A series of unlikely events
The fuller opinion article on the penalties imposed by the Information Commissioner for loss of personal data
In April 2010, the Data Protection Act 1998 (“DPA”) was amended using the bizarre route of s 144 of the Criminal Justice and Immigration Act 2008, at a stroke giving the Information Commissioner (“ICO”) a new power to issue monetary penalties, i.e. fines, of up to £500,000 for breaches of the DPA.
A year on from the Scottish Borders Council (“SBC”) appeal, when a £250,000 data protection fine was cancelled, the only successful DPA appeal to date, it is worth reminding ourselves of the First Tier Tribunal’s (“FTT”) written decision dated 21 August 2013, following its ex tempore ruling a month before:
“Our conclusion therefore was that there was no liability to a monetary penalty in this case because looking at the facts and circumstances of the contravention, whilst it was serious, it was not of a kind likely to cause substantial damage or substantial distress.”
The Information Commissioner, Christopher Graham, was clearly miffed with the outcome, evidenced by the Independent’s interview with him on 23 February 2014 where he commented on this case: “I had one of our fines struck down the other day [sic – it was in fact six months earlier] because I couldn’t prove that dumping all the pensions records in the recycling area of the local supermarket was going to cause serious damage or distress”, he complains, of an attempted prosecution of Scottish Borders Council. “I couldn’t prove that someone of malicious intent had picked up all this personal information and was going to be doing people down.”
That was, to put it mildly, an interesting take on what the FTT actually decided. So on this, the first anniversary of the appeal, we decided to reflect on the enforcement action taken by the ICO over the past year, happily coinciding with the publication of the ICO’s annual report also in July. In the annual report the ICO reiterated his plea for increased powers to send individuals to prison for stealing data, and for an integrated budget to allow him to deal with FoI and DPA work. Here we will look at the fines under the DPA and the Privacy and Electronic Communication Regulations 2003 (“PECR”), issued over the last year, and consider how, if at all, enforcement action has changed in terms of assessing likelihood of substantial damage or substantial distress. Parliament presumably set the thresholds of damage and distress required at these levels taking into account the level of fine it had just given the ICO the power to impose.
Post-SBC fines overview
In 2013-14 the ICO issued 19 monetary penalty notices: five to local authorities (two Scottish); three to public health care organisations; three to other public sector organisations; two to private companies; and one to a charity. There were also five fines issued for breaches of PECR, the regulations relating to spam texts, calls and emails.
The highest fines issued were for £200,000 and were imposed on a charity, British Pregnancy Advisory Service, and NHS Surrey. Both had breached the seventh data protection principle, and in each case the data controller “lost” sensitive information about the health of data subjects. The lowest fine, of £5,000, was issued to a private company which lost personal data when an unencrypted hard drive containing customer information was stolen.
SBC appeal and likelihood
The SBC appeal concerned a breach involving the loss of non-sensitive personal data. In the SBC appeal the FTT was unable to construct a likely chain of events which would lead to “substantial damage or substantial distress”. The FTT was also unimpressed by the submission from David Smith, the deputy commissioner, that the data might be published in a newspaper, causing substantial distress: “We simply cannot accept his suggestion for example that it was likely that a newspaper would want to publish extracts from the early leavers’ pension files, given that he does not specify how it was likely that a newspaper should obtain them in the first place.”
The real focus of the appeal was on whether the information in the pension files could be used to carry out identity fraud or theft.
The FTT preferred the evidence of the expert witness for SBC, who concluded that it was unlikely that the lost personal data concerned – names, addresses, national insurance numbers and bank details – would cause substantial damage or substantial distress. The expert had carried out extensive field work and, using the same type of information, had failed to open bank accounts, obtain credit, apply for a passport or apply for a driving licence. Therefore the evidence preferred by the FTT was that it was unlikely that this type of information could have been used to steal someone’s identity and commit fraud.
