£250k fine for supermarket skip file-dump data breach, er, binned

I have just read the Scottish Borders Tribunal Decision and the reasons why the Tribunal quashed the commissioner’s £250,000 Monetary Penalty Notice (MPN).

It seems clear from the judgment that the Tribunal thinks that the Information Commissioner should have served an Enforcement Notice.

The Tribunal has hinted that ICO should, even at this late stage, serve an Enforcement Notice and that Scottish Borders should accept it. The fact that the Tribunal’s Decision is designated to be “Preliminary Decision” means that the Tribunal is reserving its position; it could impose its own solution and clearly does not want Scottish Borders to be seen as being wholly innocent.

Unlike other commentators, I don’t think that the Tribunal’s reasoning in its Decision will result in much change to the ICO’s policy with respect of the use of Enforcement or Monetary Penalty Notices – except possibly he will take more care in deciding the appropriate enforcement mechanism.

SOURCE: theregister.co.uk

Information Security Buzz