Information Commissioner reveals methodology for calculating monetary penalty notices

Last month, the Information Commissioner’s Office (ICO) successfully defended the first appeal against a monetary penalty notice issued by the ICO for a breach of the Data Protection Act.

The appeal was brought by Central London Community Healthcare NHS Trust against a fine of £90,000 issued for repeatedly faxing a list of palliative care in-patients to the wrong fax number.

The most interesting aspect of the appeal is that as part of the ICO’s defence of its decision, the Tribunal was presented with information on the ICO’s internal methodology for calculating monetary penalties.

The ICO’s methodology
The process comprises three stages.

Firstly, a decision is made as to whether or not to issue a monetary penalty.

Secondly, the case is placed in one of three bands, depending upon the seriousness of the contravention:

  • Serious – in which case the fine will be between £40,000 and £100,000
  • Very serious – in which case the fine will be between £100,000 and £250,000
  • Most serious – in which case the fine will be between £250,000 and £500,000

Finally, the ICO selects the midpoint of the applicable banding (so, for a “very serious” fine, £175,000) and then assesses the aggravating factors to see if the fine should be higher and the mitigating factors to see if it should be lower. The aggravating and mitigating factors create an overall weighting, which is then applied to the fine.

Applying this methodology to the Central London Community Healthcare NHS Trust decision, we can see that the ICO viewed this breach as being a “serious” breach with a number of aggravating circumstances (it was towards the top of the £40,000 to £100,000 banding for a “serious” breach).

Interestingly, in its decision the Tribunal queried whether the breach in this case should actually have been classified as a “very serious” breach, given the nature of the breach, the information involved and the fact that the Trust was also in breach of the well-established Caldicott Principles.

Early payment discount
In its decision, the Tribunal also upheld the ICO’s decision to permit an early payment discount only if the organisation does not appeal.

Whilst the Tribunal’s decision is not binding on subsequent tribunal hearings, the guidance does provide organisations faced with a notice of intention to impose a monetary penalty notice with more information on how the ICO has calculated the proposed fine. This should in turn help organisations to ensure that any challenges to the size of a monetary penalty can be made by reference to the ICO’s own methodology.

Martin Sloan
