The Tribunal rejected the appeal of the Central London Community
Healthcare Trust (the Trust) against an ICO decision to serve a monetary penalty notice of
£90,000 in 2012. The monetary penalty notice was issued
following a data breach in which 45 separate fax messages
containing lists of palliative care inpatients, including
particularly sensitive and confidential data such as medical
diagnoses, were sent to the wrong recipient – a member of
the public – instead of a hospice, over a period of two
months. While the Trust did not deny the breach, it argued that the
ICO was wrong to issue a monetary penalty notice on the grounds
that the Trust had itself reported the breach to the ICO.
Upper Tribunal Judge Nicholas Wikeley ruled, "The
logical implication of the Trust's construction of the
legislative scheme is that a data controller responsible for a
deliberate and very serious breach of the DPA would be able to
avoid a monetary penalty notice by simply self-reporting that
contravention and co-operating with the Commissioner thereafter.
Such an offender would be in a better position than a data
controller acting in good faith, but unaware of a breach, who could
be subject of a monetary penalty notice because a third party
reported the matter to the Commissioner. Such an arbitrary outcome
would necessarily undermine both the effectiveness of, and public
confidence in the regulatory regime."
Commentators have been quick to point out that, in spite of this
ruling, the benefits of informing the ICO about serious data
breaches continue to significantly outweigh the risk of
being served a fine. Deputy Information Commissioner David
Smith commented that the UK regulator does look favourably on
organisations that self-report data breaches, even though the act of
reporting does not give automatic immunity from fines. Furthermore,
informing the ICO directly gives organisations the chance to
put their case and have some influence over the remedial
measures the ICO may impose through its enforcement regime. To
that extent, self-reporting should be seen as a mitigating factor
that the ICO considers when determining the level of any monetary
penalty notice it issues.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.