The appeals by Scottish Borders Council and Christopher Niebel against the Information Commissioner’s Monetary Penalties, described in Paul Motion and Laura Irvine’s article A Series of Unlikely Events, have had further effects on the Information Commissioner’s enforcement practice besides those described in that article.
Before Monetary Penalties came into force in April 2010, the Commissioner’s main compliance weapons were Enforcement Notices (DPA, s 40: requiring a data controller to take or refrain from taking specified steps or processing specified data) and the non-statutory practice of extracting undertakings from organisations whose behaviour he had reason to criticise. I say non-statutory because this practice of requiring undertakings as to future behaviour appears nowhere in the Act, but presumably the Commissioner was able to extract such undertakings by threatening those concerned with tougher action, whether by Enforcement Notice or (since April 2010) by Monetary Penalty (s 55A) or Compulsory Assessment (s 41A). With the coming of Monetary Penalties and Compulsory Assessment, the use of Enforcement Notices and undertakings received less publicity but now, following the failure of the Commissioner’s Monetary Penalty against Scottish Borders Council, they have come back into fashion.
Since August 2013, when the First Tier Tribunal heard Scottish Borders, undertakings have been secured in cases which include the following:
- in March 2014 the Disclosing and Barring Service failed to stop the collection of low-level convictions no longer required for employment checks;
- in May 2014 the Student Loans Company Ltd sent customer information (including medical and psychological data – ie sensitive personal data) to the wrong address;
- similarly in July 2014 the Betsi Cadwaladr University Health Board sent eight letters about patients’ health to one of the affected patients rather than to their surgery.
The number of new Enforcement Notices does not seem significantly larger than before August 2013, but one case in particular stands out:
In June 2014, the Commissioner issued an Enforcement Notice against DC Marketing Ltd to force them to desist from making cold calls to try to sell solar panels to individuals who are on the Telephone Preference Service. It also emerged that DC Marketing sometimes gave a false name to escape detection.
This matter is comparable to the facts of the original Niebel Monetary Penalty (albeit on a much smaller scale) and might be expected to have merited some sort of Monetary Penalty before the Niebel appeal.
The case is all the odder when compared with the £50,000 Monetary Penalty against Amber Windows imposed in April 2014. In Amber there were 524 complaints from the public of disregard of the Telephone Preference Service; in DC Marketing there were 280 such complaints and also the use of a false name – surely an aggravating factor.
It is clear that the Commissioner has taken the Scottish Borders and Niebel appeals pretty hard and is still trying to work out the best response, apart from asking Parliament for more powers. Expect further turbulence.
Richard Morgan is an IT Consultant and Fellow of the British Computer Society. For many years he was Computer Officer at the two Houses of Parliament. He is a founder member and a past Chairman of SCL. He is the author with Kit Burden of Morgan & Burden on IT Contracts, 9th edition Sweet & Maxwell 2013, and of Legal Protection of Software: A Handbook, xpl (formerly EMIS) 2002, and with Ruth Boardman of Data Protection Strategy, 2nd edition Sweet & Maxwell 2012.