ICO wins round one of penalty challenge, but can it win round two?

The ICO has won the first appeal against a fine issued to an NHS Trust, but a second could pose a greater challenge

The first appeal against a monetary penalty imposed by the Information Commissioner’s Office (ICO) has been dismissed by the Information Rights Tribunal, but no surprises there.

If the Tribunal – which has heard many freedom of information cases involving the ICO – had found otherwise, the ruling would have set an important precedent, which potentially would have given rise to more appeals against ICO penalties.

The appeal was made by the Central London Community Healthcare (CLCH) NHS Trust against a monetary penalty of £90,000 imposed in April 2012.

The penalty relates to patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, that were sent to the wrong recipient 45 times over a three-month period in 2011.

In its appeal, the CLCH argued that the ICO had acted unlawfully by imposing the penalty when the Trust had reported the data breach voluntarily.

Lawyers for the CLCH said contrary to section 55A(3A) of the Data Protection Act (DPA), the ICO took into account the matters discovered during a consensual assessment when deciding to impose a penalty, and for that reason the penalty was not in accordance with the law and should be quashed.

The Trust’s lawyers also argued that the ICO failed to take into account the overriding policy to encourage cooperative working with the ICO, failed to give credit for the Trust’s transparency and cooperation, and failed to take into account that the Trust was a first-time offender.

Parliament’s intention in introducing the monetary penalties is to penalise wrongdoers rather than just identify serious contraventions

Information Rights Tribunal rules in ICO's favour

But the Information Rights Tribunal said in its decision that the aim of the statutory bar under section 55A(3A) is to prevent the ICO from using information obtained through the educational/advisory process to impose a penalty on a data controller as this would deter data controllers from taking part in good practice audits.

The Tribunal said that where the ICO is notified of a serious contravention under the DPA and conducts an investigation, that investigation is not conducted with a view to performing an educational/advisory function. Instead, it is an investigation to assess whether the case calls for regulatory action.

The Tribunal said that had the legislators intended to exclude the ICO’s power to issue a penalty in all cases where the contravention had been voluntarily reported, an exclusion would be expressly indicated in the legislation.

The Tribunal also noted that the Trust was, in effect, compelled to notify of such a breach under NHS guidance, so it may not be accurate to describe its actions as purely “voluntary”, and that parliament’s intention in introducing the monetary penalties is to penalise wrongdoers rather than just identify serious contraventions.

According to the Tribunal, there can be no serious dispute that the ICO has the power to investigate contraventions in its enforcement capacity and not just in the guise of an educator. “Any other conclusion would result in serious violence to the legislation,” it said in its decision.

The argument around whether a voluntary notification of a serious breach of the DPA precludes the ICO from investigating with the view to issuing a penalty is not the only principle at issue, but it does form the heart of the CLCH’s appeal.

How will the ICO fair if NHS Trust appeals?

The Central London Community Healthcare NHS Trust may have lost round one, but for many that was a foregone conclusion. What could be more significant is round two – if the CLCH decides to appeal.

But it is still not clear whether or not the Trust will take the matter to the next stage as it is still considering the Tribunal’s verdict.

“We won’t be commenting further until we have completed this consideration with our legal advisers,” said CLCH chief executive James Reilly in a statement.

The Trust has 28 days in which to make an appeal, so by mid-February it should be clear if there will be a second round, in which the ICO could face a much more serious challenge to its monetary penalties in this and other cases where data controllers have reported breaches of the DPA voluntarily.

Read more on Privacy and data protection