Central London NHS Trust: key points from the Tribunal’s first MPN case

I reported earlier this week on the outcome of the first case of this type to reach the Tribunal. Here is my analysis of the key points.

Factual background

Central London Community Healthcare NHS Trust v IC (EA/2012/00111) concerned the first monetary penalty notice (MPN) to be appealed to the First-Tier Tribunal. The Trust’s appeal has been dismissed by the Tribunal (Professor Angel, Rosalind Tatam and Paul Taylor). The decision can be accessed here: Central London NHS Trust v IC EA20120111.

The background is that the Trust had, on some 45 occasions, faxed a list of palliative care in-patients to the wrong fax number (namely to that of a member of the public who notified the Trust and said he had destroyed the faxes – but he was never traced and destruction could not be confirmed). This was sensitive personal data: it included names as well as information about patients’ medical diagnoses, treatment and domestic situations.

The MPN

The IC found that the Trust had breached the seventh data protection principle, which requires that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The IC decided that the three preconditions for the exercise of his discretion to issue an MPN under section 55A of the Data Protection Act 1998 had been met here. These conditions are (i) there was a serious contravention of the DPA, (ii) this contravention was of a kind likely to cause substantial damage or substantial distress, and (iii) the contravention was either deliberate, or the data controller knew or ought to have known that there was a serious risk that a contravention would occur and would be of a kind likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it happening.

The IC is empowered to impose MPNs of up to £500,000. In this case, the amount was £90,000.

The Tribunal’s jurisdiction

On the Trust’s appeal, one of the first issues for the Tribunal was the extent of its statutory powers under section 49 of the DPA (which mirrors section 58 of FOIA): the Tribunal agreed with the Trust that, as with appeals under FOIA, the Tribunal had jurisdiction to consider the matter de novo; it was not restricted to a review along public law lines. It also found that it could either allow the appeal, or substitute an alternative MPN (including one imposing a higher penalty than that imposed by the IC), or substitute an enforcement notice instead (paragraphs 36-39).

Alleged indication that no MPN would be issued

The only point of evidence in dispute was the Trust’s contention that the IC’s enforcement team had indicated during the investigation that no MPN would be issued. The Tribunal found that the Commissioner’s enforcement officer “did not give any serious indication or assurance that there would be no fine or MPN in this case which in any way excluded the IC from deciding to issue an MPN” (paragraph 46).

The IC’s decision-making process

The decision to impose a penalty is taken by a Deputy Commissioner, in consultation with an internal working party comprising various senior managers within the ICO and one of the ICO’s enforcement lawyers. Having decided that an MPN should be issued, the ICO determined the amount by reference to an internal, unpublished framework as follows:

(i) Serious = £40,000 to £100,000

(ii) Very serious = more than £100,000 but less than £250,000

(iii) Most serious = more than £250,000 up to the maximum of £500,000.

It decided that this case was in the “serious” category. Its methodology was then to take the midpoint of that band and consider any aggravating or mitigating circumstances.

As required by the DPA, the ICO then issued the Trust with a Notice of Intent to issue an MPN to the value of £90,000. The Trust accepted that a financial penalty was warranted, but disputed the amount, making submissions on mitigating factors. The ICO maintained its position and issued the MPN.

‘Assessments’ and the statutory bar under section 55(3A)

By section 55(3A) of the DPA, the IC may not use anything which came to his attention pursuant to his carrying out an ‘assessment’ under section 51(7) when deciding on whether an MPN can be imposed. The Trust argued that the IC’s investigation of its voluntarily-reported breach constituted an ‘assessment’.

The Tribunal considered the rival submissions on the legislative intent behind the bar imposed by section 55(3A) (though on this point it rejected the Trust’s invitation to take ministerial statements into account, on Pepper v Hart principles) and on the range of powers open to the IC. It preferred those of the IC: section 51(7) is directed at educating and advising data controllers, on the basis of a consensual engagement, with a view to avoiding future breaches of the DPA. The aim of the statutory bar provided for under section 55A(3A) is to prevent the IC from using information he obtains via the educational/advisory process provided for under section 51(7) to impose an MPN on a data controller. This case did not involve such an educational/advisory process. There was no assessment under section 51(7) (paragraphs 87-91).

