Today, the Commissioner served – for the first time – a monetary penalty notice on a charity. The charity in question, Norwood Ravenswood Ltd, is a social care charity. One of its social workers had attempted to deliver to the home of prospective adopters certain background reports containing highly confidential sensitive personal data on four young children. Finding the couple out, and unable to fit the package through the letterbox, the social worker left the package in a concealed area at the side of the house. When the prospective adopters returned home, the package had disappeared. It was never recovered.
At the time of the incident, the charity had no specific guidance on sending personal data to prospective adopters. Further, and in breach of the charity’s data protection policy, the social worker in question had not received any data protection training.
The Commissioner found that there had been a “serious contravention” of the seventh data protection principle (i.e. that appropriate technical and organisational measures shall be taken … against accidental loss … of … personal data). Perhaps unsurprisingly, the contravention was also found to be “of a kind likely to cause … substantial distress” (for the purposes of the second limb of the test, in s. 55A(1)(b) of the DPA). In addition, the Commissioner concluded that the charity knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial distress, but failed to take reasonable steps to prevent the contravention within the meaning of s. 55A(3) of the DPA.
Although the Commissioner was not aware of any previous similar security breach, and the charity had voluntarily reported the incident to the Commissioner and had fully cooperated thereafter, the Commissioner nevertheless set the penalty at £70,000. Interestingly, the Commissioner does not appear to have taken the data controller’s charitable status to be a factor of any significance in this regard, on the basis that it had “substantial reserves”. Although the penalty is at the lower end of the spectrum of penalties awarded to date this year, it remains a substantial sum.
Overall, today’s decision serves as a useful reminder both of the potential consequences of inadequate data protection procedures and of the fact that even charitable bodies may face heavy penalties if serious contraventions occur.
There is still no monetary penalty case law to offer guidance. But, as regular readers of this blog may recall, the first appeal against a monetary penalty notice (brought by London Community Healthcare NHS Trust) is in the pipeline. It will be heard in December this year (with Tim Pitt-Payne QC and Anya Proops of 11KBW acting for the opposing parties).
One final thought, or, rather, question. The vast majority of the monetary penalty notices concern public authorities. Are public authorities really committing many more “serious contraventions” than private persons, or are they simply more likely to be reporting such contraventions to the Commissioner?