By Camilla Elliot


Published 30 September 2021

Overview

By the time an ICO’s lengthy investigation is complete and its fine has been issued, a huge amount of time, money and resource has been invested by the company in co-operating and responding to the regulatory investigation. It is therefore not surprising that very few companies decide to incur further time and costs in exercising their right to appeal an ICO’s decision at the First Tier Tribunal (Information Rights).

Arguably, the risk paid off for Doorstep Dispensaree Limited (“DDL”), which successfully appealed the ICO’s Monetary Penalty Notice (“MPN”) of £275,000 issued on 17 December 2019. Tribunal Judge MacMillan concluded that the quantum was disproportionate and consequently reduced it by almost two-thirds (65.81%), to £94,000[1].

However, the appeal was only a partial success; the Tribunal upheld the ICO’s overall finding that DDL had breached the GDPR’s data security and accountability principles, breached its obligation to tell data subjects that it processed their data, and failed to have adequate data retention provisions. The initial evidential burden was on the ICO to prove that there had been an infringement, and the ICO reminded the Tribunal of the legislative purpose of a MPN, which should be effective, proportionate and dissuasive (section 155(1) DPA 2018). With this in mind, the Tribunal Judge was satisfied that the gravity of DDL’s violations was sufficiently serious to warrant a significant MPN.


The Facts

DDL operates both an internet-based pharmacy and a retail pharmacy in Cambridge.

DDL owned a site (the “Property”) in which waste disposal company, Joogee Pharma (“JPL”), was contracted to carry out the destruction and disposal of personal data and special category data generated during the course of DDL’s business, on DDL’s behalf.

A search of the Property by the Medicines and Healthcare products Regulatory Agency (“MHRA”) in July 2018 found unlocked crates, cardboard boxes and disposal bags of paper, produced by DDL’s business, in its courtyard. The majority of the 73,000 papers seized by MHRA contained personal data and special category data relating to highly vulnerable individuals. 

The MHRA reported its findings to the ICO, estimating the total number of documents recovered to be over 500,000, with dates ranging from December 2016 to June 2018.

Consequently, the Commissioner launched an investigation into DDL and the processing activities at the Property.

At the relevant time, DDL had no data retention policy and its other policies had not been updated to reflect the GDPR.

On 17 December 2019, the ICO issued its Enforcement Notice and a MPN of £275,000.


The Appeal

DDL accepted that its data protection policies in place at the material time were deficient, but submitted that it was inappropriate and unnecessary for the ICO to issue a coercive notice when the breaches identified had by then largely been remedied.

DDL criticised the Commissioner’s “unquestioning acceptance of the MHRA’s assertion of the facts” and noted in particular the absence of witness evidence. DDL asserted that the processing in breach of the GDPR “has been assumed purely on the basis of a lack of adequate data protection policies”. While DDL accepted that it did not have written GDPR-compliant policies in place at the time, it maintained that “the waste disposal processes followed met the requirements of the GDPR”.

DDL’s position was that JPL securely destroyed all personal data within 28 days of receipt and in accordance with its data protection obligations. It submitted that the presence of historic documents was a result of the care homes erroneously passing these documents to JPL and it was wrong to assume that these documents had resided at the Property since that date.

In any event, DDL submitted that it was not the responsible data controller of the personal and special category data recovered. DDL asserted that the majority of the personal data originated from the care homes and not DDL itself, therefore it was the care homes who were the responsible data controllers. Alternatively, DDL submitted that JPL had assumed the role of data controller themselves as they had acted outside of their contractually agreed duties in failing to destroy the personal data in a secure and timely manner.

DDL submitted that the breach of the GDPR was much less serious than the Commissioner assessed it to be. The MPN’s quantum was calculated on the basis that ‘over 500,000 documents’ contained personal and special category data, when in fact the true figure was much lower: 73,719 documents in total, 66,638 of which contained personal data and 53,871 special category data. Further, DDL claimed that the ICO had failed to consider DDL’s financial position and ability to pay.


The Tribunal’s decision

The Tribunal upheld the Commissioner’s Enforcement Notice and her overall regulatory findings against DDL. Judge MacMillan was satisfied that DDL was the data controller of all of the personal data recovered, both the care home waste collected by JPL and DDL’s own waste. She acknowledged that DDL’s care home clients may have breached their own regulatory and data processing obligations, however concluded that the presence of historic documents was a result of DDL’s own data protection failures, which in turn, contributed to JPL’s breaches of its relevant data processing requirements pursuant to the GDPR’s accountability principle.

Judge MacMillan ruled that DDL had breached the GDPR’s data security and accountability principles (Articles 32 and 5(2)) by failing to implement appropriate organisational measures to not only (i) ensure that JPL’s processing was performed in accordance with the GDPR, but also (ii) ensure a level of security appropriate to the risks.

Judge MacMillan agreed that the evidence relied upon by the Commissioner lacked accuracy and important detail about the nature of the personal data concerned. However, she criticised the credibility of DDL’s own witness evidence and adopted the Commissioner’s position as to the gravity of the breach.

Notably, the Judge also expressed her concerns regarding “the risk of significant emotional distress being caused to a vulnerable group of data subjects were they to[o] become aware of the contraventions.”

Judge MacMillan acknowledged that financial hardship is an important mitigating factor to be considered, but a person responsible for a “serious contravention of the GDPR” should not be able to avoid a penalty based solely on their financial position. The Judge was satisfied that the Commissioner had already taken this into account when she reduced the fine from the £400,000 proposed in her Notice of Intent.

The Tribunal therefore reassessed the appropriate level of the penalty on the basis that 66,638 documents containing personal data were recovered, and not 500,000 documents as originally thought.


A victory?

No doubt a 66% cut to the MPN is a good result for DDL. However, DDL will have had to offset a proportion of the £181,000 saving against its costs of appealing.

This Tribunal Judgment is only binding on those parties in the proceedings, but it is still likely to be an influential one for companies considering appealing regulatory action.

It remains to be seen whether DDL’s risk of appealing has actually paid off, given that the ICO’s damning statements about DDL in its Enforcement Notice were upheld. Of particular note were Judge MacMillan’s concerns as to the “vulnerable group of data subjects” who were at risk of suffering “significant emotional distress” as a result of DDL’s violations, which may act as an invitation for potential litigation from those affected. If recent trends are anything to go by, it is likely that the MPN and the statements which accompany it are going to be heavily scrutinised by claimant law firms and used to form the basis of potential future claims.


[1] https://informationrights.decisions.tribunals.gov.uk/DBFiles/Decision/i2910/Doorstep%20Dispensaree%20JM.pdf
