Doorstep Dispensaree Limited v The Information Commissioner

This appeal raises questions as to (a) where the burden of proof lies when someone on whom the respondent, the Information Commissioner (“the Commissioner”), has imposed a penalty pursuant to section 155 of the Data Protection Act 2018 (“the DPA”) appeals against it and (b) whether, when determining such an appeal, the First-tier Tribunal (General Regulatory Chamber) (Information Rights) (“the FTT”) can properly attach weight to views which the Commissioner expressed in the penalty notice.

The appellant, Doorstep Dispensaree Limited (“DDL”), is a pharmacy whose main source of business is dispensing medication to patients in care homes. At the material time, it operated both a “closed”, internet-based pharmacy (which received prescriptions from nursing homes and GP surgeries direct) and a retail pharmacy in Cambridge.

The sole shareholder and director of DDL is Mr Sanjay Budhdeo. He is also the sole director and shareholder of Joogee Pharma Limited (“JPL”), a licensed waste disposal company.

Mr Budhdeo and his wife own a property at 75-79 Masons Avenue, Harrow, Middlesex HA3 5AN (“the Property”). At the material time, JPL used this to carry out waste disposal activities on behalf of DDL, including the destruction of “personal data” (as defined in section 3(2) of the DPA) and “special category” personal data (within Article 9 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“the GDPR”)) generated in the course of DDL’s business. In respect of this data processing, DDL was the “controller” and JPL the “processor” (as each term is defined in section 3(6) of the DPA).

On 24 July 2018, the Medicines and Healthcare products Regulatory Authority (“the MHRA”) executed a search warrant at the Property. It seized unlocked crates, boxes and bags of documents. A subsequent analysis by Mr Kavi Mayor, DDL’s solicitor, indicated that there were 73,719 documents in the various containers, that 53,871 of the documents included special category data relating to health, that a further 12,497 included other personal data and that documents in three of the 53 crates exhibited mould.

On 17 December 2019, the Commissioner issued a notice (“the Notice”) imposing a penalty of £275,000 on DDL pursuant to section 155 of the DPA. (A notice of intent which the Commissioner had issued previously in accordance with paragraph 2 of schedule 16 to the DPA had referred to a penalty of £400,000, but this was reduced.) The Notice explained that the penalty was being issued because of contraventions by DDL of:

“a.

Articles 5(l)(f), 24(1) and 32 of the GDPR, in that [DDL] has failed to implement the appropriate organisational measures to ensure the appropriate security of the personal data it processes and has processed personal data in an insecure manner. It is also noted that Article 5(l)(e), which states that data be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which they are processed, is likely to have been infringed;

b.

Articles 13 and/or 14 GDPR, in that [DDL] has failed to provide data subjects with the information required by those Articles.”

The Notice recorded that the Commissioner considered that DDL’s breaches were “extremely serious” and demonstrated “a cavalier attitude to data protection”. With regard to “the nature, gravity and duration of the infringement”, the Notice observed that the breaches related to “the security of special category data that should have been treated with the utmost care” and that it appeared “likely that a high proportion of the affected data subjects are elderly or otherwise vulnerable”. It was further stated that the breaches were considered to have resulted from “a highly culpable degree of negligence on the part of [DDL]”. This was also said:

“The Commissioner understands that the data subjects are not aware of the Breach, but were they to become aware it could cause high levels of distress, although financial damage is unlikely. The infringements of Articles 13 and 14 may have caused distress in the form of confusion or uncertainty about [DDL’s] processing of sensitive personal data.”

DDL appealed to the FTT. The matter was the subject of a two-day hearing before Judge Moira Macmillan in December 2020. The materials before Judge Macmillan included a schedule of agreed facts and an agreed bundle of evidence comprising 1665 pages. The Commissioner did not adduce evidence from any witness, but there were witness statements from both Mr Budhdeo and Mr Mayor, on behalf of DDL, and the former gave oral evidence.

