Central London Community Healthcare NHS Trust GIA 1014 2013

Jurisdiction: UK Non-devolved
Judge: Judge N J Wikeley
Judgment Date: 08 November 2013
Neutral Citation: 2013 UKUT 551 AAC
Subject Matter: Information rights
Respondent: The Information Commissioner
Court: Upper Tribunal (Administrative Appeals Chamber)
Docket Number: GIA 1014 2013
Appellant: Central London Community Healthcare NHS Trust

Central London Community Healthcare NHS Trust v Information Commissioner

[2013] UKUT 0551 (AAC)

DECISION BY THE UPPER TRIBUNAL

(ADMINISTRATIVE APPEALS CHAMBER)


The DECISION of the Upper Tribunal is to dismiss the appeal.


The decision of the First-tier Tribunal (General Regulatory Chamber) (Information Rights) dated 15 January 2013 under file reference EA/2012/0111, in relation to the Appellant’s appeal against the Monetary Penalty Notice dated 27 April 2012 (ENF0406305), does not involve any error on a point of law. The First-tier Tribunal’s decision accordingly stands.


This decision is given under section 11 of the Tribunals, Courts and Enforcement Act 2007.




REASONS


The subject matter, grounds of appeal and outcome of this appeal in summary

1. The Information Commissioner (“the Commissioner”) has the (relatively new) power to issue a monetary penalty notice (an “MPN”) on data controllers, imposing what is, in effect, a civil fine of up to £500,000 for certain breaches of the data protection legislation. The Commissioner imposed a penalty of £90,000 on the Central London Community Healthcare NHS Trust (“the Trust”) for its admitted data protection breaches. The First-tier Tribunal dismissed the Trust’s appeal. The Trust now appeals to the Upper Tribunal against both the imposition of the MPN and the amount of that penalty.


2. To date the First-tier Tribunal (“the tribunal”) has heard three such appeals against MPNs (the appeal in this case, under reference EA/2012/0111, along with Scottish Borders Council v Information Commissioner (EA/2012/0212) and Niebel v Information Commissioner (EA/2012/0260)). However, this is the first case to be determined at Upper Tribunal level.


3. The Trust has four grounds of appeal. The first, the “discretion” ground, is that the tribunal erred in law by not holding that the Commissioner had (a) failed to recognise that he had a discretion as to whether to serve an MPN; and (b) failed to consider how that discretion should be exercised. The second, the “assessment” ground, is that the tribunal should have concluded that the Commissioner was barred from serving an MPN as the process following the Trust’s self-report of its breach was a consensual process and so an “assessment” within the terms of the legislation. In effect, the argument is that the Trust can claim the benefit of a form of statutory immunity. These two grounds both relate to whether the Commissioner could or should have served an MPN at all.


4. The remaining two grounds of appeal concern the amount of the penalty under the MPN. The third ground of appeal, the “discount” ground, is that the way in which the Commissioner operates his early payment discount scheme constitutes a fetter on the right of appeal, and is therefore unlawful (and so the tribunal should have applied the 20 per cent discount to reduce the amount of the penalty). The fourth and final ground, the “quantum” ground, is that in any event the tribunal should have reduced the amount of the penalty, as the Commissioner’s approach was, so it is said, legally unsustainable.


5. I held an oral hearing of this appeal on 16 October 2013. I am indebted to Mr Timothy Pitt-Payne QC (counsel for the Trust) and Ms Anya Proops (counsel for the Commissioner) for their careful and clear submissions, both on paper and orally. I am dismissing this appeal for the reasons that follow.


The facts of the case

6. The facts of the case are not in dispute. I can simply adopt the agreed statement of facts as set out in the tribunal’s decision (FTT decision at paragraph [4]):


‘4. The parties agree the following factual background relating to the data breach in issue in this case:


a. The Trust is responsible for managing vast quantities of sensitive patient data;


b. The Trust had in place an arrangement by which it faxed, each weekday evening, highly sensitive patient data relating to patients in its palliative care unit (“the Unit”) to St John's Hospice ("the Hospice"). The data in question was contained in inpatient lists, to assist doctors providing out of hours care for these individuals;


c. The Trust used a fax protocol (or task sheet for the administrator) for sending the lists which had been agreed with the Hospice ("the protocol"). The protocol required the Unit to telephone the Hospice to check that the relevant fax had been received;


d. The person responsible for faxing the lists to the Hospice ("the administrator") had not been given adequate training in respect of the faxing process and had not been specifically trained to obtain management approval to vary the fax protocol in accordance with changing operational needs;


e. In March 2011, the administrator became aware that the list needed to be sent to an additional fax number at the Hospice (“the additional fax number”). The administrator did not update the protocol with the additional fax number and did not obtain approval from her manager in respect of the new arrangements;


f. Thereafter the administrator (or her stand-in) faxed the inpatient lists on some 45 separate occasions to a fax number which was not in fact the number for, nor that which had been provided by, the Hospice;


g. The administrator did telephone the Hospice to confirm that the first fax had been received but did not check that the second fax had been received under the additional fax number;


h. The error only came to light when, on 6 June 2011, a member of the public rang the administrator to inform her that he had been receiving the inpatient lists since 28 March 2011 but had shredded them. The Trust has been unable to trace the member of the public following this call and, accordingly, has no way of confirming precisely what had happened to the data;


i. The lists which were wrongly sent to the member of the public contained data relating to 59 individuals, all of whom were regarded as 'vulnerable adults' due to their age and ill health. The data in issue included not only the patients' names but their medical diagnoses; medical treatment; information about the patients' domestic situations (including third party/family information) and resuscitation instructions. This information amounted to acutely private information and sensitive personal data (under section 2 DPA).’


7. I accept both of Mr Pitt-Payne’s points that the Trust itself reported the breach to the Commissioner and that thereafter the Trust fully co-operated with the Commissioner’s investigation. It remains, however, as I remarked at the oral hearing, a sorry tale. In that context I note the tribunal’s further findings (neither of which was in dispute) that (i) the Trust was required to report the breach under guidance issued by the Department of Health and the NHS (FTT paragraphs [70]-[71]); and (ii) by the time the Trust took action to notify the affected individuals (or “data subjects”), only 15 could be so advised as the other 44 persons had died in the meantime (FTT paragraph [40(i)]).


The legislative framework

8. The Trust is a “data controller” within the meaning of section 1(1) of the Data Protection Act 1998 (“the DPA”). The patients in question are or were “data subjects”, also within section 1(1); the information in question was obviously “sensitive personal data” within section 2(e). Furthermore, subject to any exemptions (which do not apply here) “it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller” (section 4(4)).


9. Part I of Schedule 1 to the DPA sets out the eight data protection principles, the seventh of which is that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Paragraphs 9-12 of Part II of the Schedule make further provision in this regard, including the requirements that:


‘9. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to–

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected.

10. The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.’


10. From the outset the DPA vested the Commissioner with a wide range of enforcement powers (see Part V, sections 40-50). As originally enacted, the DPA included no provision for MPNs (and, indeed, no such provision was required under the EU Data Protection Directive, also known as Directive 95/46/EC, which the DPA implements; however, the position may change in the light of current developments at the European level). But section 55A of the DPA – which appears in Part VI of the DPA under the beguiling heading of...
