The Tribunal rejected the appeal of the Central London Community
Healthcare Trust (the Trust) against an ICO decision to serve a monetary penalty notice of
£90,000 in 2012. The monetary penalty notice was issued
following a data breach which involved 45 separate fax messages
containing lists of palliative care inpatients, including
particularly sensitive and confidential data like medical
diagnoses, being sent to the wrong recipient – a member of
the public – instead of a hospice, over a period of two
months. While the Trust did not deny the breach, they argued the
ICO was wrong to issue a monetary penalty notice on the grounds
that it had self-reported the breach notifying the ICO.
Upper Tribunal Judge Nicholas Wikeley ruled, "The
logical implication of the Trust's construction of the
legislative scheme is that a data controller responsible for a
deliberate and very serious breach of the DPA would be able to
avoid a monetary penalty notice by simply self-reporting that
contravention and co-operating with the Commissioner thereafter.
Such an offender would be in a better position than a data
controller acting in good faith, but unaware of a breach, who could
be subject of a monetary penalty notice because a third party
reported the matter to the Commissioner. Such an arbitrary outcome
would necessarily undermine both the effectiveness of, and public
confidence in the regulatory regime."
Commentators have been quick to point out that in spite of this
ruling, the benefits of informing the ICO about serious data
breaches continue to significantly outweigh the risks associated
with being served a fine. Deputy Information Commissioner David
Smith commented that the UK regulator does look favourably on
companies that self-report data breaches even though the act of
reporting does not give automatic immunity from fines. Furthermore,
informing the ICO directly gives organisations the chance to
justify their case and have some influence over the rectification
measure the ICO may impose through their enforcement regime. To
this extent, self-reporting must be seen as a mitigating factor
that the ICO consider when determining the level of monetary
penalty notices they issue.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The Information Commissioner’s Office published guidance on the difference between data controllers and data processors under the Data Protection Act 1998.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”