In a decision dated 9 August 2021 and promulgated on 18 August 2021 (“the Decision”), Judge Macmillan allowed the appeal in part, reducing the penalty imposed on DDL from £275,000 to £92,000. DDL had accepted that it had failed to supply “data subjects” (as defined in section 3(5) of the DPA) with the information required by Articles 13 and/or 14 of the GDPR. Judge Macmillan also found DDL to have breached the GDPR in the other respects alleged by the Commissioner. Judge Macmillan rejected a suggestion by Mr Budhdeo that “most of the personal data recovered must have originated from care homes rather than DDL itself” and “concluded that DDL was the controller of data processed by JPL”: see paragraph 82 of the Decision. Judge Macmillan went on to say the following in paragraphs 83 to 86:

“83

I am further satisfied that JPL allowed at least some of the data processed on behalf of DDL to be stored in unlocked crates, and at least some of these were stacked in an outside yard before the documents were recovered, as a result of which some of the documents became wet. I find in addition that the yard was not an appropriately secure area in which to store personal data, due to the fact that the yard could be accessed by the occupants of and visitors to three residential flats, via fire escapes that as a matter of common sense must be readily accessible. The unlocked crates in the yard could also potentially be accessed by business visitors to the Property. I conclude from this that JPL’s methods of data storage was not appropriately secure and did not afford sufficient protection against accidental loss or destruction, and that this was a breach of the integrity and confidentiality requirements of Article 5(1)(f) for which DDL retained responsibility by virtue of Article 5(2).

84

I find in addition, on the balance of probabilities, that at the date of the search warrant JPL was storing personal data in a form that permitted identification of data subjects for longer than necessary. This is because the presence of personal data that was two or more years old indicates that not all data was destroyed when it was no longer required. DDL has confirmed that historic, hard copy documents were not required for record keeping purposes. Given the findings I have already made in relation to the provenance of these documents, and the absence of any evidence that the historic records had only been passed to JPL for destruction recently, I am satisfied that the retention of this data by JPL was a breach of the storage limitation requirements of Article 5(1)(e,) for which DDL also retained responsibility by virtue of Article 5(2). I note in addition that, other than Mr Budhdeo’s witness testimony, no contemporaneous evidence has been adduced to show when and how JPL securely destroyed personal data on DDL’s behalf.

85

I find that DDL’s failure to devise adequate data processing policies contributed to JPL’s breaches of relevant data processing requirements. In particular, I find that the absence of a retention policy and of a clear explanation by DDL of the processes JPL must follow when destroying personal data incidental to the destruction of medicinal waste must have contributed to JPL’s breaches as it was provided with no appropriate procedures to follow.

86

I conclude as a consequence that DDL’s responsibility for JPL’s breaches also amount to a breach of the requirements of Article 24(1), in that DL failed to implement appropriate and organisational measure to ensure that JPL’s processing was performed in accordance with the GDPR, as well as a breach of the requirements of Article 32, in that DDL failed to implement appropriate measure to ensure a level of security appropriate to the risks.”

Turning to whether any, and if so what, penalty should be imposed, Judge Macmillan said this in paragraphs 88 to 96 of the Decision:

“88

In accordance with the principles identified in Hope and Glory [i.e. R (Hope and Glory) v City of Westminster Magistrates’ Court [2011] EWCA Civ 31, [2011] 3 All ER 57] I have afforded appropriate weight to the Commissioner’s decision to issue an MPN [i.e. a penalty notice] but note that the level of penalty was predicated upon 500,000 documents having been seized. I have instead considered the appropriate level of penalty based on a finding that 66,638 documents containing personal data were recovered, 53,871 of which contained special category data.

89

I nevertheless reach the same conclusion as the Commissioner, in that the contraventions identified are sufficiently serious to justify issuing a penalty. However, in contrast to the approach taken by the Commissioner in the [Notice], I do not consider a breach of Article 24(1) to be a contravention in relation to which an MPN may be imposed under s. 155(1), because it is not a breach of GDPR listed in s. 149(2).