The IC’s adherence to its own policy

The Trust did not contend that the IC failed to apply the statutory guidance on MPNs. It did, however, argue that it failed to consider or adhere to its own non-statutory policy on the reporting of breaches, which said that “the Commissioner will not normally take regulatory action unless a data controller declines to take any recommended action, he has other reasons to doubt future compliance or there is a need to provide reassurance to the public”.

Again, the Tribunal found for the IC: the statutory guidance was what really mattered, but in any event the IC had not departed from its own policies (paragraphs 102-103).

The IC’s exercising of its discretion

Where the conditions for the issuing of an MPN are met, the ICO still has a discretion as to whether or not to issue one. The Trust argued that the ICO had failed to exercise its discretion lawfully: there was no evidence of it taking into account relevant considerations.

The particular considerations relied upon by the Trust were (i) the ICO failed to take proper account of the overriding policy objective to encourage cooperative working between it and data controllers and failed to give sufficient credit for the Trust’s transparency and its co-operative stance, (ii) the effect of the ICO’s policy to impose high profile fines on data controllers who voluntarily report incidents and cooperate with its investigations is to discourage other controllers from being open and transparent, and (iii) the ICO’s approach to cases of this nature creates an unfair and unsustainable distinction between those data controllers who, when suspected of being in breach of the DPA, are required to submit to assessment notices or are requested to undergo consensual audits and those, like the Trust in this case, who voluntarily submit themselves to regulatory scrutiny. The Trust argued that the ICO had failed to think about these points.

The Tribunal rejected these criticisms as misconceived (paragraph 122). While the ICO’s process could have been more comprehensible, it could not be said to have overlooked relevant matters.

Consideration of mitigating factors

Next, the Trust contended that the ICO had failed properly to consider the mitigating factors on which it made submissions. Again, the Tribunal disagreed. The ICO had not erred in this way. In any event, the Tribunal did not seem to find the mitigating factors to be particularly forceful. It said:

“The fact that there was a voluntary notification cannot be given much weight when the Trust was under, in effect, an obligation to report (both to the ICO and to the NHS regionally). In any case it was reported over a month after the breach was discovered. Co-operation was the least that could be expected for such a serious breach. By the time the Trust informed the patients over three quarters were dead. There is still no absolute guarantee the sensitive information has been destroyed. The Trust’s mitigating features are therefore features to which we find the IC could not give much weight. In any case they are almost all post facto events and nothing about the wrongdoing” (paragraph 128).

The Trust’s criticisms of the IC’s decision on the amount of the MPN

The Trust said that the IC never explained its methodology for calculating the amount of the MPN – the three categories of seriousness, for example, were never mentioned, nor was the means of calculation. Once again, the Tribunal did not agree. It considered that the IC had made the principles behind its approach clear to the Trust prior to issuing the MPN.

Notably, the Tribunal observed that “We find it interesting that the contravention is only categorised as “serious” and not “very serious” as it seems to us on the facts of this case the IC could have taken a more penal approach to the amount in question” (paragraph 138) and concluded that “We are satisfied that the ICO has reached a figure within a range of reasonable figures it could have considered” (paragraph 139). It also rejected the submission that the IC failed to take the mitigating factors into account when deciding on the amount of the MPN (paragraph 148).

Discount for early payment

The final issue considered by the Tribunal is of significant importance. MPNs provide for a discount (here: 20%) for early payment. If a data controller appeals an MPN and loses, can it still claim the discount? The Trust argued that, by refusing to keep the discount offer open pending the outcome of the appeal, the IC was penalising it for exercising its legal right to have its case tested by a Tribunal. The Tribunal disagreed: “The purpose of the scheme would appear to us to encourage early payment and also to ensure there is an early resolution to the matter. There is no provision for a without prejudice payment” (paragraph 153). The IC did not err in refusing to keep the discount offer alive, and the Tribunal refused to restore that offer.

