Will the ICO’s 'big stick' approach backfire long-term?

The ICO claims to be about helping organisations to do the right thing, yet it punishes those that report breaches. Is this really a good policy?

The Information Commissioner’s Office (ICO) claims to be about helping organisations to do the right thing, yet it punishes organisations that report breaches. But does this make sense? Is this really a good policy?

The best-known case is the Brighton and Sussex University Hospitals NHS Trust, which was hit with a £325,000 monetary penalty earlier this year after reporting a breach.

At the time, the trust said it would challenge the ICO and appeal against the fine to the Information Tribunal, but backed down in June, opting instead to pay a reduced fine of £260,000.

However, another unnamed trust understood to be in a similar position of being hit with a fine after going to the ICO is pushing forward with its challenge.

The trust has lodged an appeal against the penalty with the Information Tribunal, with the case set to start in early December.

This will be the first of the NHS trusts hit by penalties to challenge the ICO, and, if it wins the appeal, it will set an interesting precedent that could prompt appeals by other trusts also fined after coming forward.

But Information Commissioner Christopher Graham appears to be set on using the Brighton and Sussex University Hospitals NHS Trust and the coming Information Tribunal hearing to demonstrate his power and authority.

He told attendees of a recent Westminster eForum in London that while the ICO is about engaging with business, enabling organisations to keep data safe, empowering individuals to assert their rights, and educating people around data protection, it is also about enforcement.

The penalty against the Brighton and Sussex University Hospitals NHS Trust related to the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff on hard drives, sold on internet auction site eBay in October and November 2010.

The trust disputed the ICO’s findings that it was negligent in the case, but the Information Commissioner is adamant that the ICO’s investigation – conducted after the trust reported the issue – revealed that, as data controller, it was “not in the least bit in control”.

In the case of the Brighton and Sussex University Hospitals NHS Trust, Graham said: “It was serious stuff containing sensitive personal information – now you don’t get off that just by saying 'Oops, we made a mistake'.”

The Information Commissioner warned that balancing all the other roles of the ICO is enforcement. “There is a big stick in the cupboard – the fact that we are not waving it around all the time doesn’t mean it isn’t there, and won’t be used in appropriate circumstances,” he said.

Yet it is balance that the trust that is appealing to the Information Tribunal for and will be the basis of its appeal next month.

Stewart Room, partner at Field Fisher Waterhouse, a legal firm working on the appeal for the trust, told the Westminster eForum that in terms of “black letter law” any situation where the Information Commissioner performs an assessment or there has been an assessment notice, is an exception to the rule requiring monetary penalties.  

“The regulator can coerce an organisation to participate in an assessment notice and they will not be fined. Or he can also go to an organisation and say I want to carry out an audit, and if they sign up for that and he discovers bad stuff, they are not fined,” he said.

Yet, said Room, when an organisation in exactly the same position where there is a concern about compliance with the Data Protection Act goes to the ICO to report its concerns, it is fined.

He believes this should be tested in court because “there is a very good argument to say that the process following a voluntary report of an incident is an assessment and is therefore subject to the carve out on the financial penalty.”

This will all be argued out in front of the Information Tribunal in December, and turns on different interpretations of the law.

While a victory for the NHS trust challenger could have some interesting implications for others in a similar position, victory for the ICO will undoubtedly have at least one negative effect of discouraging organisations from reporting data breaches.

Organisations are unlikely to seek advice about data breaches if they see a pattern of fining, said Room. “There is a genuine legal issue here and also a genuine concern,” he said.

Win or lose, the case raises some important questions about the ICO as an effective regulator and whether its stance in this case is good long-term policy in terms of building a relationship with UK data controllers.

Victory for the Information Commissioner may help bolster his authority and prove once and for all he is willing and able to use his “big stick” - but it may also undermine any trust in the ICO.

Read more on Privacy and data protection