90

I adopt the Commissioner’s assessment of the factors set out in Article 83(2), other than her assessment of the number of data subjects affected by the contraventions which was based on the MHRA’s estimated figure of 500,000 documents. I note in particular the Commissioner’s conclusions as to the gravity of the breach and the risk of significant emotional distress being caused to a vulnerable group of data subjects were they to become aware of the contraventions. I also agree with the Commissioner’s conclusion that the serious breaches of the data processing principles occasioned by JPL’s activities were largely due to DDL’s negligence in relation to its Article 24(1) and Article 32 obligations.

91

I conclude as a consequence that issuing an MPN is an effective, proportionate and dissuasive response to DDL’s contraventions.

92

I note the statutory intention of both the GDPR and DPA is that a higher financial penalty should be imposed under this than other the predecessor legislation. Having considered the Commissioner’s statutory guidance and the circumstances of this case, I am satisfied that the Commissioner’s penalty assessment in the NOI [i.e. the notice of intent which the Commissioner issued in accordance with paragraph 2 of schedule 16 to the DPA] of £400,000 was appropriate given the facts as she understood them to be. I am further satisfied that her subsequent decision to reduce the penalty to £275,000 was appropriate in light of DDL’s financial position.

93

I agree that a person responsible for a serious contravention of the GDPR should not avoid a monetary penalty solely on the basis their financial position, since such a practice would undermine a key purpose of the legislation. However, financial hardship remains an important consideration in terms mitigation. I find that it has already been reflected in an appropriate manner in the MPN under appeal.

94

I am satisfied that the amount of the penalty imposed on DDL should be reduced further in light of the Tribunal’s conclusion that substantially fewer than 500,000 documents were recovered. However, 12,491 documents containing personal data and 53,871 documents containing special category data are still very large numbers of documents, and the significant aggravating factor that majority contained the personal data of highly vulnerable data subjects remains.

95

Given the gravity of the contraventions, my additional finding that DDL is responsible for a breach of Article 5(1)(e) obligations, and the long list of aggravating criteria identified in the MPN, I am satisfied that the level of the penalty imposed should not be reduced by a percentage based on solely on the lower numbers of documents.

96

Having taken all of these matters into consideration I have decided that the amount of the [Notice] should be reduced to £92,000, which is a reduction of approximately two thirds.”

DDL appealed to the Upper Tribunal (Administrative Appeals Chamber), but without success. In a decision issued on 1 June 2023, Upper Tribunal Judge Mitchell dismissed the appeal. DDL now challenges that decision in this Court. The parties, however, rightly focused on the Decision rather than Judge Mitchell’s analysis. What is at issue is essentially the approach taken by Judge Macmillan.

So far as relevant, Article 5 of the GDPR, which forms part of Chapter II and is headed “Principles relating to processing of personal information”, provides as follows:

“1.

Personal data shall be:

…

(e)

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed … (‘storage limitation’);

(f)

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2.

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

Articles 13 and 14 of the GDPR, which are headed respectively “Information to be provided where personal data are collected from the data subject” and “Information to be provided where personal data have not been obtained from the data subject”, oblige a controller to provide a data subject with certain information where personal data are collected.

Article 24 of the GDPR, which is headed “Responsibility of the controller”, states in Article 24(1):

“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”

Article 32 of the GDPR, which is headed “Security of processing”, requires the controller and processor to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, “[t]aking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.

Section 155(1) of the Data Protection Act 2018 (“the DPA”) empowers the Commissioner, by written notice, to require a person to pay a penalty if satisfied that the person “has failed or is failing as described in section 149(2), (3), (4) or (5)”. By section 155(2)(a), the Commissioner is in such a case required to have regard to the matters specified in Article 83(1) and (2) of the GDPR (now the “UK GDPR”) “when deciding whether to give a penalty notice to a person and determining the amount of the penalty”. As is explained in section 3(10) of the DPA, the “UK GDPR” means the GDPR “as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018”.

