A pharmaceutical company Doorstep Dispensaree has failed in its appeal of an ICO Monetary Penalty Notice (MPN) in the Upper Tribunal. This is the first GDPR appeal to be heard by the Upper Tribunal and its decision affirms the burden and standard of proof in the First Tier Tribunal. Doorstop Dispensaree argued that the criminal standard of proof applied in appeals against the imposition of MPNs, rather than the lower, civil standard, therefore the MPN could not be enforced. The Upper Tribunal rejected this argument and affirmed that the civil standard of proof applies. Doorstep Dispenseree failed in its attempts to change the conventional principles in information law litigation.
Background
Doorstep Dispensaree was a pharmaceutical company that supplied medicines, mainly to care homes. In 2018, the Medicines and Healthcare Products Agency (MHRA) searched the building during and found that there were 47 crates of documents left outside in an unsecured courtyard. The documents included medical prescriptions and medication administration records, many of which were wet. The MHRA then notified the ICO.
The ICO's notice of intention to impose a MPN was £400,000. In December 2019, the ICO fined the company £275,000 after finding after it found the company was more likely than not to have mishandled 47 crates worth of c.500,000 customers' pharmaceutical documents, including special category personal data relating to care home residents.
In 2020, Doorstep Dispenseree's solicitor confirmed that no more than 75,000 documents were seized of which 53,871 contained special category data.
In August 2021, the First-tier Tribunal reduced the fine to £92,000 but refused to overturn the overall decision. Doorstep Dispenseree then applied to the Upper Tribunal with seven Grounds of Appeal.
The Appeal
In the Upper Tribunal, Doorstep Dispensaree brought seven Grounds of Appeal, most were mainly fact specific. Those with wider importance include Doorstep Dispenseree's arguments on the burden of proof and the civil standard of proof.
The Burden of Proof in First Tier Tribunal Appeals against MPNs under the DPA 2018
Doorstep Dispenseree argued that the burden of proof should be placed on the ICO. Counsel for Doorstep Dispenseree, Mr Coppel KC argued that the Tribunal is required to do more than "simply marking the Commissioner's homework" and that it places the ICO under "both a legislative and evidential burden". UTJ Mitchell disagreed. UTJ Mitchell explained that the ICO had engaged in a full merits review of the MPN with a review of the facts and its discretion was exercised to revisit the existing penalty. There were arguments introduced in respect of Article 6 ECHR, but similarly these failed as UTJ Mitchell concluded that even if the MPN did amount to a criminal charge, it would not require the burden of proof to be placed on the ICO.
The Civil Standard of Proof
The Upper Tribunal agreed with the First-tier Tribunal and ruled that the civil standard should apply, meaning that whether conduct has occurred that carries monetary penalties under the DPA 2018 will be decided on the "balance of probabilities" rather than "beyond reasonable doubt".
The Upper Tribunal was left unpersuaded by Doorstep Dispenseree's novel arguments. The Judgment made clear that any appeal made against the ICO's MPN is a full merit review where the First Tier Tribunal will be required to determine the outcome of any appeal on the civil standard of proof.
Insurability
The decision may be of interest to cyber insurers in relation to the question of whether UK GDPR penalties are insurable given the Upper Tribunal's clear decision that MPN's are subject to the civil, rather than criminal, standard of proof.
The insurability of UK GDPR penalties is detailed area beyond the scope of this article. However, the general position is that there is no express prohibition against the insuring UK GDPR penalties unless the underlying acts are themselves uninsurable. For example, fines imposed for criminal offences under the Data Protection Act 2018 (which supplements the UK GDPR ) are not insurable.
Had the Upper Tribunal determined that a criminal burden of proof apply for UK GDPR monetary penalties, then this could have implied that the underlying facts were criminal in nature and uninsurable. As it stands, the decision remains consistent with the current position that UK GDPR monetary penalties are administrative in nature and not uninsurable as a matter of principle.
UTJ Mitchell's Judgment is comprehensive and the full 79 page Judgment can be found here.
