The Tribunal rejected the appeal of the Central London Community
Healthcare Trust (the Trust) against an ICO decision to serve a monetary penalty notice of
£90,000 in 2012. The monetary penalty notice was issued
following a data breach which involved 45 separate fax messages
containing lists of palliative care inpatients, including
particularly sensitive and confidential data like medical
diagnoses, being sent to the wrong recipient – a member of
the public – instead of a hospice, over a period of two
months. While the Trust did not deny the breach, they argued the
ICO was wrong to issue a monetary penalty notice on the grounds
that it had self-reported the breach notifying the ICO.
Upper Tribunal Judge Nicholas Wikeley ruled, "The
logical implication of the Trust's construction of the
legislative scheme is that a data controller responsible for a
deliberate and very serious breach of the DPA would be able to
avoid a monetary penalty notice by simply self-reporting that
contravention and co-operating with the Commissioner thereafter.
Such an offender would be in a better position than a data
controller acting in good faith, but unaware of a breach, who could
be subject of a monetary penalty notice because a third party
reported the matter to the Commissioner. Such an arbitrary outcome
would necessarily undermine both the effectiveness of, and public
confidence in the regulatory regime."
Commentators have been quick to point out that in spite of this
ruling, the benefits of informing the ICO about serious data
breaches continue to significantly outweigh the risks associated
with being served a fine. Deputy Information Commissioner David
Smith commented that the UK regulator does look favourably on
companies that self-report data breaches even though the act of
reporting does not give automatic immunity from fines. Furthermore,
informing the ICO directly gives organisations the chance to
justify their case and have some influence over the rectification
measure the ICO may impose through their enforcement regime. To
this extent, self-reporting must be seen as a mitigating factor
that the ICO consider when determining the level of monetary
penalty notices they issue.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Four years after the overhaul of European data protection laws began, the final text of the new General Data Protection Regulation (GDPR) was approved in Spring 2016 and the new rules will come into effect on 25 May 2018.
A recent High Court decision, TLT and others v Secretary of State for the Home Office  EWHC 2217 (QB) ("TLT v SoS"), paves the way for the greater recognition of distress in cases of data breaches and the misuse of private information.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).