Section 149(2) of the DPA provides so far as relevant:

“The first type of failure is where a controller or processor has failed, or is failing, to comply with any of the following—

(a)

a provision of Chapter II of the GDPR [now ‘UK GDPR’] or Chapter 2 of Part 3 or Chapter 2 of Part 4 of this Act (principles of processing);

(b)

a provision of Articles 12 to 22 of the GDPR [now ‘UK GDPR’] or Part 3 or 4 of this Act conferring rights on a data subject;

(c)

a provision of Articles 25 to 39 of the GDPR [now ‘UK GDPR’] or section 64 or 65 of this Act (obligations of controllers and processors) ….”

Article 83 of the GDPR, which is headed “General conditions for imposing administrative fines”, states so far as relevant:

“1.

Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2.

Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a)

the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b)

the intentional or negligent character of the infringement;

(c)

any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d)

the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e)

any relevant previous infringements by the controller or processor;

(f)

the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g)

the categories of personal data affected by the infringement;

(h)

the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i)

where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j)

adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k)

any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”

Section 162 of the DPA entitles a person who is given a penalty notice to appeal to the FTT.

Section 163 of the DPA, headed “Determination of appeals”, provides as follows:

“(1)

Subsections (2) to (4) apply where a person appeals to the Tribunal under section 162(1) or (3).

(2)

The Tribunal may review any determination of fact on which the notice or decision against which the appeal is brought was based.

(3)

If the Tribunal considers—

(a)

that the notice or decision against which the appeal is brought is not in accordance with the law, or

(b)

to the extent that the notice or decision involved an exercise of discretion by the Commissioner, that the Commissioner ought to have exercised the discretion differently,

the Tribunal must allow the appeal or substitute another notice or decision which the Commissioner could have given or made.

(4)

Otherwise, the Tribunal must dismiss the appeal ….”

It was common ground both before us and before the Upper Tribunal and FTT that “an appeal under s. 163 gives rise to a full merits review of the decision under appeal” (to quote from paragraph 35 of the Decision). As Judge Macmillan observed in paragraph 36:

“when taking a fresh decision, the Tribunal is not required to undertake a reasonableness review of the [Commissioner’s] decision, but instead must decide whether it would itself reach the same decision based on the evidence now before it”.

That that is the correct approach is borne out by Central London Community Healthcare NHS Trust v Information Commissioner [2013] UKUT 551 (AAC), (2014) 136 BMLR 61. In that case, Upper Tribunal Judge Wikeley considered the implications of section 49 of the Data Protection Act 1998, which section 163 of the DPA substantially mirrors. In paragraph 50, Judge Wikeley characterised an appeal to which section 49 of the 1998 Act applied as “an appeal by way of a full merits review” and rejected any suggestion that “one party to an appeal should be given some sort of evidential head start in an appeal”. Judge Wikeley further noted, in paragraph 51, that section 49 was in essentially in the same terms as section 58(1) of the Freedom of Information Act 2000, in respect of which Upper Tribunal Judge Jacobs had in Information Commissioner v Home Office [2011] UKUT 17 (AAC), at paragraph 58, referred to the FTT deciding “independently and afresh”.

Article 51 of the UK GDPR makes the Commissioner responsible for “monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data”. By Article 52, the Commissioner is to “act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation”, must “remain free from external influence, whether direct or indirect,” and “shall neither seek nor take instructions from anybody”.

Section 115 of the DPA provides for the Commissioner’s “general functions” to include the “Tasks” specified in Article 57 of the UK GDPR. Those “Tasks” include these:

“(a)

monitor and enforce the application of this Regulation;

(b)

promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing … ;

…

(d)

promote the awareness of controllers and processors of their obligations under this Regulation;

… ; and

(v)

fulfil any other tasks related to the protection of personal data.”

By section 160 of the DPA, the Commissioner must produce and publish guidance about how he proposes to exercise his functions in connection with, among other things, penalty notices. Section 161 provides for such guidance to be laid before Parliament and to come into force only in the absence of a resolution of either House of Parliament not to approve it.

At the relevant time, the Commissioner’s guidance on penalty notices was set out in the “Regulatory Action Policy” published in November 2018. This explained that the Commissioner would approach setting any penalty level on the basis of the following mechanism:

“Step 1. An ‘initial element’ removing any financial gain from the breach.

