This post was written by Cynthia O’Donoghue.
A judgement of the Upper Tribunal of the UK Information Rights Tribunal (the Tribunal), in the case of Central London Community Healthcare Trust v Information Commissioner  UKUT 0551 (AAC), has ruled that organisations which voluntarily report incidents of data security breaches to the ICO do not gain automatic immunity from penalty fines in relation to that breach.
The Tribunal rejected the appeal of the Central London Community Healthcare Trust (the Trust) against an ICO decision to serve a monetary penalty notice of £90,000 in 2012. The monetary penalty notice was issued following a data breach which involved 45 separate fax messages containing lists of palliative care inpatients, including particularly sensitive and confidential data like medical diagnoses, being sent to the wrong recipient – a member of the public – instead of a hospice, over a period of two months. While the Trust did not deny the breach, they argued the ICO was wrong to issue a monetary penalty notice on the grounds that it had self-reported the breach notifying the ICO.
Upper Tribunal Judge Nicholas Wikeley ruled, “The logical implication of the Trust’s construction of the legislative scheme is that a data controller responsible for a deliberate and very serious breach of the DPA would be able to avoid a monetary penalty notice by simply self-reporting that contravention and co-operating with the Commissioner thereafter. Such an offender would be in a better position than a data controller acting in good faith, but unaware of a breach, who could be subject of a monetary penalty notice because a third party reported the matter to the Commissioner. Such an arbitrary outcome would necessarily undermine both the effectiveness of, and public confidence in the regulatory regime.”
Commentators have been quick to point out that in spite of this ruling, the benefits of informing the ICO about serious data breaches continue to significantly outweigh the risks associated with being served a fine. Deputy Information Commissioner David Smith commented that the UK regulator does look favourably on companies that self-report data breaches even though the act of reporting does not give automatic immunity from fines. Furthermore, informing the ICO directly gives organisations the chance to justify their case and have some influence over the rectification measure the ICO may impose through their enforcement regime. To this extent, self-reporting must be seen as a mitigating factor that the ICO consider when determining the level of monetary penalty notices they issue.