the IC could not give much weight. “In any case they are almost all post facto events and nothing about the wrongdoing”.
  • The case officer had not committed the ICO to any position. On the balance of probabilities, he did not give any serious indication or assurance that there would be no fine or monetary penalty notice in the case which in any way precluded the watchdog from deciding to issue an MPN. Even if an indication had been given, this was at the beginning of the investigation and was based on an initial notification of the extent and seriousness of the breach; on the evidence it could not be considered a change of position.
  • The tribunal was satisfied that the ICO had reached a figure within a range of reasonable figures it could have considered. Indeed, it seemed to the tribunal on the facts that in this case the IC could have taken a more penal approach to the amount in question.
  • It was clear that the ICO did take all factors/features into account, such as voluntary reporting of the incident, voluntary co-operation throughout the investigation and voluntarily reporting the incident to the data subjects. The MPN was also clear and took into account the behavioural issues referred to by counsel for the trust.
  • It could be argued that the approach to assessing the financial impact of the fine was insufficient. However, the trust was given the opportunity to challenge the approach. Its chief executive did not do this, nor did he make the case that a penalty of £90,000 would reduce service availability or cause other hardship. “So the IC cannot be criticised for not considering the matter further or appearing to give it increased weight for which no evidence is provided.” The tribunal noted that no evidence was provided as to the effect on service delivery of a penalty of this size. It also noted that the penalty was likely to be only a small percentage of turnover.
  • The failure of the IC to accept the trust's early payment offer outside the basis of the MPN guidance did not seem to amount to an error of law and/or wrong exercise of discretion. “At most the MPN guidance is a quasi judicial obligation on the IC to provide a discount on specific terms. He did so in this case. The Trust chose not to accept the terms and it is its loss when an appeal fails.” A discount for early payment is offered under other regimes like parking and minor road traffic offences. However, the tribunal was not aware that an offender can reserve his position if he decides to appeal. For these reasons the tribunal was not prepared to restore the discount.

The issues around the operation of the early payment scheme, under which the payer receives a discount, are set to be examined in another challenge to an ICO monetary penalty, which is being brought by Scottish Borders Council. That case is expected to be heard in the spring.

The ICO's Smith also said about the ruling: "We follow a thorough process when reaching any decision. The Tribunal have recognised this and commended us on our approach. The ruling removes any doubt that we cannot take action when an organisation self-reports a serious data breach. While we do look favourably on organisations that contact us after a serious breach, and take this into account when setting the amount of any penalty, self-reporting a breach to the ICO cannot be seen ‘as a get out of jail free’ card."

He added: "We are also pleased the Tribunal supported that the early payment system we operate is in line with other regulatory bodies, confirming that organisations cannot have their cake and eat it by paying the discounted rate, while reserving the right to appeal.”

Anya Proops of 11KBW was counsel for the Information Commissioner. Timothy Pitt-Payne QC, also of 11KBW, acted for the appellant NHS trust.

Philip Hoult