In the first decision of its kind, the First-Tier Information Tribunal has set aside a monetary penalty of £250,000 issued by the Information Commissioner against the Scottish Borders council. The decision itself is challenging, not least because it calls into question the responsibility (and consequent liability) that data controllers have for the (unsuspected) acts of their data processors. It also suggests flaws in the ICO's process for deciding to issue a monetary penalty. This case represents essential reading for anyone facing ICO enforcement action for a data security breach.
On 10 September 2012, the ICO issued a monetary penalty notice for £250,000 against Scottish Borders Council for breach of the Data Protection Act. The breach arose from the following circumstances:
Scottish Borders appointed a third party (identified only as 'GS' in the notice) to digitise the pension records of its past and existing employees, pension scheme members and (in some instances) their spouses. GS had worked with Scottish Borders since 2005, with the services provided expanding over time to include destruction of the hard copy records.
In September 2011, a member of the public reported to the police that they had found the hard copy documents in a public paper recycling bin in a supermarket car park. According to the ICO, 676 records had been dumped at the recycling centre on that day, with a further 172 files dumped at a different recycling centre at the same time. The information contained in these records included name, address, date of birth and national insurance number, together with salary and bank account information in many cases. The council was not aware that its records were being disposed of in this way, and it was not clear on how many previous occasions records had been discarded in a similar fashion.
Monetary penalty notice
Although the data had not apparently been misused by any third party that may have accessed it from the recycling centre, the ICO took the view that the risk of identity theft and financial loss, together with the damage or distress caused to the data subjects by reason of their confidential information being seen by the public at the recycling centre satisfied the conditions for imposing a monetary penalty.
The ICO imposed a monetary penalty of £250,000 on Scottish Borders on the basis that, among other things, Scottish Borders had failed to:
- choose a data processor that could provide suitable security guarantees;
- audit GS's implementation and maintenance of appropriate security measures in respect of the council's data; and
- manage GS. For example, the council had not instructed GS as to how to deal with the records once scanned, despite GS's requests for direction.
Further, there was no written processing agreement between the parties, obliging GS to comply with the council's instructions and to apply appropriate security measures to the data.
Appeal to the Tribunal
The Tribunal identified that the council's arrangements with GS were deficient, not least because they were not (entirely) reduced to writing. This breach was deemed by the Tribunal to be serious because of the importance within the data protection regime of proper data processing arrangements and also because "the contravention was not an isolated human error. It was systemic". The Tribunal identified that the council had no procedures in place for ensuring data protection in contracts worth less than £20,000, nor did the council provide any data protection training for managers dealing with contracts below this value. The full extent of the council's measures to protect data was to require the service provider to sign a confidentiality or non-disclosure agreement, which is not equivalent to a data processing agreement.
Likelihood of substantial damage or distress
To issue a monetary penalty, the ICO would need to show that there was a breach that was likely to result in substantial damage or distress to the data subjects.
According to the Tribunal, the ICO did not have to establish that the breach in fact caused harm but the potential damage resulting from a breach must be more than "merely being a possibility". The Tribunal did not see it as a likely conclusion from the council's reliance on GS (with whom it had a long-standing relationship) that the documents would end up in a supermarket recycling bin, accessible to the public.
In the Tribunal's view, the breach committed by the council was distinguishable from the 'trigger incident' (the documents being found in the recycling bin), and the likelihood of the trigger event arising from the council's breach was low. In preferring one expert witness to the other, the Tribunal identified that the risk of the data being misused following the trigger event, thereby causing substantial damage or distress, was also low. The Tribunal was, therefore, unable to construct a link of likelihood between the breach and substantial damage or distress.
The Tribunal noted that "what did happen was in our view a surprising outcome, not a likely one". According to the Tribunal, the council could rightly expect GS to properly destroy its records. GS originally contracted with a paper waste disposal company to destroy the records after digitisation. The council had not been made aware that GS stopped using that sub-contractor in 2008, after which point GS had no secure arrangements for the destruction of those records. It was not expected that GS would dump the records as it did – any resulting harm caused by the council's reliance on GS was not 'likely'. As a result, the breach did not fulfil the criteria for a monetary penalty.
The causation aspect of the Tribunal decision suggests that a controller is not liable for the actual acts of its processors as long as the processor was appropriately appointed. That view is at odds with the view taken by the Tribunal earlier in the decision that "It is fundamental that the data controller cannot be allowed to contract out its responsibilities", i.e. the council was responsible as a data controller for the processing of its personal data whether those activities were carried out by the council itself or by a processor on its behalf. With an eye on the draft Regulation, this case could provide another argument for imposing direct liability on data processors.
Lessons from the Tribunal
The Tribunal gave considerable weight to expert evidence: the ICO brought deputy commissioner David Smith and an ex-detective constable specialising in identity theft; the council brought a director of counter fraud services and an academic in fraud studies. The ICO's experts identified the trigger event as the basis for the monetary penalty and argued that the inadequate controls on the data made it likely that the data would be inappropriately accessed. Conversely, the council's expert "buttresses our own [Tribunal] conclusions on likelihood" and gave evidence that the dumping of the records in the recycling centre did not make substantial damage or distress likely. The Tribunal preferred the views of the council's expert, noting that he had impressive qualifications and greater relevant experience, a point specifically mentioned by the Tribunal in its decision.
If faced with a monetary penalty, it appears vital to have a good witness who can convince the Tribunal that there was little chance of the breach giving rise to substantial damage or distress.
Early payment discount
The ICO offers a discount of 20% if the monetary penalty is paid within 28 days of the notice. In this case, the council had until 11 October to pay the reduced sum of £200,000. This was also the date by which the council could appeal the notice to the Tribunal. The council queried whether it could pay the reduced penalty and still appeal to the Tribunal so as not to lose the benefit of the discount if the appeal was unfavourable to it (which the ICO thought it would do): the Tribunal did not deal with this point, instead noting that "at some stage" this issue would need to be determined.
Burden of proof
The council argued that the imposition of a monetary penalty required the ICO to show beyond reasonable doubt that the council had seriously breached the Act. The Tribunal confirmed that the civil burden of proof (i.e. the breach was more probable than not to have occurred) applies.
The extent of the harm (and its likelihood) will impact on the amount at which a penalty is fixed.
While self-reporting is promoted by the ICO, it appears that it plays no positive role in reducing the amount of any monetary penalty. Instead, the penalty may be increased for those that do not voluntarily report breaches to the ICO.
The Tribunal set aside the monetary penalty. However, as the council had breached its data protection obligations, some lesser sanction is still required. The Tribunal is able to substitute the monetary penalty with some other notice or decision that could have been served by the ICO. The Tribunal has refrained from doing so for now while the ICO and council discuss the use of formal data processing agreements and appropriate training to avoid future breaches. The parties may also agree more suitable sanctions.
As a counterpoint to the outcome in this instance, it should be remembered that the only other appeal against a monetary penalty heard by the Tribunal to date (Central London Community Healthcare NHS Trust (Case no. EA/2012/00111)) resulted in the Tribunal upholding the monetary penalty imposed by the ICO.
The original monetary penalty notice can be found here.
The Tribunal decision can be read in full here.