This post was written by Cynthia O’Donoghue.
The First-Tier Tribunal General Regulatory Chamber for Information Rights has dismissed the first appeal against a Monetary Penalty Notice issued by the UK Information Commissioner’s Office (ICO) for a serious violation of the Data Protection Act 1998 (DPA). The ICO had issued the Central London Community Healthcare NHS Trust (the Trust) with a Monetary Penalty Notice of £90,000 for repeatedly faxing sensitive patient data relating to its palliative care unit to an incorrect fax number. The ICO issued the notice for a breach of the 7th Data Protection Principle, which requires the implementation of appropriate technical and organisational security measures.
The Trust appealed the penalty on the basis that the ICO erred in law when it issued the monetary penalty, as the Trust had gone through an ICO assessment following the self-reported breach. Under the DPA, any organisation that goes through an ICO assessment cannot be issued a penalty notice based on the outcome of the assessment. The ICO had argued that it would be absurd not to issue a monetary penalty notice where there was a serious breach of the DPA merely because an organisation had self-reported. The first tribunal found that the process undergone by the Trust following its report of the breach was not an “assessment”; rather, it was an investigation, notwithstanding that the Trust worked with the ICO to remediate its procedures. In order not to diminish the impact of self-reporting, the tribunal did emphasise in its analysis that the ICO does take into account organisations’ self-reporting when the level of the fine is assessed.
When issuing Monetary Penalty Notices, the ICO typically exercises its discretion by discounting any penalty by 20% if the fine is paid within a set time period. Prior to the hearing, the Trust had offered to pay £72,000 (the sum applicable under the early payment discount scheme) on the basis that this payment would be without prejudice to the right to appeal, and that the payment would be refunded by the ICO if the appeal succeeded; but the ICO refused. The Trust raised this on appeal, arguing that the ICO should have exercised its discretion differently rather than putting the Trust in the position of either paying the discounted amount and forgoing the appeal, or appealing and forfeiting the discount. The first tribunal refused to treat the discount as having been preserved during the appeal process, since the discount scheme sought to encourage early payment and early resolution, finding that as the Trust chose not to accept the terms, it was “its loss” when the appeal failed.
The tribunal’s ruling illustrates the importance of the procedure undertaken by the ICO when issuing Monetary Penalty Notices, and that the risk of appeal and loss of any incentive to resolve a matter expediently rests with the party deciding to appeal.