The ICO has suffered a highly unusual and embarrassing reverse after a £250,000 ($375,000) fine it imposed on Scottish Borders Council (SBC) for carelessly disposing of paper records was ruled excessive by the Information Rights Tribunal.
Appeals against fines by the Information Commissioner are the exception, and decisions against fines, especially ones as large as that levied on the Council last September, are unheard of.
The original breach occurred in September 2011 when a member of the public discovered what turned out to be files containing personal data of 676 SBC employees in a supermarket paper recycling bank.
It later emerged that along with another 172 files, the records had been discarded by a third-party firm hired to digitise the Council's records. The firm had used public recycling banks as part of this contract for up to seven years before the discovery.
Two issues that probably pushed the fine up to the £250,000 level were this unusually long period of time and the fact that the breach was only discovered by chance, both of which suggested a lack of system and oversight.
Neither seems to have impressed the Tribunal, which has now overturned the ruling and asked the ICO to pay back the £200,000 of the fine already handed over by the Council, the remaining £50,000 having been waived for early payment.
“I am extremely pleased with the outcome and have always strongly believed that the monetary penalty notice issued by the ICO in this case was unjust and disproportionate,” Council executive Tracey Logan said.
“Of course, I acknowledge that there were gaps in our processes in this case - but we have taken significant steps to address these since the breach to ensure data protection continues to be a high priority across the Council,” she said.
In comments to the BBC, the ICO accepted that the Tribunal had not been convinced that the breach had led to actual harm to the individuals concerned.
"We are disappointed with the result and await the full ruling from the tribunal confirming the reasons for its decision, before deciding whether to appeal," a spokesperson was quoted as saying.
"We do not take the decision to issue a monetary penalty lightly and follow a thorough process before serving an organisation with a penalty notice.
"The tribunal agreed with us that the breach, which led to over 600 pension records being found in an overfilled paper recycling bank in a supermarket car park, was a serious one, but we were unable to satisfy them that it was likely to lead to substantial damage or substantial distress being caused to the individuals affected."
The ICO can console itself that a separate appeal by Sony over a £250,000 fine for the infamous and vast hack of its systems in 2011 was rejected in the Information Commissioner's favour only days before the Scottish Borders Council ruling.
Given the scale of that breach, the appeal always seemed like a long shot by Sony. Most of the ICO's notable rulings are against public sector organisations; to have lost one against a private-sector organisation would have counted as a major setback.