18 July 2014
One year on, has the ICO learned from the Scottish Borders Appeal?
In April 2010, the Data Protection Act 1998 (DPA) was amended using the bizarre route of Section 144 of the Criminal Justice and Immigration Act 2008, at a stroke giving the Information Commissioner (ICO) a new power to issue Monetary Penalties, i.e. fines, of up to £500,000 for breaches of the DPA. A year on from the Scottish Borders appeal, when a £250,000 data protection fine was cancelled, the only successful DPA appeal to date, it is worth reminding ourselves of the First Tier Tribunal’s (FTT) decision dated 21st August 2013:
‘Our conclusion therefore was that there was no liability to a monetary penalty in this case because looking at the facts and circumstances of the contravention, whilst it was serious, it was not of a kind likely to cause substantial damage or substantial distress’.
The Information Commissioner, Christopher Graham, was clearly miffed with the outcome, as evidenced by the Independent’s interview with him on 23 February 2014, where he commented on this case:
‘I had one of our fines struck down the other day (sic – it was in fact six months earlier..) because I couldn’t prove that dumping all the pensions records in the recycling area of the local supermarket was going to cause serious damage or distress,’ he complains, of an attempted prosecution of Scottish Borders Council. ‘I couldn’t prove that someone of malicious intent had picked up all this personal information and was going to be doing people down.’
That was, to put it mildly, an interesting take on what the FTT actually decided. So on this, the first anniversary of the appeal, we decided to reflect on the enforcement action taken by the ICO over the past year, happily coinciding with the publication of the ICO’s annual report two weeks ago. In the annual report the ICO reiterated his plea for increased powers to send individuals to prison for stealing data and for an integrated budget to allow him to deal with FOI and DPA work. Here we will look at the fines issued over the last year and consider how, if at all, enforcement action has changed in terms of assessing likelihood of damage or distress.
Post-SBC fines overview
In 2013/14 the ICO issued 19 Monetary Penalty Notices: 5 to local authorities (2 Scottish); 3 to public health care organisations; 3 to other public sector organisations; 2 to private companies and 1 to a charity. There were also 5 fines issued for breaches of PECRs, the regulations relating to spam texts and emails.
The highest fines issued were for £200,000 and were imposed on a charity, British Pregnancy Association, and NHS Surrey. They both breached the seventh data protection principle and ‘lost’ sensitive information about the health of data subjects. The lowest fine of £5,000 was issued to a private company which lost personal data when an unencrypted hard drive containing customer information was stolen.
SBC appeal and likelihood
In the SBC appeal the FTT was unable to construct a likely chain of events which would lead to ‘substantial damage or substantial distress’. The FTT was also unimpressed by the submission from David Smith, the Deputy Commissioner, that the data might be published in a newspaper causing substantial distress:
‘We simply cannot accept his suggestion for example that it was likely that a newspaper would want to publish extracts from the early leavers’ pension files given that he does not specify how it was likely that a newspaper should obtain them in the first place’.
The real focus of the appeal was on whether the information in the pension files could be used to carry out identity fraud or theft.
The FTT preferred the evidence of the expert witness for Scottish Borders Council who concluded that it was unlikely that the loss of the personal data concerned - names, addresses, NI numbers and bank details - would cause substantial damage or substantial distress. The SBC expert had carried out extensive field work and, using the same type of information, had failed to open bank accounts, obtain credit, apply for a passport or apply for a driving licence. Therefore the evidence preferred by the FTT was that it was unlikely that this type of information could have been used to steal someone’s identity.
Recent fines and likelihood
Out of the 19 fines issued during the last year by the ICO, three were imposed for the loss of personal data that – like the SBC appeal data - was not classed as sensitive. However, in all three cases the ICO nonetheless felt able to assert that it was likely that the contravention would have caused substantial damage by exposing the data subjects to identity fraud and possible financial loss.
In our view, given the decision in the SBC appeal, the ICO would have struggled to demonstrate to the FTT that the contravention in these three cases was of a kind likely to cause substantial damage or substantial distress.
In relation to two of the fines issued last year, to Bank of Scotland (a £75,000 fine imposed in August 2013) and Jala Transport (a £5,000 fine imposed in September 2013), copy identification documentation was lost. However from the expert field work carried out in advance of the SBC appeal, it appears that it is not possible to obtain credit or set up a fake identity without original identification documentation. Therefore in our view the FTT would come to the same conclusion in these two cases: that it was unable to construct a likely chain of events which would lead to substantial distress or substantial damage. Glasgow City Council was fined £150,000 in June 2013, issued just prior to the decision in the Scottish Borders case. We are of the view that, given the decision in the Scottish Borders Council appeal, this fine is also not sustainable.
So it appears that the ICO has not changed his approach to “likelihood” since the Scottish Borders appeal. Perhaps this is not surprising given Mr Graham’s complaint of injustice in the Independent.
Spam, Spam, Spam, Spam
In June 2014 the ICO also failed to persuade the Upper Tier Tribunal (UTT) to overturn the only other successful appeal against the imposition of a monetary penalty to date. This successful appeal was decided in October 2013 and related to a fine of £300,000 imposed on Christopher Niebel for breaching PECR through misuse of spam texts.
This appeal also concerned the interpretation of DPA s55A and the phrase “was the contravention of a kind likely to cause substantial damage or substantial distress”. The discussion in relation to distress is interesting. The UTT agreed with the FTT that the ICO’s guidance defining distress as “any injury to feelings” was too broad. They drew a distinction between ‘irritation’ and ‘distress’ holding that the texts in this case would have merely caused irritation and not substantial distress or substantial damage. This clearly irked Mr Graham as well, as the Independent article made clear:
“We could show there was nuisance – that isn’t enough apparently,” says the commissioner. “We have just got to lower that hurdle because I think if you ask most people they would say silent calls and unsolicited spam texts are one of the great curses of the age – and if the Information Commissioner can’t protect you it’s a poor lookout.”
The Data Protection Act 1998 and underlying Directive are about the protection of an individual’s “personal” data. So it should come as no surprise to find that the Tribunals are making it clear they expect a realistic approach to assessment of the human consequences of data breaches and PECR breaches. The likelihood of damage must be based on more than conjecture and distress has to be more than mere irritation. If evidential thresholds are getting in the way of monetary penalties the answer is to provide the requisite evidence, not to call for the lowering of the threshold and potentially criminalising conduct that is undeserving of such categorisation.
Paul Motion is a solicitor advocate with BTO solicitors Edinburgh. He acted for Scottish Borders Council in the appeal which is mentioned.