Step 2. Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) of the DPA.

Step 3. Adding in an element to reflect any aggravating factors.

Step 4. Adding in an amount for deterrent effect to others.

Step 5. Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship).”

“Generally”, it was said, “the amount will be higher where … vulnerable individuals or critical national infrastructure are affected”.

DDL was granted permission to appeal on two grounds. These are to the following effect:

I shall take these matters in turn.

Judge Macmillan said the following as regards the burden of proof in paragraph 38 of the Decision:

“I conclude … that to a limited extent the burden of proof is of secondary importance in the context of a full merits review. However, when the appeal is against a penalty imposed in response to perceived infringements, I am satisfied that there must also be an initial evidential burden imposed upon the decision maker who is required to prove that the infringement has taken place. As a matter of common sense, this evidential burden must shift to the other party once evidence of the infringements has been introduced.”

Mr Philip Coppel KC, who appeared for DDL with Mr Rowan Clapp, took issue with Judge Macmillan’s approach in this respect. He argued that the burden was on the Commissioner to satisfy the FTT that DDL had “failed … as described in section 149(2) [of the DPA]” (so that section 155(1)(a) applied) and that it was appropriate for it to impose any, and if so what, penalty.

The most helpful authority on this issue is, I think, Khan v Customs and Excise Commissioners [2006] EWCA Civ 89, [2006] STC 1167 (“Khan”). In that case, Customs and Excise had concluded that Mr Khan, who had a dry cleaning business, should have been registered for value added tax (“VAT”) and imposed a penalty calculated by reference to the amount of VAT which was thought to have been evaded. Mr Khan appealed pursuant to section 83 of the Value Added Tax Act 1994. Carnwath LJ, who gave the leading judgment in the Court of Appeal, noted that section 60(7) of the 1994 Act provided that, on an appeal against an assessment to a penalty, the burden of proof as regards intention to evade VAT and dishonesty lay on Customs and Excise. That apart, however, Carnwath LJ considered that Mr Khan bore the burden of proof.

Carnwath LJ explained as follows:

“[70]  … [T]he general principle, in my view, is that, where a statute gives a right of appeal against enforcement action taken by a public authority, the burden of establishing the grounds of appeal lies on the person appealing.

[71]  That principle is well-established in other statutory contexts, particularly where the relevant facts are peculiarly within the knowledge of the person appealing. For example, a local planning authority may serve an enforcement notice if it ‘appears’ that there has been a breach of planning control. The owner can appeal against the notice on various grounds, which may, for example, include a denial of the acts complained of, or a claim that permission is not required. It has long been clear law that the burden of proof rests on the appellant. That was confirmed recently in this court in Hill v Secretary of State for Transport, Local Government and the Regions [2003] EWCA Civ 1904. Buxton LJ said (at [43]–[44]):

‘[43] The appellant accepted that there is a longstanding decision in planning law, Nelsovil Ltd v Minister of Housing and Local Government [1962] 1 WLR 404, [1962] 1 All ER 423, which has been generally regarded as placing the burden of proof on the appellant in an enforcement notice appeal. That view was developed in the leading judgment of Widgery J and pungently summarised by Slade J at page 409 of the report: “It is a novel proposition to me that an appellant does not have to prove his case.”

[44] … The general principle that the appellant must prove his case seems to be unassailable …’

[72]  It is true that both Nelsovil and Hill were planning cases, but the statements in the former were expressed quite generally. There may of course be something in the nature of the appeal, or the statutory context, which requires a different approach ….

[73]  The ordinary presumption, therefore, is that it is for the appellant to prove his case. That approach seems to me to be the correct starting-point in relation to the other categories of appeals with which we are concerned under s 83 of the 1994 Act, including the appeal against a civil penalty. The burden rests with the appellant except where the statute has expressly or impliedly provided otherwise. Thus, the burden of proof clearly rests on Customs to prove intention to evade VAT and dishonesty. In addition, in most cases proof of intention to evade is likely to depend partly on proof of the fact of evasion, and for that purpose Customs will need to satisfy at least the tribunal that the threshold has been exceeded. But, as to the precise calculation of the amount of tax due, in my view, the burden rests on the appellant for all purposes.”