Data controllers who contravene the DPA in a serious or potentially serious way should take note of this last point, and indeed of the Tribunal’s first excursion into the new MPN appeal territory.

First-Tier Tribunal decisions are of course not binding on other First-Tier Tribunals. There will be more appeals against MPNs later this year. Panopticon will report on whether the principles from the Central London NHS Trust case are borne out by future decisions. For now, this decision is the best data controllers have to go on.

Tim Pitt-Payne QC appeared for the Trust. Anya Proops appeared for the IC.

Robin Hopkins

Tribunal dismisses first appeal against Monetary Penalty Notice

One of the most notable features of the information rights landscape in 2012 was the issuing by the Information Commissioner of a number of Monetary Penalty Notices for breaches of (primarily, but not exclusively) the Data Protection Act 1998.

The First-Tier Tribunal has today given its decision in the first appeal against such a notice. Central London Community Healthcare NHS Trust v IC (EA/2012/00111) saw the Trust appeal against a £90,000 MPN for the Trust’s repeated faxing of sensitive patient data to the wrong fax number (see Panopticon’s earlier reports here and here).

A summary of the key points from this landmark decision will follow as soon as possible. For now, Panopticon can confirm that the Trust’s appeal has been dismissed.

Robin Hopkins

Local authorities and NHS Trusts (2): unusual appeals ahead

I blogged earlier (see below) about the sorts of information law issues that arise routinely for local authorities and NHS Trusts. On a more unusual note, it is worth noting that the First-Tier Tribunal is due to hear appeals against notices other than the usual decision notices issued by the Information Commissioner under s. 50 of FOIA.

The first ever appeal against a monetary penalty notice issued for breaches of the Data Protection Act 1998 will be heard on 3-5 December of this year: Central London Community Healthcare NHS Trust v IC (EA/2012/0111). The Trust was fined £90,000 for faxing patient lists containing sensitive personal data to the wrong number. The Commissioner’s press release is available here.

Secondly, Southampton City Council is appealing against a decision by the Commissioner that a licensing policy under which all licensed taxis must use surveillance equipment consisting of CCTV and audio-recording facilities, both of which must operate whenever the vehicle is in motion, breached the first data protection principle. The Commissioner issued an enforcement notice against the Council (his press release is here).

The appeals will feature my fellow Panopticonners Anya Proops (for the Commissioner in both cases) and Tim Pitt-Payne QC (for the appellants in both cases).

Robin Hopkins

The Data Protection Act in defamation cases: increasingly relevant, potentially primary?

The Data Protection Act 1998 is increasingly being deployed as part of a claimant’s arsenal in defamation claims. The Information Commissioner has historically resisted policing DPA breaches in the context of allegedly defamatory expressions of opinion by one person about another.

Courts, on the other hand, have accepted that expressions of opinion about individuals are (as the definition at section 1 of the DPA makes clear) personal data, and that the DPA can therefore bite. This has arisen, for example, in the context of Norwich Pharmacal claims seeking the disclosure of the identities of users posting allegedly defamatory material. See for example Applause Store Productions Ltd and another v Raphael [2008] EWHC 1781 (QB), on which Anya posted here.

The use of the DPA in defamation claims (or cases which, though brought under the DPA, look in substance like defamation claims) has, it seems, gathered momentum. In late 2011, Tugendhat J gave judgment in a case about the ‘solicitors from hell’ website: The Law Society and others v Rick Kordowski [2011] EWHC 3185 (QB), on which Rachel Kamm posted here.

Last month, the DPA was again successfully relied upon as founding an arguable defamation-type claim. Desmond v Foreman, Shenton, Elliott, Cheshire West and Cheshire Council and Cheshire East Council [2012] EWHC 1900 (QB), involved a cover teacher who was suspended and ultimately dismissed following allegations that he had conducted himself in an inappropriate sexual manner towards a sixth-form student. The case involved a number of communications: meetings to discuss the allegations; requests for information from the police and previous employers; referrals to the Independent Safeguarding Authority, and queries about his home situation made by an officer of one local authority to an officer at another.

