In a recent appeal by a pharmacy, Doorstep Dispensaree Limited ("Doorstep"), against a Monetary Penalty Notice and an Enforcement Notice issued against it by the Information Commissioner's Office (the "ICO"), Doorstep was partially successful, specifically against the level of fine imposed by the ICO under the Monetary Penalty Notice. The decision of the First-Tier (Information Rights) Tribunal (the "Tribunal") provides guidance that is applicable to other cases involving monetary penalties imposed by the ICO for data protection breaches.
Doorstep's data breach
Doorstep operates as both a 'closed' online pharmacy and as a retail pharmacy. Following the execution of a search warrant by the Medicines and Healthcare Products Regulatory Agency ("MHRA") at Doorstep's premises relating to a different matter, the ICO was notified that 47 stacked, unlocked crates had been recovered from the yard at the premises, and that all of these contained personal data and special category personal data relating to Doorstep's pharmacy business. Approximately half a million records were said to have been recovered.
On 17 December 2019, the ICO issued Doorstep with a Monetary Penalty Notice and an Enforcement Notice under the Data Protection Act 2018 (the "DPA 2018"), and imposed a fine of £275,000. The ICO's Director of Investigations said "the careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss".
In setting the level of fine, the ICO only considered the contravention from 25 May 2018 – the date from which the GDPR came into effect in the UK.
The Tribunal's decision
Doorstep appealed on 10 February 2020; the Tribunal reduced the fine from £275,000 to £92,000 but upheld the Enforcement Notice.
The first issue – where does the burden of proof lie?
Doorstep argued that the burden of proof lay with the ICO as the regulator. The ICO argued that the burden of proof was neutral, but that in any event it was a secondary issue, because the Tribunal had to carry out a full review of the merits and make new findings of fact.
The Tribunal said that when reaching its decision, it was not required to undertake a review of the reasonableness of the ICO's decision, but must decide whether it would reach the same decision itself on the basis of the evidence before it. However, it followed a Court of Appeal decision that said "careful attention" must be paid to the reasons given by the ICO (as the original decision-maker), because Parliament had entrusted it to make such decisions.
The Tribunal broadly agreed that the initial burden of proof rests with the ICO, which must prove that the infringement has taken place. However, once evidence of infringement has been introduced, the evidential burden shifts to the controller or processor of the personal data.
The second issue – what is the standard of proof?
Both sides agreed that the civil standard of proof (on the balance of probabilities) applied to the Enforcement Notice. But Doorstep argued that the criminal standard of proof (beyond a reasonable doubt) applied to the Monetary Penalty Notice. This is because it was said to have consequences and attributes similar to a criminal sanction. The ICO disagreed.
The Tribunal agreed with the ICO and decided that the civil standard of proof also applied to the Monetary Penalty Notice. The Tribunal gave several reasons for reaching this view, including that: in contrast to other legislative examples, the language of the relevant section of the DPA 2018 did not refer to the creation of 'an offence'; and although the level of fine that may be imposed is significant, there was no question of a deprivation of liberty.
The Tribunal also said that the DPA 2018 creates two distinct penalty regimes: (i) the Monetary Penalty Notice regime, an appeal against which is made to a civil tribunal and is brought under the same statutory provisions as other appeals under the relevant section of the DPA 2018; and (ii) the second penalty regime that is framed by reference to a criminal process as set out in ss.196 – 200 of the DPA 2018, and which uses the language of criminal offences and convictions.
The third issue – was the level of monetary penalty imposed appropriate?
Doorstep argued that the ICO had incorrectly relied on an assertion by the MHRA about the number of documents that it had found. The Tribunal noted that the ICO had only viewed a sample of the documents itself, and relied on an audit carried out by the MHRA that estimated the number of documents recovered as being over half a million. Doorstep also argued that the ICO had failed to take into account its ability to pay the fine and level of financial hardship.
Doorstep's solicitor had carried out an audit of the documents and identified that there were fewer than 75,000 in total, not all of which contained personal data and only a proportion of which contained special category data. Doorstep relied on this audit as evidence that any breach of the GDPR was much less serious than the ICO assessed it to be.
The Tribunal reduced the Monetary Penalty Notice to £92,000, a reduction of approximately two thirds. It accepted Doorstep's own audit evidence and said that the ICO had relied on evidence that was produced during an investigation by the MHRA for a different purpose. Therefore, "it lacks important details about the nature of the personal data concerned, not least an accurate calculation of the number of documents recovered".
However, having considered all of the available evidence, the Tribunal was satisfied that imposing a Monetary Penalty Notice was appropriate because the contraventions identified were sufficiently serious. The Tribunal also concluded that issuing a Monetary Penalty Notice was an effective, proportionate and dissuasive response to Doorstep's contraventions.
In relation to Doorstep's alleged lack of ability to pay, the Tribunal agreed with the ICO that a person responsible for a serious contravention of the GDPR should not avoid a monetary penalty solely on the basis of their financial position, since such a practice would undermine a key purpose of the legislation. However, the judge said that financial hardship remained important when considering mitigation.
Key learnings from this case
Monetary Penalty and Enforcement Notices under the GDPR and DPA 2018 are still relatively new – at the time of writing, the ICO has only issued 46 of the former and 19 of the latter. Therefore, the guidance in this judgment is helpful in order to better understand how the level of any fine ought to be assessed, and the factors that a Tribunal will take into account when reviewing the evidence.
It is essential for a controller or processor to determine the exact number of documents that contain personal or special category data following any breach, especially if they are seeking to challenge the ICO's position. However, the outcome in this case will also likely prompt the ICO to be more thorough in its own investigations and evidence-gathering from now on rather than relying on evidence obtained by other organisations.
Notwithstanding that, given that the potential fines under the GDPR can reach as high as €20 million or 4% of annual global turnover, controllers and processors will welcome the fact that the judgment acknowledges that financial hardship ought to be taken into account in mitigation, even if a fine cannot be avoided altogether.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.