Opinion: Paul Motion and Laura Irvine

One year ago the First-tier Tribunal (FTT) overturned a monetary penalty of £250,000 issued to Scottish Borders Council (SBC) by the Information Commissioner (ICO) for a contravention of the Data Protection Act 1998 (DPA). Despite the FTT ruling, the ICO has not apparently changed its approach to establishing the likelihood of substantial damage, one of the prerequisites to issuing a monetary penalty.

In the Scottish Borders appeal, the FTT decided that the breach of the DPA, though serious, was not “of a kind likely to cause substantial distress or substantial damage”. The case concerned the loss of pension files containing non-sensitive personal data. The FTT dismissed the ICO’s evidence about how substantial distress might have been caused, and focused on the likelihood of substantial damage. Evidence was presented by the council to demonstrate that the non-sensitive personal data contained in the files was insufficient to perpetrate identity theft or fraud, since organisations such as banks and credit providers require proof of identity in the form of original documentation. There was insufficient information available to obtain a passport or driving licence, for example. The FTT was thus not persuaded that there was a likelihood of substantial damage.

In 2013, three other DPA fines were issued by the ICO which again involved the loss of non-sensitive personal data. Glasgow City Council was fined £150,000 in June; Bank of Scotland was fined £75,000 in August; and Jala Transport Ltd (a moneylender, despite the name) was fined £5,000 in September following the loss of personal data similar to that lost in SBC. (Copy identification documents were also lost in the second and third cases, but the evidence at the SBC appeal demonstrated that they would not be sufficient to permit identity fraud or theft to take place.)

Each notice issued by the ICO assumed that: “If that data is in fact disclosed to untrustworthy third parties then it is likely that the contravention would cause further distress and also substantial damage to the data subjects such as exposing them to identity fraud or theft.”

Thus it appears the ICO is still relying on the type of formulation found wanting by the FTT in Scottish Borders. The Glasgow City Council fine was issued just prior to the decision in Scottish Borders, but the other two decisions postdate the decision.

In our view, given the decision in Scottish Borders, the ICO would have struggled to convince the FTT that the contravention in these three cases was of a kind likely to cause substantial damage. (Nor do we understand the basis of the ICO’s conclusion in relation to substantial distress.) It is surprising that the ICO has seemingly not changed its approach to this issue. The ICO’s reasoning is not set out in the monetary penalty notice. Complaints about such lack of clarity were acknowledged in the findings of the ICO’s Review of the Impact of Civil Monetary Penalties, published in July 2014 (see ico.org.uk). Following these findings, the ICO undertook to review the statutory guidance and operational policies and to assess whether they needed updating in relation to the interpretation of substantial damage or distress. In our view this is beyond question, as the current approach is too reliant on speculation.

However, the ICO is now lobbying for a lowering of the same statutory threshold, in relation to breaches of the Privacy and Electronic Communication Regulations 2003 (see the fuller article referred to below). But in setting the bar at the likelihood of substantial distress or damage, Parliament presumably took into account the level of fine it was empowering the ICO to impose in relation to such breaches.