The claimant contended that a number of these communications implied that he was actually guilty of and had actually committed various serious offences (including rape, of which he had been accused in 2001 but exonerated through court proceedings). He brought a defamation claim, also contending that the allegedly defamatory statements infringed his rights under Article 8 and the DPA (in particular, breaches of data protection principles 1, 2, 3, 4 and 6).

The defendants – two local authorities, a headmaster and two local authority officers – sought summary judgment. They said the communications complained of were no more than expressions of concern that matters needed investigating, and they asserted qualified privilege (based on the performance of their public duties) and justification.

The judge – as in Kordowski, Tugendhat J – dismissed the application for summary judgment in part, finding that the claimant’s case under Article 8 and the DPA had a real prospect of success in relation to some of the communications complained of.

The judgment is of interest not only as an illustration of the difficulties of lawfully sharing sensitive information (including opinions) in the context of safeguarding children. It also illustrates that the DPA is increasingly – and realistically – being pressed into the service of types of complaint traditionally brought under other heads. The DPA and Article 8 are, of course, long-standing and natural complements to each other. Defamation, however, is slightly more alien territory for the DPA. Copyright infringement (on which, see a post of mine from last year here) is another area to which the DPA is increasingly relevant.

What, it is sometimes wondered, does a claim under the DPA add which is not already covered by claims under Article 8, defamation and so on? After all, as the defendants in Desmond argued, if someone is aggrieved at DPA breaches, then he has another remedy available, namely a complaint to the ICO. Interestingly, Tugendhat J’s judgment in Desmond reverses this: what, he asked, would an Article 8 or defamation claim add to the DPA claim – at least with respect to one of the communications complained of? In particular, he was concerned with how best to deal with the claim that information about the 2001 rape allegation had been processed (retained, communicated) without reference to the judgments exonerating the claimant.

This last point about fair and accurate records of serious allegations is important: see an older post of mine here.

For the moment, back to Desmond and how best to deal with legal claims about this sort of complaint. Tugendhat J said this:

“81. How and why it is that the references to the 2001 incident came to be recorded, but recorded without mentioning the public judgments of the court containing the police’s explanation for not charging the Claimant, is a question for which the proceedings under the DPA may provide the most appropriate form of investigation (as the Court of Appeal suggested in para 51 of their judgment). It is for consideration whether claims under the HRA or in defamation would add any benefit to the Claimant over and above a claim under the DPA. And as noted above, a claim under the DPA appears to raise no issues of limitation.

82. I invited the parties to consider why the Court should not direct that the claim under the DPA proceed first and separately from the other two claims, and give directions as to the filing of evidence (or agreed statements of facts) so that the matter could be determined in accordance with the overriding objective, and in particular with the objective of allotting to the case an appropriate share of the court’s resources.”

This demonstrates that, at least in some circumstances, the DPA may appropriately play the lead role rather than a supporting one in a complaint about unjustifiable and damaging communications about individuals. It looks as if the DPA will continue to flex muscles it did not even know it had.

Robin Hopkins

PRIVATE EMAILS AND TEXTS SUBJECT TO FOIA

Following the emergence earlier this year that Department for Education officials had, apparently routinely, used personal email accounts for the conducting of official business, the ICO has considered this issue. It has today issued guidance that many FOI officers and lawyers will find notable, to say the least.

The key points:

