Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that the benefits of informing the Information Commissioner's Office (ICO) about serious data breaches outweigh the risks associated with being served with a fine.
Wynn was commenting after the Upper Information Rights Tribunal ruled last week that organisations that self-report a data breach to the ICO do not gain immunity from being issued with a monetary penalty notice over that breach. It is the first time the Upper Tribunal has ruled on an appeal against a monetary penalty notice (MPN) served by the ICO for a breach of the Data Protection Act (DPA).
In the case the Upper Tribunal rejected an appeal brought by Central London Community Healthcare NHS Trust against the ICO's decision to serve it with a £90,000 fine over a data breach it experienced in 2011. The Trust had argued, among other things, that the ICO was wrong to serve it with a fine because it had self-reported the breach to the watchdog.
Upper Tribunal judge Nicholas Wikeley ruled that it would be wrong for immunity from fines to automatically follow an act of self-reporting.
"The logical implication of [The Trust's] construction of the legislative scheme is that a data controller responsible for a deliberate and very serious breach of the DPA would be able to avoid an MPN by simply self-reporting that contravention and co-operating with the Commissioner thereafter," the judge said. "Such an offender would be in a better position than a data controller acting in good faith, but unaware of a breach, who could be the subject of an MPN because e.g. a third party had reported the matter to the Commissioner. Such an arbitrary outcome would necessarily undermine both the effectiveness of, and public confidence in, the regulatory regime."
In a statement the ICO issued after the case was ruled on by the First-tier Tribunal in January, deputy Information Commissioner David Smith said that the watchdog does look favourably upon companies that self-report data breaches even though self-reporting does not itself provide immunity from fines.
"Organisations should not be discouraged from self-reporting data breaches to the ICO as a result of this ruling," Kathryn Wynn of Pinsent Masons said. "The ICO has often considered self-reporting as a mitigating factor when determining the level of monetary penalty notices they issue and certainly take a stronger stance on enforcement where they first hear about data breaches through press reports or via complaints."
"In addition, self-reporting gives organisations the chance to tell their side of the story and gives them greater control to take rectification measures of their own initiative that are suitable and feasible for their organisation instead of having to react to measures imposed by the ICO through the enforcement regime," she said.
Wynn added that businesses that choose not to self-report, and take "minimal steps to address the particular breach", run the risk of being caught out and being forced to comply with ICO-imposed rectification measures within a prescribed timescale, but also face the risk of a monetary penalty notice at the time the ICO initiates enforcement action.
"Not only could that cost an organisation dearly, it could cause major disruption to business processes," Wynn said. "Even without total immunity from penalty, it is still better to self-report than not."
The ICO fined Central London Community Healthcare NHS Trust £90,000 in May 2012 after the body admitted to sending approximately 45 separate fax messages containing the lists of inpatients to the wrong recipients.
The lists, sent from Pembridge Palliative Care Unit, contained "confidential and sensitive personal data" that set out medical diagnoses, information about patients' domestic situation and resuscitation instructions for "many" of those individuals listed who "were receiving palliative care," the ICO said at the time.
The Trust took advantage of 20% discount on the penalty imposed on it by paying the fine within 28 days of it being served, but it simultaneously launched an appeal against the imposition of the penalty by the ICO. In January the First-tier Tribunal ruled that organisations fined for breaking UK data protection laws cannot take advantage of an early payment discount offer and simultaneously pursue an appeal against the imposition or amount of that fine. That decision has now been upheld by the Upper Tribunal.
Judge Wikeley said that the early payment discount scheme "does not act as a fetter on the statutory right of appeal" and said that even if he was wrong about that, the interference with those rights is not unwarranted.
"The tribunal properly identified a very significant public policy argument which justifies the operation of an early payment discount scheme – the early payment and early resolution of the issue," the judge said. "Moreover ... there is a strong public interest in disincentivising data controllers from mounting ill-founded appeals."