In Basildon Borough Council v Information Commissioner [2018] UKFTT 2017_0124 (GRC) the First-tier Tribunal had to consider an appeal by Basildon against the ICO’s monetary penalty notice (MPN) dated 22 May 2017. The MPN had been issued in respect of a breach of the seventh data protection principle and was for £150,000. The seventh data protection principle requires that:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
In its treatment of a planning application Basildon had posted on its portal, and left accessible for over six weeks, details of an application concerning the applicant’s family, including disability requirements, mental health issues, the names of all family members, their age and the location of the site. This data clearly included personal data and sensitive personal data. The Basildon policy was for such information to be redacted.
The ICO issued a penalty notice, ruling (in essence) that Basildon’s procedures for ensuring that redactions took place were inadequate.
Basildon appealed against the MPN, arguing that (i) it did not contravene the seventh data protection principle; (ii) alternatively, if it did, the conditions for issuing a monetary penalty under the Data Protection Act 1998, s 55A were not met; and (iii) alternatively, if an MPN was justified, the amount was too high.
No Contravention
Basildon contended that the processing was in accordance with their legal duty as a planning authority to publish details of applications; its policy of redaction of personal details (which it had notably failed to follow) was not a necessary feature of lawful processing. The contention was that the application could not be fully understood without reference to the supporting information, including personal data and sensitive personal data, which had been filed with the application. Moreover, the Town and Country Planning (Development Management Procedure) (England) Order 2015, art 40 left them with no choice as to what to publish.
The Tribunal was ‘somewhat surprised’ that Basildon had chosen to argue this point, observing (at [30]-[31]) that the authorities:
‘unequivocally stated that domestic legislation had to be read restrictively in the light of obligations imposed by EU Directives. Indeed, where domestic legislation clashes directly with EU legislative obligations then the domestic legislation will be struck down.
The bald and unavoidable fact of this case is that Basildon did have a procedure for checking what personal data contained within planning applications should go up online but, on their own admission, it was completely overlooked on this occasion. That failure was clear prima facie evidence of inadequate measures – in contravention of DPP 7. The failure in this particular case was compounded by a lack of training and guidance and a lack of “safety net” procedures to catch incorrect decision making by an initial decision taker.’
No Right to Issue an MPN
In relation to the suggestion that the ICO had not had the right to issue an MPN, Basildon relied on the contention that any breach was not of a kind likely to cause substantial damage or substantial distress, as required under s 55A.
Basildon highlighted the fact that the applicant for planning permission in this case had previously appealed to the Planning Inspectorate putting a large amount of personal data in the public domain. Basildon also relied on the warnings in the application process that data may be published and suggested that the applicant, when contacted, had not expressed any distress. Basildon also analysed the sensitive personal data published and submitted that it was not of a type where a disclosure was likely to cause any, let alone substantial, damage or distress.
The Tribunal gave this contention short shrift too. Basildon had focused too much on the particular case and the persons involved and not enough on what was ‘likely’ – the key element in s 55A. Moreover, even in the particular case, Basildon was referring to information given to the Planning Inspectorate a decade earlier and had assessed the effect by speaking to 1 of 17 people affected by the breach. The Tribunal:
‘unhesitatingly concluded that Basildon ought to have known that its lack of adequate systems and procedures meant that there was a risk of the processing of personal data in contravention of the DPA and that such a contravention would be of a kind likely to cause substantial damage or substantial distress’.
Amount of MPN
While acknowledging that the ICO had taken some mitigating features into account, the Tribunal was not convinced that the ICO had given them all due weight. In particular:
(a) at least Basildon had procedures for redaction in place even though it had not followed them;
(b) it appeared that only a relatively small number of people were affected by the breach;
(c) the data had been on the portal for only a short period and Basildon had reported its breach;
(d) the planning application form does inform applicants of the possibility of the publication of the information provided in the application and does provide a telephone number for further advice on what this might mean in practice.
In addition, guidance issued in 2006 (and drafted in consultation with the ICO) was ‘poorly drafted and clearly needs urgent revision’ and could be read to allow unredacted publication. Moreover, the Tribunal felt that the ICO had placed too much weight on aggravating features which arose only from the ‘triggering incident’ and applied only to the 17 people affected by the breach.
The Tribunal reduced the amount of the MPN to £75,000.
Comment
In a closing comment (at [36]), the Tribunal noted that unlike fines imposed in the criminal justice system there is no independent body such as the Sentencing Council providing a definitive list of relevant aggravating and mitigating factors and a matrix of appropriate fines. The Tribunal observed that ‘the Commissioner is seeking to establish her own database of penalties and pertinent factors to be taken into account’, although it is hard to believe that this is a priority for the ICO with GDPR looming. It would seem that the Article 29 Working Party, probably when reconstituted as the European Data Protection Board, will provide some guidance for fines under the GDPR – certainly it has expressed that ambition and has a taskforce with that brief.
But the Tribunal raised a novel point, saying ‘it might be argued that it is not entirely appropriate for the investigator and enforcer of MPNs to be the body that also effectively sets the level of the penalties’. That was a comment on the ICO’s intention to establish a database but it applies with equal force to any guidance that the EDPB might publish. The position is complicated by the quasi-criminal nature of any data protection fines – whatever they are called – and by different approaches to the role of ‘the prosecutor’ across the 28 Member States. But, for the UK, how much notice should a tribunal take of a prosecutor’s guidance? And, if a UK court asserts its proper judicial independence and ignores EDPB guidance, what are the implications for data protection adequacy?
There is one slightly strange aspect to the Tribunal’s decision: the contention that the ICO had placed too much weight on the trigger event in assessing the penalty. Given the limited nature and effect of that breach, I would have thought that taking account of the wider picture would have led to an increase in the penalty not a reduction. Clearly, I am missing something.
But I am not missing as much as Basildon, who reported a breach and then claimed before the Tribunal that there wasn’t one. Perhaps a lesson in the need to take legal advice early – or a lesson in ignoring legal advice that disappears up its own submission.