Sunday, 3 August 2014

Pension records in the skip, still a cause celebre

It may be almost a year since Scottish Borders Council wriggled off the Information Commissioner's £250,000 hook after forking out a small fortune in defence fees in the infamous "Pension Records In The Skip" case. But the ramifications and ripples for those working in the information rights industry continue with finger pointing and a fierce war of words still raging across cyberspace.

The council was hit with the quarter-of-a-million pound "fine" after failing to notice their regular data processor had dumped up to 1200 paper files carrying personal details of members of the local authority's pension scheme in a supermarket waste bin at South Queensferry.

It was only when the bins overflowed that the horrendous breach of security came to light. The man who had held the council's processing contract for years later told the press that, unbeknown to his employers, this had been his normal, if somewhat careless method of disposing of SBC's redundant paperwork.Shredding might have been a better option.

In the eyes of the hundreds of potential victims, whose names, addresses, National Insurance numbers and bank details were left fluttering in the breeze, the potentially catastrophic episode can only have been regarded as a record breaking breach of the Data Protection Act. On the face of it a £250,000 penalty seemed fully merited.

But experience tells us it is extremely rare for any public authority to take the rap for wrongdoing of any kind. So, armed with council taxpayers' cash SBC engaged specialist lawyers Brechin Tindal Oatts (BTO) to mount a successful appeal against the Information Commissioner's 'conviction'. It mattered little to our councillors and their officials that BTO would pocket more than £28,000 in legal fees while expert witnesses commissioned on the council's behalf would account for another £19,000. Throughout the entire sequence of desperate efforts to 'clear' SBC's name there was little, if any thought given to the individuals blighted by the council's gross neglect and lack of control over processing.

Proceedings finally ground to a halt in August 2013 after almost two years of hearings and debate, and SBC hailed the outcome as a veritable triumph despite the unnecessary financial outlay to cover their dreadful errors. There was no mention of the £48,000 racked up in legal fees and other charges, and when the time and effort devoted by SBC's in-house legal team over the two-year campaign to strike down the 'fine' is added into the equation then the true cost may well be adjacent to £100,000.

BTO solicitor advocates Paul Motion and Laura Irvine were SBC's saviours, and could rightly claim a stunning legal victory over Information Commissioner Christopher Graham. They had persuaded the appeal tribunal the Commissioner's reasoning behind his financial penalty was flawed as the breach of data protection, though serious, was not likely to cause substantial damage or substantial distress.

That seemed to be that. But now, in an article written to mark the upcoming first anniversary of the landmark ruling Mr Motion and Ms Irvine claim the ICO does not appear to have learned lessons from the SBC case and continues to dispense identical monetary penalties which cannot be justified.

They say: "Out of the 19 fines issued during the last year by the ICO, three were imposed for the loss of personal data that – like the SBC appeal data - was not classed as sensitive. However in all three cases the ICO nonetheless felt able to assert that it was likely that the contravention would have caused substantial damage by exposing the data subjects to identity fraud and possible financial loss. In our view given the decision in the SBC appeal, the ICO would have struggled to demonstrate to the Tribunal that the contravention in these three cases was of a kind likely to cause substantial damage or substantial distress."

There is no direct reference to the Borders case in Mr Graham's recently published annual report, but he has complained about the outcome of SBC's appeal in newspaper interviews. According to BTO Mr Graham had been 'miffed' by the ruling.

In what amounts to clear criticism of the Commissioner the BTO lawyers write: "The likelihood of damage must be based on more than conjecture and distress has to be more than mere irritation. If evidential thresholds are getting in the way of monetary penalties the answer is to provide the requisite evidence, not to call for the lowering of the threshold and potentially criminalising conduct that is undeserving of such categorisation."

But information rights expert Tim Turner, a former policy manager at the ICO who now runs his own training company, claims in his blog that Motion and Irvine's review of recent action is "eccentric, even myopic".

He agrees the ICO approach is flawed and inconsistent. But Mr Turner supports monetary penalties for breaches of Data Protection.

He adds: "I fear Irvine and Motion have lost sight of the purpose of the legislation. It is there to protect the public and to facilitate lawful, legitimate business activities. Personal data should be respected and handled with care. Some organisations will comply without sanction, but we need a strong effective regime for those who wont."

I'm sure those members of the SBC pension fund whose confidential, personal papers were scattered around that South Queensferry car park on September 10 2011 would wholeheartedly agree.

No comments:

Post a Comment