The High Court has ruled that the Information Commissioner’s Office was wrong to fine a Scottish council £250,000 for breaking data laws, sparking claims the case has neutered the watchdog’s enforcement powers.
The ICO slapped the fine on Scottish Borders Council last year after a firm it appointed to process staff pension records failed to dispose of the data in a way that met the security requirements of the Data Protection Act.
But on appeal, the Information Rights Tribunal has ruled that there was not a legitimate basis for the ICO to issue a fine.
Mr Justice Warren, a judge of the Chancery Division of the High Court, said: “There was no liability to a monetary penalty in this case because looking at the facts and circumstances of the contravention, whilst it was serious, it was not of a kind likely to cause substantial damage or substantial distress.”
The council may yet be issued with an enforcement notice or be subject to other regulatory action, but Pinsent Masons data protection law expert Kathryn Wynn believes the ruling could hinder the ICO in its future enforcement of data protection laws.
She said: “[This case] sets a precedent for appeals against data breach monetary penalties as it further raises the threshold that needs to be met by the ICO to serve a monetary penalty.
“The ruling will serve to blunt the talons of the Information Commissioner [Christopher Graham] by requiring a greater standard of evidence over the damage and distress suffered by individuals as a result of a data breach in order for a monetary penalty to be justified.
“It is inconsistent with the general direction of travel around data security and protection in the EU, as reflected in the current draft of the proposed EU Data Protection Regulation.”
But Wynn also warned: “UK organisations must not be lulled into a false sense of security in relation to the reduced chances of facing a monetary penalty from the ICO following this ruling when it looks likely that the threshold for penalties will be lowered, and the levels of possible fines raised, under a reformed EU data protection framework.”