The Scottish Borders Council, through its Appeal against its recent Monetary Penalty Notice (MPN), could undermine the “prompt payment” discount offered by the Information Commissioner.
In its Press Release dated October 22nd, the Council said it had launched an appeal over the size of a penalty from the Information Commissioner's Office (ICO) after a self-reported data breach. The ICO issued a £250,000 fine to Scottish Borders last month after files relating to the Council were discovered in a recycling bank. The Council had employed a data processor for a number of years without regard for the contractual obligations in the Seventh Principle.
Scottish Borders Council (SBC)’s press release then continues:
“the fine has been paid in order to achieve a 20% discount on the total amount but this was done so with the caveat that SBC still reserved the right to appeal. The appeal has been lodged in a written submission to the Information Tribunal and the ICO has until 2 November to file a reply to the appeal. The case will then go to a three-judge panel for a decision, which is expected by the end of January”.
A quick visit to the Tribunal web-site shows that, as of yesterday, the Appeal is still listed.
Hang on a second! I had always thought that the 20% payment was for those data controllers who admit their mistake quickly; those data controllers who want to contest the MPN at the Tribunal loose the 20%. What Scottish Borders is doing is pay up and also Appeal.
A quick call to the ICO’s Press Office reveals that the ICO thinks on the same lines as I do. An ICO spokesperson said:
• “The Commissioner operates an early payment scheme for all civil monetary penalties served. Under that scheme, a data controller who has been subject to a penalty may obtain a 20% discount if the Commissioner receives the full payment of the penalty within 28 calendar days of the notice being served.
• The objectives of the early payment scheme are to encourage early payment of the penalties and reduce the costs to the public purse entailed on pursuing enforcement action and responding to challenges to the notices. The scheme operated by the Commissioner is similar to that operated by other regulators, such as the Financial Services Authority.
• There is no provision under the scheme which allows a data controller to make a payment subject to reservations, for example, by reserving his right to appeal against the penalty. The effect of such reservations would be to nullify the advantages which the scheme is intended to achieve”.
So what I assume has happened is that the ICO has asked for the Appeal to be struck off the Tribunal list, but the fact that it hasn’t been struck off might mean that the Appeal will proceed. If Scottish Borders are successful, it appears that data controllers can pay early and also Appeal; the ICO’s statement implies that the ICO has little reason to offer a 20% early payment discount.
Of course, what might happen is that the Tribunal could reinstate the full MPN. In which case, Scottish Borders would have lost 20% of its £250K (i.e. £50K) and would have to shoulder the costs of its Appeal (little change from £80K-£100K, I suspect). In other words, the Council is risking around £130K-£150K on top of the £200K fine it has already paid. This could be a public relations disaster if it goes wrong.
Even if it “wins”, the Council still bears its own costs. This means to cover its costs and show that its Appeal gamble has paid off, the MPN has to be reduced by more than half (i.e. to less than £100K). There appears to be little point winning an £80K-£100K reduction in a MPN if you have to spend £80K-£100K on your own costs getting that reduction!
Advert
JUSTICE evening event at Hunton and Williams: “Defamation, privacy and freedom of expression online”, 30 St Mary Axe, London EC3A 8EP (the London “Gherkin”) 20 November 2012 –http://www.justice.org.uk/events.php/46/life-and-law-online-defamation-freedom-of-expression-and-the-web (£50)
We are running a course leading to BCS’s Foundation Certificate in Information Security Management in January in London; ideal for data protection people wanting to understand best practice in information security management. See side panel for links to all details as well as our DP/FOI courses.
Comments
You can follow this conversation by subscribing to the comment feed for this post.