  • FOIA applies to official information held in private email accounts when held on behalf of the public authority. So too text messages. This much is obvious from the definition of ‘held’ in s. 3 of FOIA. The question is exactly what this means, and what to do about it.
  • There will be occasions on which, having searched its own systems, the public authority will be expected to ask employees (or contractors etc) to search their personal email accounts/text messages for information described in a FOIA request.
  • The ICO expects such occasions to be ‘rare’. I think this means that the ICO will not expect the public authority to do so simply because a requester asks it to; something more will be required.
  • What is that ‘something more’? The ICO recommends public authorities look out for ‘relevant factors’ which may trigger the duty to ask.
  • These factors include the nature, wording and subject matter of the request.
  • They also include “how the issues to which the request relates have been handled within the public authority”. This may be another way of asking: is the public authority aware that this sort of thing has been going on?
  • Another relevant factor is “by whom and to whom the information was sent and in what capacity, e.g. public servant or political party member”. This is often a blurred line, one imagines. Not sure how this could be scrutinised (other than hacking into private systems, which is not nice, not fashionable and not legal).
  • Public authorities should establish procedures for dealing with such situations.
  • They should keep records of any private email account/text message searches they have requested.
  • Public authorities should remind staff that, where a request for information to which the requester would be entitled has been made, it is a criminal offence to erase or conceal that information with the intention of preventing disclosure (see s. 77 of FOIA).
  • ‘Concealment’ would include denying that anything of an ‘official capacity’ nature is (or, at the time of the request, was) in one’s private email inbox or text message folder.
  • Public authorities should tell their employees not to use private channels for official business in the first place.

Panopticon understands from some of its friends in the media that requests aiming at exactly this sort of information were fired off this morning (or earlier this week, in anticipation of the new ICO line).

Meanwhile, a decision on the complaint against the Department for Education is in the pipeline.

Panopticon will be keeping its Benthamite eye on how these matters unfold.

Robin Hopkins

GASKELL: COMMISSIONER CAN, IN EXCEPTIONAL CIRCUMSTANCES, DECLINE TO ORDER DISCLOSURE

In my recent post on Sittampalam v IC and BBC (EA/2010/0141), I explained that the Tribunal took the view that the Commissioner does have a discretion to decline to order disclosure, even where information was incorrectly withheld at the time, due to subsequent developments such as legislative changes, inquiries or court proceedings and so on. In so doing, that Tribunal differed from the decision in Gaskell v IC (EA/2010/0090), where it was held that no such discretion existed.

The Upper Tribunal (UT Judge Wikeley) has this week allowed an appeal against the Gaskell decision, meaning that the Sittampalam position has now been confirmed as correct. The issue is put succinctly at paragraph 10 of UT decision GIA 3016 2010:

“The reasoning in the Commissioner’s Decision Notice can be summarized simply. Section 44(1)(a) of FOIA provides an absolute exemption where disclosure by the public authority holding it “is prohibited by or under any enactment”. Section 18(1) of CRCA [Commissioners for Revenue and Customs Act] 2005 provides that “Revenue and Customs officials may not disclose information which is held by the Revenue and Customs in connection with a function of the Revenue and Customs.” Section 18(1) did not apply to the Rent Service at the time that Mrs Gaskell made her original request. However, by the time of his Decision Notice, Rent Service staff had become HMRC officials. If the Commissioner were to order disclosure, those staff would be contravening section 18 of CRCA 2005.”

The First-Tier Tribunal found that the Commissioner has no discretion to decline to order disclosure in such circumstances (and that if he did have such a discretion, he exercised it incorrectly in this instance). In contrast, however, the UT concluded as follows (paragraph 31; my emphases):

“In conclusion, I agree with both counsel [11KBW’s Karen Steyn and Ben Hooper] that the requirement under section 50(4) that the decision notice should specify the steps which must be taken by the public authority does not amount to a mandatory obligation on the Commissioner to require steps to be taken to comply with the requirements of sections 1(1), 11 or 17 in every case, although that consequence will usually follow, save for exceptional cases such as the present one. As a matter of law the mandatory element of section 50(4) is that, if the Commissioner considers that the public authority ought to take any steps to comply with those statutory requirements, then he must specify them in the decision notice, along with the defined period within which they must be undertaken.”

The UT went on to decide that the Commissioner had exercised his discretion correctly in this case.

UT Judge Wikeley’s judgment also includes both a Jane Austenism and the first citation of the Information Law Reports (or Info LRs), launched by Justis and 11KBW this month: Office of Government Commerce v Information Commissioner [2008] EWHC 737 (Admin); [2010] QB 98; [2011] 1 Info LR 743.

Robin Hopkins