The Tribunal rejected the appeal of the Central London Community
Healthcare Trust (the Trust) against an ICO decision to serve a monetary penalty notice of
£90,000 in 2012. The monetary penalty notice was issued
following a data breach which involved 45 separate fax messages
containing lists of palliative care inpatients, including
particularly sensitive and confidential data like medical
diagnoses, being sent to the wrong recipient – a member of
the public – instead of a hospice, over a period of two
months. While the Trust did not deny the breach, they argued the
ICO was wrong to issue a monetary penalty notice on the grounds
that it had self-reported the breach notifying the ICO.
Upper Tribunal Judge Nicholas Wikeley ruled, "The
logical implication of the Trust's construction of the
legislative scheme is that a data controller responsible for a
deliberate and very serious breach of the DPA would be able to
avoid a monetary penalty notice by simply self-reporting that
contravention and co-operating with the Commissioner thereafter.
Such an offender would be in a better position than a data
controller acting in good faith, but unaware of a breach, who could
be subject of a monetary penalty notice because a third party
reported the matter to the Commissioner. Such an arbitrary outcome
would necessarily undermine both the effectiveness of, and public
confidence in the regulatory regime."
Commentators have been quick to point out that in spite of this
ruling, the benefits of informing the ICO about serious data
breaches continue to significantly outweigh the risks associated
with being served a fine. Deputy Information Commissioner David
Smith commented that the UK regulator does look favourably on
companies that self-report data breaches even though the act of
reporting does not give automatic immunity from fines. Furthermore,
informing the ICO directly gives organisations the chance to
justify their case and have some influence over the rectification
measure the ICO may impose through their enforcement regime. To
this extent, self-reporting must be seen as a mitigating factor
that the ICO consider when determining the level of monetary
penalty notices they issue.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
A fundamental aspect of all fair and lawful processing of personal data under the current data protection rules is the requirement for the party who is the data controller to meet one or more conditions ("the conditions for processing").
The second in our mini-series on the ICO guidance on Consent, published on 2 March 2017, focuses on how the changes to be introduced by the GDPR (General Data Protection Regulation) will impact upon your business and what you can do to pre-empt the changes before their introduction in May 2018.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).