Back in May, I noted that the Information Commissioner’s Office in the U.K. had issued a fine of £90,000 to Central London Community Healthcare NHS Trust after the trust had misdirected faxes containing sensitive information on 45 occasions during the previous year. The trust immediately announced it planned to appeal.
Today, Robin Hopkins of Panopticon reports that the appeal was dismissed.
There were a number of interesting points in the decision, including the fact that self-reporting does not really mitigate. As Panopticon notes:
The fact that there was a voluntary notification cannot be given much weight when the Trust was under, in effect, an obligation to report (both to the ICO and to the NHS regionally). In any case it was reported over a month after the breach was discovered. Co-operation was the least that could be expected for such a serious breach. By the time the Trust informed the patients over three quarters were dead. There is still no absolute guarantee the sensitive information has been destroyed. The Trust’s mitigating features are therefore features to which we find the IC could not give much weight. In any case they are almost all post facto events and nothing about the wrongdoing” (paragraph 128).
A second interesting point was how the ICO determines the penalty. Until now, that has not been made public, but the decision incorporated the internal framework:
(i) Serious = £40,000 to £100,000
(ii) Very serious = more than £100,000 but less than £250,000
(iii) Most serious = more than £250,000 up to the maximum of £500,000.
The third point I found noteworthy was that the ICO is under no obligation to keep the offer of a discount for early payment alive during the pendency of any dispute. If an entity decides to challenge the penalty but doesn’t pay it promptly, they lose the 20% discount offer:
The Trust argued that, by refusing to keep the discount offer open pending the outcome of the appeal, the IC was penalising it for exercising its legal right to have its cased tested by a Tribunal. The Tribunal disagreed: “The purpose of the scheme would appear to us to encourage early payment and also to ensure there is an early resolution to the matter. There is no provision for a without prejudice payment” (paragraph 153). The IC did not err in refusing to keep the discount offer alive, and the Tribunal refused to restore that offer.
I suspect that this ruling my discourage other appeals, or at least get entities to pay early and then appeal.
h/t, Jon Baines