[2024] UKUT 287 (AAC)

In light of our conclusions on Issue 1, it follows that the FTT’s conclusion on seriousness cannot stand in any event. However, we consider that it is likely to assist the FTT on remission if we address the Issue 5 points (in so far as we have not already addressed them under Issue 2).

As regards the first alleged error, we reject the proposition that the factors relevant to the seriousness of the contravention are entirely distinct from those that relate to whether the contravention was likely to cause substantial damage or substantial distress. Such an approach would be highly artificial. Seriousness is a broad concept and we see no reason why it cannot include the extent of the likely consequence of the failing. As we have already discussed, paragraph 9 of Part II of Schedule 1 indicates in terms that the consequences of an unauthorised or unlawful processing of personal data (“the harm that might result”) are relevant to the applicable standard of security and thus, in turn, to whether there has been a contravention. It would be illogical to then exclude consideration of the potential consequences from an assessment of the seriousness of that contravention.

Mr Lockley accepted during his submissions that an assessment of the seriousness of the contravention did require the FTT to determine how far DSG’s contravention had fallen below the appropriate standard. We agree; this is inherent in the concept of a “serious” contravention.

Mr Lockley also accepted that there was no specific passage that he could point to in the FTT’s decision where it had addressed the applicable standard or addressed how far below it DSG had fallen. We have considered the decision as a whole and it does not appear to us that these matters were addressed. We do not know how far the FTT thought that DSG had fallen below the applicable standard.

Whilst we have considered it carefully, we are not persuaded that the FTT addressed the seriousness of the contravention at any point within the contents of paragraph 110 of its decision, where it explained why it had found that there was a contravention of DPP7 (by virtue of contraventions 3 and 9).

The need for a distinct finding as to the seriousness of the contravention is underscored by the statutory scheme. As we have explained at paragraph 64 above, an enforcement notice may be served by the ICO in respect of a contravention that has caused or is likely to cause damage or distress; and pursuant to section 13 DPA 1998, an individual who suffers damage or distress by reason of a contravention may make a claim. Unlike section 55A, neither of these provisions requires there to have been a “serious” contravention of the section 4(4) duty to comply with the data protection principles. Accordingly, it is not appropriate to simply elide the question of whether there has been a “contravention” and, if so, whether it is a “serious” one.

The proposition that the FTT failed to address how far DSG’s contravention had fallen below the applicable standard is also reinforced by the structure of the FTT’s decision: after concluding at paragraph 110 that there had been a contravention, at paragraph 111 the FTT proceeded to consider the section 55A(1)(a) criterion, then at paragraphs 112 – 113 it addressed the section 55A(1)(b) criterion and at paragraph 114 the section 55A(3) criterion. Thus, although we have considered the decision as a whole, it is reasonable to infer that the FTT identified at paragraph 111 those matters that it considered relevant to its determination of whether the contravention was “serious”. As we have already observed, there is no reference here to the FTT either asking or answering how far DSG had departed from the applicable standard.

We therefore conclude that the FTT erred in law in this respect as section 55A(1)(a) DPA 1998 required it to make this assessment.

We are not persuaded that there is force in Mr Pitt-Payne’s second criticism. Whilst it appears to us to be peripheral, rather than central, to the determination of seriousness that the FTT had to make, we do not consider that the reasonable expectations of individuals and society that a body of personal data of this nature would be adequately protected is wholly irrelevant to the seriousness of the contravention. Furthermore, this is not a matter that would easily lend itself to specific evidence (unlike the respective costs of living in Scott). It is, in our judgment, something which ought to be an uncontentious matter of common sense, given that the DPA 1998 seeks to ensure adequate protection of personal data and we do not accept that the FTT erred in taking this into account.