Since April 2010 the ICO has had the power to issue monetary penalty notices of up to £500,000 for serious data breaches of the Data Protection Act (DPA). Since then it has issued 14 such notices, with the highest fine to date – £140,000 – served on Midlothian Council in January this year.
In a response to a freedom of information (FOI) request by Out-Law.com relating to the first 10 of those cases the ICO said that on five occasions it had issued final penalties lower than it had originally proposed.
One fine was reduced by nearly 100% because the organisation involved had claimed bankruptcy, but the average reduction in the other four fines was 20%.
The ICO is obliged to issue notices indicating to organisations responsible for the data what punishment, if any, it considers appropriate for a breach but can decide to alter or withdraw the proposed penalty in a final determination if representations made by those organisations persuade it to do so.
In a widely reported case last year the ICO fined lawyer Andrew Crossley after he had failed to keep sensitive personal information relating to around 6,000 people secure. The ICO had originally proposed serving Crossley, trading as ACS Law, with a £200,000 penalty after hackers exposed emails containing names and other personal details of individuals accused of illegally copying pornographic material. However, the finalised monetary penalty levied on Crossley was just £1,000 after he claimed bankruptcy.
Out-Law.com can now reveal that North Somerset Council, Powys Council, Midlothian Council and A4e Limited were also fined less than the ICO originally proposed.
North Somerset Council was served with a £60,000 monetary penalty notice after the ICO had detailed its intent to fine the authority £100,000. The ICO originally proposed fining Powys and Midlothian Councils £150,000 but scaled the eventual punishments back to £130,000 and £140,000 respectively.
Employment services company A4e was fined £60,000 - 20% less than the ICO had originally proposed. The company gave an employee a laptop containing personal information on 24,000 people to take home. The computer was not encrypted.
The laptop was stolen from the employee's home and an unsuccessful attempt was made to access the information, which included details of individuals' names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence, the ICO said at the time.
Worcestershire County Council, Surrey County Council, Ealing Council, Hounslow Council and Hertfordshire County Council were all served with monetary penalty notices equal to the amount initially proposed by the ICO.
Out-Law.com asked the ICO to disclose details of the representations all 10 organisations may have made to the watchdog in response to the proposed fines, but the ICO said that the information was exempt from disclosure under the terms of the Freedom of Information Act (FOIA).
The ICO said that the information was exempt because it was "information that should not be placed into the public domain". This was because the ICO considers that disclosing the information "would, or would be likely to, prejudice … the exercise by any public authority of its functions for ... the purpose of ascertaining whether any person has failed to comply with the law ... [and]... the purpose of ascertaining whether circumstances which would justify regulatory action in pursuance of any enactment exist or may arise …"
The ICO said it had assessed whether there was an overriding public interest in disclosing the information anyway and that it had reviewed the "prejudice or harm that disclosure may cause, and its likelihood".
Although there were public interest factors in improving the transparency and understanding of the process and reasoning behind the monetary penalty issued, the ICO said that disclosure was not justified. It said there were greater opposing reasons that justified withholding the information, including that doing so would ensure "that all relevant facts are placed before the Commissioner to enable him to reach a decision in each case based on those specific circumstances".
The watchdog also considered other factors including the public interest in ensuring "data controllers" can provide as much detail as they like without it being subject to publication and in preventing controllers making "similar representations" to those made previously.
"It is likely that disclosure of all the information you have requested would prejudice the monetary penalty process. It is important to point out that we do recognise that the cases you reference in your request are completed. However, we consider that the prejudice would occur to the overarching process and we have to be mindful of the possible prejudice to any future cases," Helen Ward, the ICO's lead internal compliance officer, said in response to Out-Law.com's request for the information.
"The principal aim of the monetary penalty provision is to assist future compliance with the Data Protection Act 1998. The process and guidance are designed with this as their focus. Therefore, it is paramount that this process is able to proceed unhindered, without undue external comment or influence, and in a landscape in which both parties are able to communicate freely and frankly," she said.
Ward also said that the information Out-Law.com sought was exempt from disclosure because it had been provided to the Information Commissioner by the organisations "solely for the purposes of the Data Protection Act".
Under the DPA staff at the ICO are generally required to obtain consent from organisations before they can legitimately "disclose any information which has been obtained by, or furnished to, the Commissioner under or for the purposes of the Information Acts ... relates to an identified or identifiable individual or business, and is not at the time of the disclosure, and has not previously been, available to the public from other sources, unless the disclosure is made with lawful authority".
The DPA states that the ICO can issue monetary penalty notices when a "serious contravention" of the data protection principles has occurred that was "likely to cause substantial damage or substantial distress" and was either carried out deliberately or by an organisation or person who knew or should have known about the risk of the breach and the damage or distress it could cause but did not take "reasonable steps to prevent the contravention" happening.
The data protection principles require, among other things, that organisations processing personal data do so fairly and lawfully and that they take "appropriate technical and organisational measures" to protect against "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
The ICO has issued guidance on the procedures it follows when determining whether and how much to fine organisations. The guidance states that the watchdog will only impose a monetary penalty if it is "appropriate" to do so and at a level that is "reasonable and proportionate, given the particular facts of the case and the underlying objective in imposing the penalty".
Whether a penalty is reasonable and proportionate or even appropriate at all depends on "the particular facts and circumstances" of individual cases and the "representations" that organisations are permitted to make to explain the incident.
The ICO is obliged to write a notice of intent detailing the amount it proposes to fine organisations or individuals for serious breaches of the DPA and the reasons why. The notice must also set out the right of the body or person to make their representations in response. The ICO's guidance states that the representations can include "comment on the facts and views" of the Commissioner, "general remarks on the case" or details of their financial situation. The ability to pay is one of several factors that the ICO has said it considers when evaluating the level of penalty organisations should have to pay for breaching the DPA.
Following this stage the ICO reassesses the individual cases and serves a finalised monetary penalty notice, if it chooses to issue one, on the organisation or individual.