The Upper Tribunal has just issued judgment in Central London Community Healthcare NHS Trust v Information Commissioner  UKUT 0551. This significant decision is the first time the Upper Tribunal has considered an appeal against a monetary penalty notice (“MPN”), issued by the Commissioner under section 55A Data Protection Act 1998 (“DPA”).
The Commissioner is empowered to issue an MPN under section 55A DPA, where he is satisfied that there has been a serious contravention of the data protection principles by a data controller, the contravention was of a kind likely to cause substantial damage or distress, and other relevant conditions are met. The amount of an MPN may be up to £500,000. In this case, the Trust had repeatedly faxed sensitive medical details of patients to a member of the public by mistake, believing that it was faxing them to a hospice. The Trust had “self-reported” its own contravention to the Commissioner, who had issued an MPN of £90,000.
The Trust appealed against the MPN under section 49 DPA, first to the First-Tier Tribunal, which rejected the appeal, and then to the Upper Tribunal. The grounds of appeal were fourfold: (1) the Commissioner failed to recognise he had a discretion as to whether to issue a MPN, and failed to consider how it should be exercised; (2) the Tribunal should have concluded that the Commissioner was barred from serving an MPN, because the Trust had self-reported its breach; (3) the Commissioner had acted unlawfully in offering the Trust a discount of £18,000 for early payment of the MPN, but refusing to allow the Trust to benefit from the discount if it decided to appeal; and (4) the quantum of the award was unsustainably high.
The Upper Tribunal rejected all four grounds of appeal. Along the way, it made some useful general observations about the way in which the MPN regime works. In particular, it stated as follows:
(1) The fact that a public authority has self-reported a breach does not prevent the Commissioner from issuing an MPN. Among other matters, the logical implication of that argument would be that a data controller responsible for a deliberate and very serious breach of the DPA could avoid an MPN simply by self-reporting. That could not be correct.
(2) As a matter of principle, the Commissioner has discretion whether to issue an MPN where the statutory conditions for its issue are met, as well as discretion as to the amount. On appeal, the First-Tier Tribunal (“FTT”) must conduct a full merits review of the Commissioner’s exercise of his discretion. The nature of the FTT’s jurisdiction on an appeal under section 49 DPA was akin to the nature of its jurisdiction in an appeal against a decision notice of the Commissioner under section 58 Freedom of Information Act 2000 (“FOIA”). In other words, the FTT’s function under section 49 DPA was to decide whether the Commissioner’s decision to issue an MPN and the amount of the penalty was right.
(3) It was permissible for the Commissioner to operate a scheme which gave a discount for early payment, if and only if the public authority did not appeal. There was a strong public policy argument justifying such a scheme – the early payment and early resolution of the issue. The proper analogy was with discount schemes operated for fixed penalty notices e.g. for minor motoring contraventions.
(4) The Upper Tribunal did in principle have the power to increase a penalty under section 55A DPA, although that issue did not arise on the facts of this case.
The decision is an important validation of the way in which the Commissioner presently approaches the issuance of MPNs, and usefully clarifies the nature of appeals against MPNs.
Timothy Pitt-Payne QC of 11KBW acted for the Trust; Anya Proops of 11KBW acted for the Commissioner.