First appeal against a fine issued by the ICO for breach of the Data Protection Act?

The ICO today announced another fine for a breach of the Data Protection Act, followed almost immediately by a statement from the recipient that it intends to appeal the decision.

According to the BBC, Central London Community Healthcare NHS Trust is going to appeal the £90,000 fine issued to it following the same personal information being faxed to a member of the public 45 times over a three month period.

As far as I am aware, this would be the first time that a data controller has appealed a fine issued by the ICO. (In January, we blogged about an NHS Trust in Brighton announcing that it was challenging a proposed fine, but that was a challenge to the ICO’s Notice of Intention to Fine, as opposed to a challenge to the fine subsequently issued.)

The background
In this case, an administrator within the Trust’s Palliative Care Unit regularly faxed inpatient information to a hospice to assist with the provision of out-of-hours care. The fax contained information on the patients, including their medical diagnosis, domestic situation and resuscitation instructions. A fax protocol was in place to cover the faxing of the information, under which a template fax cover sheet was used and the administrator called the hospice to confirm that the fax had been received.

Following a verbal request from the hospice, the administrator also copied the fax to a second number. Unfortunately, the second number used was incorrect. Whilst the administrator continued to phone for confirmation of receipt (and received such confirmation from the person he phoned), the protocol was not robust enough to ensure that confirmation was sought in relation to both faxes. Further, the administrator failed to update the template cover sheet with the second number, or to obtain approval from his line manager for the addition of a new number.

The issue came to light only when a member of the public phoned to say that he had been receiving the list by fax for three months.

The administrator had not received training in relation to variations to the protocol. It was also clear from the breach that arose that the protocol itself was inadequate, and that the Trust had failed to consider an alternative (more secure) means of sending the data.

In short, the Trust failed to put in place adequate technical and organisational measures to prevent the unauthorised access or disclosure of data (the seventh principle).

What chance of success if the appeal goes ahead?
As I noted in my blog last week, the ICO will look at the sensitivity of the information involved and the consequences of unauthorised loss or access when determining what measures are appropriate. The greater the potential damage or distress, the more the ICO expects organisations to do to protect that information.

This is not a frolic of the ICO’s; it is set out in the Act (Para 9 of Part II of Schedule 1, to be precise).

In this case, it’s clear that there were organisational failings, as the protocol put in place failed to deal with a fairly obvious potential data breach (sending data to the wrong fax number/email address). The Trust was clearly aware of the risks (it had a fax protocol in place), but either the protocol was deficient, or the training of its staff was deficient.

The fine issued by the ICO is consistent with a number of other fines issued to date, and is towards the lower end of the scale for such breaches (and well within the £500,000 maximum). In the circumstances, it’s not clear on what basis the Trust will appeal – the fact that the fine was issued, or the level of the fine itself.

As I say, if the Trust goes ahead with its intention to appeal, then this will be the first time that the ICO’s fines have been subjected to external judicial scrutiny. It will also provide some insight into how the ICO calculates the value of its fines. It will be interesting to see whether the Tribunal endorses the ICO’s approach to date.
