The First Tier Tribunal recently overturned the ICO monetary penalty to Scottish Borders and I believe their reasons for doing have left a number of problematic issues. In very brief terms, the initial CMP was issued after former employees’ pension records were found in an over-filled paper recycle bank in a supermarket car park, having been dumped there by data processor. No contract was in place with the data processor and it sounded like the disposal of the files wasn’t really considered by the Council.
In summary, the FTT judgement confirmed that the information that was lost included “name, date of birth, national insurance number and salary. In some cases the files contained bank account details, a signature…”. The Tribunal accepted that there was breach of the 7th principle and that it was a serious breach. They effectively overturned the ICO’s decision on the basis that it wasn’t a breach “of a kind likely to cause substantial damage or substantial distress”. There was some typical legal analysis around the definition of “likely”, that can perhaps be boiled down to their conclusion that “it is insufficient to point to such consequences merely being a possibility”.
The tribunal also concluded that what had happened was a surprising outcome, not a likely one and indeed they further offered that they thought the safe destruction of the files was the likely outcome (“we would not describe any other outcome as likely”). Given the files weren’t actually safely destroyed that’s quite a bold assertion – we can all have our theories but sometimes the facts can speak for themselves.
The tribunal sought to make a clear distinction between the contravention/breach and the trigger incident. This is entirely understandable, indeed myself and others have previously highlighted that the ICO has sometimes appeared to be fining for the incident itself rather than the breach. The breach here was not ensuring they had selected a data processor offering sufficient safeguards and not evidencing that agreement in writing. The trigger incident was the files ending up in Tesco’s car park. It is incidents that the ICO asks to be informed of, not breaches – an incident might not always be a breach of the DPA and of course a breach doesn’t need an accompanying incident. As an aside, it would therefore be fascinating to know how the ICO would react if a Data Controller was to notify them that they hadn’t trained staff in Data Protection, or that they didn’t have a policy for using fax machines – both breaches that have previously been the subject of CMP’s when the breach resulted in a trigger incident.
The problem I have here is the Tribunal appear to be saying that they can only consider the breach itself, yet they still require the ICO to “construct a likely chain of events which would lead to substantial damage or distress”. I think that is a very difficult burden whereby the circumstances flowing from the beach are essentially not allowed to be considered.
If an unencrypted disc containing personal data of millions of people goes missing in the post, one would presume that is a breach, a serious breach and (depending on the data) one of a kind likely to cause substantial damage/distress. If the disc then turns up a day after the incident is reported to the ICO, that doesn’t make the breach disappear, but it does make the chance of damage/distress all but disappear. To me it is a serious breach that fulfils the criteria irrespective of what harm actually comes from the incident, but I wonder how would the Tribunal assess the likelihood of damage in these circumstances?
It strikes me that the Tribunal overlooked the phrasing “a breach of a kind likely to cause…”, a phrase that I think is significant as it changes the meaning of the sentence. I interpret the full phrase to essentially be saying “is this the type of breach that has the potential to cause damage/distress”. When you give processers personal data without any safeguards then you have opened the data subjects up to potential damage, so for me it is a breach of a kind likely to cause damage/distress, irrespective of what happens next.
Whether it does or doesn’t cause actual harm is probably always going to be down to the specifics of the incident that flows from the breach. If an unencrypted laptop containing witness details is stolen in a burglary, I would say that fulfils all the criteria. But if the same laptop was discovered by Police searching their colleague’s house, there would be no likelihood of damage/distress to the witnesses. But the breach remains the same and that’s a breach of a kind likely to cause damage. Similarly the chap who had his unencrypted hard drive stolen from his car– the breach occurred when he failed to encrypt his laptop, not when he had it pinched. Obviously now he has had it stolen the likelihood of mis-use is much greater, but again we must recall the assessment is of the breach itself. With breaches like these any number of outcomes could occur, some likley, some probably exceptionally unlikely, but you have no control and are entrusting the data to fate.
Trigger incidents will often flow from a breach – the unencrypted laptop containing witness details might be wiped before it’s sold on in the pub or it might end up on being sold to the local gangster to intimidate the witnesses. I would regard the latter example as extremely unlikely, but I don’t think that’s a sufficient assurance to the people whose data and security has been compromised.
I’m not sure if it’s a drafting error in the legislation but the idea a breach must carry a likelihood of significant damage or distress, as opposed to “merely a possibility” is a difficult standard to achieve. Further, the CMP is about punishing the lack of compliance, not the incident and therefore I don’t see why the ICO should be expected to speculate about the likelihood of potentially harmful scenarios.
What I also found a little odd is that the judgement didn’t even consider the issue of the significant distress, focussing solely on the question as to whether damage would occur. The issue seemed to solely come down to an assessment of whether identity fraud would be likely to take place – and as someone who works for a Pension company it’s a surprising and comforting that the tribunal doesn’t seem to hold that names, addresses, NI numbers, bank account details, signatures and salary/pension details are especially problematic fields of data.
The ICO’s amended power to issue a CMP can possibly be traced back to the furore around the infamous HMRC data loss, but based on their reasoning here, I can’t see the Tribunal would have regarded that as fulfilling the criteria for a CMP either – as effectively they would have been left with the same equation re likelihood of identity fraud.
I’d also imagine Sony and Welcome Finance, amongst others, are kicking themselves for not appealing earlier CMPs involving this type of data given the judgement here. Strangely the ICO appear unmoved by the Tribunal’s logic, as their most recent CMP again quotes the potential for identity theft.
Looking back through the ICO’s CMPs I can’t think of many where there was a real likelihood of substantial damage. The biggest fine, to BSUH being an example where it would be very difficult to construct a likely chain of events leading to damage to the data subject. I doubt the data subjects were ever told their data ended up on Ebay so nor would there technically even be distress. That outcome didn’t become likely when they undertook to destroy hundreds of harddrives without a contract – but it did become a possibility, which I think is enough to justify a CMP – even if the Tribunal doesn’t.