In August 2013 the First Tier Tribunal - General Regulatory Chamber published the reasons for its decision earlier in the year to overturn a fine of £250,000 imposed by the Information Commissioner's Office on the Scottish Borders Council for a serious Data Protection Act breach. The decision gives useful guidance on the approach which may now be taken by the Information Commissioner when assessing the appropriate level of fine for a breach of the data protection legislation, especially in light of the guidance the Information Commissioner's Office itself published in April 2013. It is also a reminder of the steps a data controller must take with regard to security arrangements in contracts with data processors.
The data protection breach arose out of a security failure by a subcontractor of the Scottish Borders Council who had been engaged to scan employee records. Original files containing the employee records were found in and around a recycling waste paper bin outside a Tesco store. The Information Commissioner had concluded this was a serious breach of the security obligations of the data controller – the Scottish Borders Council – and had imposed a fine of £250,000, against which the Council appealed.
The Tribunal concluded that the standard of proof to be applied by the Information Commissioner's Office as to whether or not a fine should be imposed was the ordinary civil standard of proof rather than the higher criminal standard of proof.
They also concluded that there had been a breach of the Seventh Principle in that appropriate security measures were not in place. Whilst there was a contract between the Council and the subcontractor, there was no clarity as to how the hard copy files were to be treated after they had been scanned, there was no assessment of the security measures being used by the subcontractor prior to putting in place the latest contract between the parties and there was no action to ensure compliance with the data controller's obligation to implement appropriate security measures. There was, accordingly, a breach of the data protection obligations as regards security measures.
The appropriate level of fine
The Tribunal agreed that the breach was, indeed, serious; the Council could not be allowed to contract out of its security obligations and the breach was systemic rather than an isolated human error. In fact, the Council had no effective means of ensuring compliance with its security obligations in many arrangements with subcontractors.
Whilst the breach was serious, the Tribunal disagreed with the Information Commissioner on the question as to whether or not this serious breach was of a kind likely to cause substantial damage or substantial distress. There was little likelihood that the data would really fall into the public domain and/or that it would be used to effect identity theft. In the circumstances, the Tribunal concluded that whilst the breach was serious, it was not of a kind likely to cause substantial damage or substantial distress. This means that no fine could be imposed. However, interestingly, the Tribunal said that it was not prepared to simply allow the appeal by the Scottish Borders Council. Instead, it said that in light of the seriousness of the breaches it was going to consider issuing an enforcement notice or taking some other action, but would delay doing so to enable the Scottish Borders Council and the Information Commissioner's Office to reach an agreement over the terms of data processing arrangements to be put in place by the Council and on the appropriate training to be given to staff.
- The Information Commissioner's Office will have to consider the likelihood of serious loss when deciding whether or not to impose fines for breach of the data protection legislation.The Information Commissioner's Office failed to establish this in the case in point and the fine was overturned by the Tribunal. However, the point is established that the burden of proof to be applied by the Information Commissioner's Office is a civil one and not a criminal one and therefore it may be much harder to overturn fines imposed by the Information Commissioner's Office in the future.
- It is a timely reminder that data controllers cannot outsource their obligations under the data protection legislation and, in particular, must approach selection of a subcontractor bearing in mind the obligations and must carry out periodic reviews of the arrangements to ensure that appropriate security measures are in place. It is not sufficient to rely simply on a contractual obligation on the subcontractor.
For further information please contact one of the authors as detailed on the right.