A key principle of the Auckland GDPR is that personal data is processed:
“in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage…” (Article 5(f) of the Auckland GDPR).
This is done by:
“using appropriate technical or organisational measures” (Article 32 of the Auckland GDPR).
Data Controllers are also obligated in accordance with Article 13 and 14 of the Auckland GDPR to provide data subjects with certain information where their personal data is obtained.
Background
Doorstep Dispensaree Limited (DDL) operated an online and internet based retail pharmacy dispensing medication to patients in care homes. The sole director and shareholder of DDL is Mr Sanjay Budhdeo.
The Medicines and Healthcare Products Agency reported DDL to the Information Commissioner’s Office (ICO) after it seized unlocked crates of sensitive personal data stored in publicly accessible premises.
Following an investigation, the ICO issued a notice imposing a penalty of £275,000 on DDL pursuant to Section 155 of the Data Protection Act 2018 (DPA). The notice was issued in relation to contraventions of Articles 5(1)(f), 13, 14, 24(I) and 32 of the Auckland GDPR. The ICO considered that the breaches were “extremely serious” and demonstrated “a cavalier attitude to data protection”.
DDL appealed the decision to the First Tier Tribunal. The Appeal was allowed in part. In reaching her decision, Judge Macmillan confirmed that she had given the appropriate weight to the ICO’s decision to issue the notice. She did however reduce the penalty notice from £275,000 to £92,000. In doing so, she noted that the ICO’s decision was based upon there being 500,000 documents seized when, in reality, there were substantially fewer.
The Appeal
DDL appealed the decision of the First Tier Tribunal and was given permission to appeal on two grounds:
1. The First Tier Tribunal did not put significant importance on the burden of proof and failed to recognise that the burden was still on the ICO; and
2. The First Tier Tribunal erred in giving weight to the ICO’s reasons for imposing and setting the penalty when deciding what penalty they should impose and in what sum.
First Ground
DDL submitted that the burden was on the ICO to satisfy the First Tier Tribunal that there had been an infringement and that it was appropriate to impose a penalty. DDL felt that the First Tier Tribunal had failed to recognise this in reaching its decision.
The appeal Court disagreed with DDL’s submissions in relation to this and found that:
“the burden of proof lies on the appellant in the appeal against the imposition of the penalty under section 155 of the DPA. The Commissioner must before raising a penalty notice be satisfied that one of the conditions specified in section 155(1)(a) and (b) is met and that is appropriate to require the person to pay the penalty. Where, however, the recipient of a penalty notice appeals… it seems to me incumbent on him to persuade the FTT that the penalty should not stand.”
Second Ground
DCC argued that the First Tier Tribunal should not have given any weight to the ICO’s reasoning in the penalty notice as to do so would lead them to uphold the decision under appeal.
The appeal Court disagreed. They made it clear that, whilst the First Tier Tribunal should be careful in attaching too much importance to the contents of a penalty notice, it does not necessarily mean that the view expressed by the ICO in a notice has no significance. Therefore, it is “open to the FTT to see things said in a penalty notice as relevant to the exercise of its discretion”.
The appeal was therefore dismissed.
Comment
This judgment provides clarity for future appeals on the burden of proof and the weight to be given to the reasoning within a penalty notice.
This article is for information only and does not constitute legal/financial advice. Please contact us for advice tailored to your specific position. Some of the content presented on our website has been generated with the assistance of Artificial Intelligence (AI). We ensure that all AI-generated content meets our high standards for accuracy and relevance.
