Guidance from the Court of Appeal on the first monetary penalty notice issued by the ICO under the GDPR

Doorstep Dispensaree Ltd -v- Information Commissioner

04.02.2025

5 mins read

Key takeaways

Court of Appeal Clarifies Burden in ICO Penalty Appeals

Appellants must prove case when challenging fines

ICO Reasoning Carries Significant Weight in Decisions

Expert analysis influences tribunal discretion on penalties

Data Controllers Urged to Strengthen Compliance Measures

Proactive risk management essential to avoid severe sanctions

Background 

Doorstep Dispensaree Ltd (DDL) is a pharmacy supplying medicines to care homes. It engaged a company named Joogee Pharmacy Ltd (JPL) to dispose of documentation containing medical information of care home patients. A Mr Budhdeo was the sole director and shareholder of both companies. The property used by JPL was owned by DDL.

In July 2018, the Medicines & Healthcare products Regulatory Agency (MHRA) investigated the document management practices of DDL and JPL. The MHRA found various examples of poor practice in the approach of DDL (as the data controller) to data protection, including the storage of large quantities of documents containing personal data, a substantial proportion of which was special category data, in unlocked boxes in a publicly accessible area of JPL’s premises.

Breaches of the UK GDPR

The MHRA reported its findings to the Information Commissioner’s Office (ICO). In addition to breaches of Articles 13 and 14 of the UK GDPR (the transparency obligations), DDL was found to have failed to process personal data in a manner that ensured appropriate security (Article 5(1)(f)); to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing was performed in accordance with the UK GDPR (Article 24(1)); and to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32(1)). The ICO described the breaches as “extremely serious” and considered that they demonstrated a “cavalier attitude to data protection”.

Monetary penalty notices

The ICO is entitled to issue monetary penalty notices for infringements of the data protection legislation under section 155(1) of the Data Protection Act 2018. When deciding whether to impose a penalty notice and the amount of any penalty, the ICO must ensure that the penalty is effective, proportionate and dissuasive and must have regard to various factors including (non-exhaustively) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered (Article 83 of the UK GDPR).

Here, the ICO issued its first monetary penalty notice under the GDPR regime, in the sum of £275,000 (albeit the initial proposed penalty was higher and was later reduced to that sum to take into account DDL’s financial position), as well as an enforcement notice.

DDL’s appeals of the penalty notice

Following an appeal to the First-tier Tribunal (FTT), the penalty was reduced to £92,000, mainly because it came to light that only 67,000 of the 500,000 documents found at JPL’s premises were relevant to the issues.

A second appeal, to the Upper Tribunal, was largely unsuccessful, leading to a third appeal to the Court of Appeal. The Court was asked to consider two matters: firstly, who bears the burden of proof in an appeal against a monetary penalty notice and, secondly, the weight to be given to the ICO’s reasoning for the penalty. DDL argued that the FTT should not have given weight to the ICO’s reasoning in the penalty notice as doing so resulted in a “tilted balance”.

Decision of the Court of Appeal

DDL argued that the burden was on the ICO to satisfy the FTT that there had been an infringement and that it was appropriate to impose a penalty. The Court disagreed, finding that the burden of proof in a penalty appeal is on the appellant. The appellant carries the burden because they “know, or ought to know” the true facts, which here concerned the storage of the boxes. In other words, it was for DDL to persuade the FTT that the penalty should not stand, not the other way around.

On the second issue, it was not unfair to attach weight to the contents of the penalty notice. The FTT judge had analysed the ICO’s conclusions and adopted the arguments she found persuasive. She was correct to give careful attention to the ICO’s reasoning and then to use her discretion to decide how much weight to give it before reaching a final decision on the appeal. In the context of Article 83 of the UK GDPR (the relevant parts of which are referenced above), the ICO’s reasoning was of direct relevance to the tribunal’s discretion, and the role and experience of the ICO meant that it was in a position to give the tribunal insight into whether the penalty would be effective and dissuasive.

Comments

Data controllers must be prepared to prove their case should serious data breaches be identified. The FTT and the courts will exercise their discretion on penalties independently of the ICO, but the ICO is recognised as an expert in its field and its reasoning for issuing a penalty, and for its amount, will be given careful consideration. The case emphasises the importance of proactive risk assessment and management of data protection risks, and of complying with ICO guidance to minimise those risks.

For further advice and assistance on Data Protection issues, please contact Kate Steele.

How our dispute resolution lawyers can support you

If you’re experiencing any issues in relation to penalty notices, our experienced dispute resolution lawyers can provide invaluable guidance and ongoing support.

From addressing complex legal issues to providing clear and practical advice, our team will be by your side, wherever you are, to guide you toward the best outcome for your business. Contact us today to get started.
