Information Tribunal overturns ICO fine
Published on Thursday 18th July 2013
Information Tribunal overturns ICO decision to impose fine.
After a four-day hearing which concluded in Edinburgh today, the Information Tribunal overturned the decision by the Information Commissioner's Office (ICO) to issue a Monetary Penalty Notice (MPN) of £250,000 to the Council.
The fine was issued in September 2012. The Council paid the fine in order to achieve a 20% discount on the total amount but lodged an appeal.
After consideration of the appeal, the Tribunal concluded there to be insufficient grounds to justify the MPN issued by the ICO and as such, the amount already paid to the ICO will be refunded in due course.
The Information Tribunal has requested both parties work together to identify the progress made on improving processes and systems since the breach. A joint report containing this information, along with any outstanding actions and a timetable to implement these must be submitted to the Tribunal panel by 10 September.
Tracey Logan, Chief Executive
Tracey Logan, Chief Executive said: “I am extremely pleased with the outcome and have always strongly believed that the monetary penalty notice issued by the ICO in this case was unjust and disproportionate.
"Of course, I acknowledge that there were gaps in our processes in this case - but we have taken significant steps to address these since the breach to ensure data protection continues to be a high priority across the Council.
"We are committed to continue to work with the ICO to ensure our processes and policies are as robust as possible."
David Parker, Leader of the Council
David Parker, Leader of the Council: “I am delighted with today’s outcome. To issue such a high monetary penalty on a public authority in this economic climate was excessive, especially when the breach was self-reported and officers took all appropriate steps on the discovery of this incident and co-operated fully with the ICO at all times.
"Data and information security is a priority at SBC - and I am confident that the work taking place across the Council to address any issues will be acknowledged appropriately in the future.
"I would like to thank the members of the Information Tribunal
Appeal Panel who ensured that our appeal was heard and conducted in a
fair and constructive way.
"The process of the appeal has taken four days of hearings and the Tribunal members had considerable written material to consider - but they have worked tirelessly to ensure a fair and sensible outcome."
Since the data breach, the Council has initiated an Information
Management project which aims to reinforce existing processes and
procedures currently in place with regards to information management
across all areas of the Council. This has involved reviewing and
implementing improvement actions to strengthen information governance
and security arrangements both internally and when arranging contracts
and agreements with suppliers and partners.
As part of this project, in February this year, we launched a new staff awareness campaign called ‘Think Information’ which aims to support all staff in their role in looking after information. The focus of this campaign is to ensure all staff, no matter what their role is, understand the role they have to play in making sure the public trusts the Council to look after their information. Not only does this include further support and training for all staff, but a series of materials have been produced to provide important information and advice to all levels of staff.
The Chief Executive and Leader of the Council have also signed up to the Personal Information Promise with the Information Commissioner’s Office (ICO) which outlines ten promises which the council has shown it is committed to keeping as part of its role as a public authority. This promise is on public display in Council Headquarters.