[2023] UKUT 132 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 14-Jul-2022

Whether a MPN was appropriate

24. The Tribunal found that 66,638 documents containing personal data were recovered by the MHRA (of which 53,871 contained special category personal data) rather than the 500,000 documents on which the Commissioner’s MPN was based.

25. The Tribunal concluded that the Commissioner had mistakenly thought that a MPN might be imposed for a breach of Article 24(1) of the GDPR. That was not the case “because it is not a breach of GDPR listed in s.149(2) [of the DPA 2018]” (paragraph 89 of the Tribunal’s reasons).

26. Apart from the number of seized documents / affected data subjects, the Tribunal adopted the Commissioner’s assessment of the matters specified in Article 83(2) (paragraph 90). The Commissioner’s assessment was not reproduced in the Tribunal’s reasons. It is found in paragraphs 47 to 67 of the MPN issued by the Commissioner on 17 December 2019. The key considerations were as follows:

(a) the Appellant’s breaches were “both repeated, and negligent in character” and its subsequent attempts to improve compliance were not “relevant to how seriously defective the practices were at the date of the Breach” (paragraph 48 of the MPN);

(b) nature of infringement (Article 83(2)(a)): the breach concerned the security of special category data “that should have been treated with the utmost care”. A controller operating the Appellant’s type of business should take its data protection obligations “far more seriously” and “therefore…the Breach resulted from a highly culpable degree of negligence on the part of [the Appellant]”. The data’s sensitivity made it “particularly important” to ensure compliance with Articles 13 and 14 of the GDPR but the Appellant “paid little or no attention to its regulatory obligations in this respect” (paragraphs 49, 50);

(c) gravity of infringement (Article 83(2)(a)): the breach was “very serious” and concerned “highly sensitive information that was left unsecured in a cavalier fashion”. Data subjects could be “very readily identified and linked to data concerning their health”, and a high proportion of them were likely to be elderly or otherwise vulnerable. There were “very serious shortcomings in the information provided to data subjects through the privacy policy”, which was a significant infringement of subjects’ right to transparency about the processing of their personal data and was heightened by the data’s sensitive nature. No data subject would reasonably expect personal data relating to their health to be handled in the manner that it was (paragraphs 51, 52);

(d) duration of infringement (Article 83(2)(a)): the exact duration of the breach was uncertain but, given the age of some data, it must have been “occurring, to some extent, since at least 25 May 2018”. That date was relevant because earlier breaches would fall to be dealt with under the previous data protection regime and, for the same reason, the Commissioner only took into account privacy notice inadequacies, under Articles 13 and 14, since 25 May 2018 (paragraphs 53, 54);

(e) number of data subjects affected (Article 83(2)(a)): the Commissioner’s analysis of the number of affected data subjects was based on the assumption that some 500,000 documents were seized during the MHRA’s July 2018 search of the Premises;

(f) damage suffered (Article 83(2)(a)): data subjects were not aware of the breach but, if they had been, “it could cause high levels of distress, although financial damage is unlikely”. The Article 13/14 infringements may also have caused distress – confusion or uncertainty – about the Appellant’s processing of sensitive personal data (paragraph 56);

(g) intentional or negligent character of infringement (Article 83(2)(b)): Article 13 and 14 infringements were treated as negligent rather than intentional but “in both cases there is considerable evidence of extremely poor data protection practice, amounting to significantly negligent conduct” (paragraph 57);

(h) action taken to mitigate damage (Article 83(2)(c)): the Commissioner was “unaware of any mitigation measure that [the Appellant] may have taken”, although he did take into account subsequent, actual or intended, improvements in data protection practices. The Appellant was taking steps to improve written policies and contractual arrangements, and staff training. If properly implemented, the Appellant’s changes were likely to mitigate the ongoing Article 13/14 breach. The Commissioner gave “some credit” for this factor in determining the penalty amount but “notes that some of the policy documents provided remain in template form” (paragraphs 58, 59);

(i) degree of responsibility (Article 83(2)(d)): there was “little to no evidence that measures to ensure data protection by design and default were in place”, as required by Article 25, nor that “any technical or organisational measures were in place to protect the affected data as required by Article 32”. This was a “major failing” for a controller that routinely processed large quantities of highly sensitive health data. The Appellant “bore full responsibility” for these infringements as well as “shortcomings of its privacy notice”. The GDPR’s implementation was extensively publicised in advance. Joogee Pharma’s role did not avoid the Appellant’s responsibility for ensuring “the security of any processing undertaken by it or on its behalf” (paragraph 60);

(j) previous infringements (Article 83(2)(e)): no known previous infringements (paragraph 61);

(k) cooperation with supervisory authority (Article 83(2)(f)): this was “poor”. The Appellant failed to “engage”, which required multiple chasing emails from Commissioner staff. The Appellant appealed against the Information Notice but could have simply relied on section 143(6) of the DPA 2018 to withhold information that might be self-incriminating. However, the remedying or mitigation of the infringement was not hampered since the data was now secure and “data subjects unaware of the incident”. The Commissioner also acknowledged a more cooperative approach in representations made in response to the notice of intent to issue a MPN (paragraph 62);

(l) categories of affected personal data (Article 83(2)(g)): “these include information allowing very easy identification of individuals…and sensitive, special category data relating to health (medical information, prescriptions)” (paragraph 63);

(m) manner in which infringement became known to supervisory authority (Article 83(2)(h)): the Appellant did not notify the Commissioner (paragraph 64);

(n) compliance with previous orders (Article 83(2)(i)); adherence to approved codes of conduct etc (Article 83(2)(j)): not applicable (paragraphs 65, 66);

(o) other aggravating or mitigating factors (Article 83(2)(k)): the Appellant may have made “a modest financial gain” by saving on the costs of secure destruction or appropriate storage (paragraph 67).

27. While the Tribunal agreed with the Commissioner’s findings, save for the number of affected data subjects, it noted “in particular” findings as to the gravity of the breach and the risk of significant emotional distress to a vulnerable group of data subjects, and expressly agreed with the Commissioner that the “serious breaches” occasioned by Joogee Pharma’s activities were largely due to the Appellant’s “negligence in relation to its Article 24(1) and Article 32 obligations”. The Tribunal concluded “as a consequence that issuing an MPN is an effective, proportionate and dissuasive response to [the Appellant’s] contraventions” (paragraph 91 of the Tribunal’s reasons). Despite the reduced magnitude of the breach, the Tribunal found that “the contraventions identified are sufficiently serious to justify issuing a penalty” (paragraph 89).