Recent fines and likelihood
Out of the 19 fines issued during the last year by the ICO, three were imposed for the loss of personal data that – like the data concerned in the SBC appeal – was not classed as sensitive, as defined by s 2 DPA. However in all three cases the ICO nonetheless felt able to assert that it was likely that the contravention would have caused substantial damage by exposing the data subjects to identity fraud and possible financial loss.
In our view, given the decision in the SBC appeal, the ICO would have struggled to demonstrate to the FTT that the contravention in these three cases was of a kind likely to cause substantial damage or substantial distress. The Commissioner’s reasoning on likelihood is not set out in the notice advising the data controllers of the fine, and, as the tribunal established in the SBC appeal, the likelihood of identity fraud is not obvious given the procedures followed by financial institutions nowadays.
In relation to two of the fines issued last year, to Bank of Scotland (a £75,000 fine imposed in August 2013) and Jala Transport (a £5,000 fine imposed in September 2013), copy identification documentation was lost. However, from the expert field work carried out in advance of the SBC appeal, it appears that it is not possible to obtain credit or set up a fake identity without original identification documentation, e.g. a passport or driving licence. Therefore in our view the FTT would come to the same conclusion in these two cases: that it was unable to construct a likely chain of events which would lead to substantial distress or substantial damage. Glasgow City Council was fined £150,000 in June 2013, a fine issued just prior to the decision in the SBC appeal. We are of the view that, given the decision in the SBC appeal, this fine does not meet the test set out in s 55A DPA.
Conclusion in relation to DPA breaches
So it appears to us that the ICO has not changed his approach to “likelihood” in cases involving non-sensitive personal data since the Scottish Borders appeal. Perhaps this is not surprising, given Mr Graham’s complaint of injustice in the Independent.
Spam, spam, spam, spam
In October 2013 the ICO’s fine in relation to a PECR breach was also cancelled by the FTT. The ICO appealed this decision to the Upper Tier Tribunal (UTT) and in June 2014 it upheld the FTT’s decision to overturn the monetary penalty. This related to a fine of £300,000 imposed on Christopher Niebel for breaching PECR through misuse of spam texts.
This appeal also concerned the interpretation of s 55A DPA and the question “was the contravention of a kind likely to cause substantial damage or substantial distress?” The focus was on whether substantial distress was likely, rather than substantial damage as in the SBC case. The UTT agreed with the FTT that the ICO’s guidance defining distress as “any injury to feelings” was too broad. It drew a distinction between “irritation” and “distress”, holding that the texts in this case would have merely caused irritation and not substantial distress or substantial damage. This clearly irked Mr Graham as well, as the Independent article again made clear:
“We could show there was nuisance – that isn’t enough apparently,” says the commissioner. “We have just got to lower that hurdle because I think if you ask most people they would say silent calls and unsolicited spam texts are one of the great curses of the age – and if the Information Commissioner can’t protect you it’s a poor lookout.”
Conclusion in relation to PECR breaches
It appears that Parliament did not intend to allow fines of up to £500,000 to be imposed for irritating behaviour when it passed the DPA amendment in 2011, applying the monetary penalty power to PECR breaches. However Simon Hughes, the Minister of State for Justice and Civil Liberties, stated at the ICO’s Data Protection Practitioners Conference in Manchester on 3 March 2014 that he was considering plans to lower the threshold. There is no denying that it is a modern scourge, and we are almost all annoyed and irritated if we receive spam texts, automated calls and emails on a regular basis. The question is whether a nominally “civil” monetary penalty regime is effective in relation to PECR breaches.
At the start of 2013, the level of unpaid fines in the UK was £1.8 billion. The “civil” epithet may not send a sufficiently overt deterrent message to spammers. Would, for example, the ICO’s aims and the public interest be better served by using enforcement notices with the threat of a criminal sanction for a breach, or by Parliament legislating to make a serious PECR breach a criminal matter, and thus grounds for seeking director disqualification as a punishment?
Paul Motion and Laura Irvine are solicitor advocates with bto solicitors, Edinburgh. They acted for Scottish Borders Council in the appeal which is mentioned.