Fines for data protection breaches: how serious does the breach need to be?
In overturning a fine imposed by the Information Commissioner against the Scottish Borders Council, the UK’s First-tier Tribunal (Information Rights) ruled that the breach in question was insufficiently serious to warrant a financial penalty. This raises the question: how serious does a breach need to be before a fine will be imposed?
The Council had hired a third-party supplier to scan hard copies of pension files containing personal data onto CDs. The supplier disposed of approximately 1,600 of the files into recycling bins at a supermarket, where they were discovered by a member of the public. The files were taken into police custody. No actual harm was found to have been suffered.
The power of the Information Commissioner (ICO) to impose a monetary penalty of up to £500,000 for data protection breaches is discretionary. However, before a monetary penalty can be imposed, the breach must either be deliberate, or be something that a controller knew or ought to have known would be likely to result in substantial damage or distress and then failed to prevent.
Principle 7 of the Data Protection Act 1998 (the Act) states: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
One aspect of security that is central to Principle 7 is the issue of disclosure to data processors. Data processors handle data on behalf of data controllers (the data controller in this case being the Council). Direct responsibility for compliance with the Act remains with the data controller – even where the data is handled by the data processor. This means that the data controller will be liable for any breach of security caused by the data processor acting on its behalf. The Act therefore places a duty upon the data controller to ensure that the data processor deals with the data in accordance with the Act.
In particular, there must be a contract between the data controller and the data processor. The contract must be in writing, or else must be evidenced in writing. The contract must contain obligations upon the data processor to act only on instruction from the data controller in accordance with obligations imposed on the data controller by virtue of Principle 7. A failure to have such a contract is a breach – by the data controller – of Principle 7.
In this case there was no formal contract in place between the Council and the data processor and the Council had sought very little by way of reassurance as to the data processor’s security measures. The Tribunal agreed with the ICO that there had been a serious contravention of the Act. However, it went on to find that the breach was not of a kind likely to cause substantial damage or substantial distress. For that reason a monetary penalty was not appropriate.
The personal data in question constituted names, addresses, national insurance details and salary, in some cases bank account details, nominated beneficiaries and reasons for leaving, which could include health-related reasons. However, the Tribunal found that none of the data was “sensitive personal data” under the Act, which would have warranted more robust protection.
The decision runs rather against the grain of current data protection trends, which are towards enhancing data protection and security – something reflected in the current draft of the proposed EU Data Protection Regulation. However, organisations would be unwise to rely on it as carte blanche to lower their guard on data protection compliance. The Council was lucky in this case in that no harm was done. It is also worth noting that the Council had a long-term relationship with the supplier, some 25 years, and therefore trusted it – that, though, is no excuse for failing to put in place a proper data processing agreement.
Organisations need to ensure that they have robust data protection policies and procedures in place, properly embedded and followed, so that they do not risk sanctions from the ICO.