Menu

Tribunal rejects administrative oversight excuse for failure to pay data protection fee

A keyboard key with a padlock graphic on it Print publication

13/06/2019

Walker Morris risk series stampIn the first decision of its kind, the information rights tribunal (the Tribunal) recently dismissed an appeal against the £4,000 penalty notice issued to paint and wallpaper manufacturer Farrow & Ball for failure to pay the required data protection fee [1]. The Tribunal dismissed the company’s plea that the penalty should be waived, and held that administrative oversight was not a reasonable excuse for non-compliance with its obligations. Walker Morris data protection experts Jeanette Burgess and Andrew Northage explain.

Background

Changes to the way the Information Commissioner’s Office (ICO) is funded came into force at the same time as the EU General Data Protection Regulation on 25 May 2018. There is no longer a requirement to notify or register with the ICO on an annual basis, but there is a legal requirement for data controllers to pay the ICO an annual ‘data protection fee’ unless they are exempt [2]. There is a three tier structure based on number of staff, annual turnover, and whether the organisation is a public authority, charity or small occupational pension scheme. The new fees range from £40 at tier 1 to £2,900 at tier 3. The ICO will treat all controllers as eligible for tier 3 (‘large organisations’) unless and until told otherwise. Once the fee is paid, the organisation is added to the ICO’s register of data controllers. The ICO has the power to serve monetary penalties on those who fail to pay.

Facts and appeal

As a data controller, Farrow & Ball was required, within a set timescale, to provide the ICO with specified information including staff and turnover figures to determine the relevant fee, and to pay the tier 3 fee of £2,900. The company missed the compliance deadline of 9 August 2018, and failed to respond to a subsequent notice of intent served by the ICO, resulting in the ICO issuing it with a £4,000 fixed penalty notice on 28 November 2018.

Farrow & Ball appealed against the penalty on the grounds that failure to pay was an innocent mistake, and requested that the Tribunal waive the penalty notice. The company argued that: a reminder was sent while the company’s representative was on holiday and a further reminder should have been issued; the ICO wrote to the company secretary but the correspondence was not recognised as important internally; and the ICO was contacted promptly once the error was spotted and the fee paid immediately. It also argued that the Information Commissioner should have exercised her discretion differently in relation to the penalty amount.

The Information Commissioner resisted the appeal, submitting that the penalty regime was established by Parliament, there was no requirement to issue reminders and, while it was accepted that the company’s failure to comply was due to an oversight, imposing a penalty was appropriate in all the circumstances. The company was a data controller prior to the new legislation coming into force, had paid the relevant fees under the earlier legislation and so should have had relevant administrative systems in place.

The Tribunal’s decision

The Tribunal accepted that Farrow & Ball’s representative was on holiday at the relevant time, that correspondence was not identified by others in the office as important, and that payment of the fee was made promptly once the default was discovered. It noted that, in appeals against fixed penalty notices issued by another civil regulator, the pensions regulator, tribunal judges have frequently adopted the approach of asking whether the defaulting party has a “reasonable excuse” for their default. Applying that approach in this case, the Tribunal concluded that Farrow & Ball had not advanced a reasonable excuse for its failure to comply. A reasonable data controller would have systems in place to comply with the relevant legislation, and Farrow & Ball had pointed to no particular difficulty or misfortune which would explain its departure from the expected standards of a reasonable data controller.

The Tribunal also upheld the amount of the penalty, reasoning that reducing it would not incentivise greater compliance in the circumstances of this case, where human error appeared to have been the main factor. In addition, Farrow & Ball had not presented any evidence of financial hardship that could affect the penalty. The appeal was dismissed and the penalty notice confirmed.

WM Comment

This decision sets a robust tone for the enforcement of penalty notices. An argument that failure to pay was an innocent mistake due to administrative oversight is likely to be given short shrift on appeal. The decision underlines the importance of implementing appropriate internal procedures and staff training and awareness programmes to ensure straightforward deadlines and payments are not missed.

Aside from avoiding being served with a penalty notice and the reputational damage and adverse headlines that could follow, payment of the required data protection fee indicates to customers and those you do business with that you take your other data protection responsibilities seriously too, including how you treat their data. According to the ICO’s Deputy CEO, members of the public and other companies check the register of data controllers before they decide to do business. Note that earlier this year the ICO began listing those organisations issued with a penalty notice for non-payment.

Walker Morris has a highly experienced team which is able to advise on all aspects of data protection compliance. Should you have any queries arising from this briefing, or require any assistance with the creation of suitable internal policies and procedures, please contact Jeanette or Andrew, who will be very happy to help.

__________________

[1] Farrow & Ball Limited v The Information Commissioner (EA/2018/0269)
[2] The Data Protection (Charges and Information) Regulations 2018

Contacts