In paragraph 74, Carnwath LJ said that that view was reinforced by a number of considerations, including these:

“(i)

it is the appellant who knows, or ought to know, the true facts; (ii) s 60(7) makes express provision placing the burden on Customs in relation to specified matters. This suggests that the draftsman saw it as an exception to the ordinary rule, and seems inconsistent with an implied burden on Customs in respect of other matters; … (vi) to reverse the burden of proof would make the penalty regime unworkable in many cases. In a case such as the present, a ‘best of judgment’ assessment is needed precisely because the potential taxpayer has failed to keep proper records, so that positive proof in the sense required in the ordinary civil courts is not possible. The assessment may be no more than an exercise in informed guesswork. Indeed to put the burden on Customs would tend to favour those who have kept no records at all, as against those who have kept records, which are merely inadequate, but may be enough to give rise to an inference on the balance of probabilities.”

Earlier in his judgment, at paragraph 69, Carnwath LJ had cited Brady (Inspector of Taxes) v Group Lotus Car Companies plc [1987] 3 All ER 1050 (“Brady”) as authority for the proposition that the burden of proof on an appeal against a “best of judgment” assessment “does not change merely because allegations of fraud may be involved”. Brady concerned estimated assessments to corporation tax. The General Commissioners had taken the view that the assessments could be justified only if there had been fraud on the part of the taxpayer companies, that the onus was on the Inland Revenue to prove the fraud and that they had failed to discharge that burden: see 1054. That decision was, however, overturned on appeal. In the Court of Appeal, Dillon LJ said at 1055 that “[w]here the assessments are made in time, … the burden lies on the taxpayer from the start to displace the assessments”. Balcombe LJ similarly considered that “the burden of proof remained on the taxpayer companies throughout”: see 1062.

The third member of the Court, Mustill LJ, concurred on this aspect of the case while dissenting on another issue. Mustill LJ observed at 1059 that the term “evidentiary burden of proof” “simply expresses a notion of practical common sense and is not a principle of substantive or procedural law”. He went on:

“It means no more than this, that during the trial of an issue of fact there will often arrive one or more occasions when, if the judge were to take stock of the evidence so far adduced, he would conclude that, if there were to be no more evidence, a particular party would win. It would follow that, if the other party wished to escape defeat, he would have to call sufficient evidence to turn the scale. The identity of the party to whom this applies may change and change again during the hearing and it is often convenient to speak of one party or the other as having the evidentiary burden at a given time. This is, however, no more than shorthand, which should not be allowed to disguise the fact that the burden of proof in the strict sense will remain on the same party throughout, which will almost always mean that the party who relies on a particular fact in support of his case must prove it. I do not see how this fact of forensic life bears on the present case.”

Turning to the case before him, Mustill LJ said this at 1059:

“It may well be that, if the taxpayer companies’ version does not correspond with the true facts, it must follow that someone was guilty of fraud. This does not mean that, by traversing the taxpayer companies’ case, the Revenue have taken on the burden of proving fraud. Naturally, if they produce no cogent evidence or argument to cast doubt on the taxpayer companies’ case, the taxpayer companies will have a greater prospect of success. But this has nothing to do with the burden of proof, which remains on the taxpayer companies because it is they who, on the law as it has stood for many years, are charged with the task of falsifying the assessment. The contention that, by traversing the taxpayer companies’ version, the Revenue are implicitly setting out to prove a loss by fraud overlooks the fact that, in order to make good their case, the Revenue need only produce a situation where the commissioners are left in doubt. In the world of fact there may be only two possibilities: innocence or fraud. In the world of proof there are three: proof of one or other possibility and a verdict of not proven. The latter will suffice, so far as the Revenue are concerned.”

An appellant was also held to have the burden of showing the order under appeal to be wrong in R (Hope and Glory) v City of Westminster Magistrates’ Court [2011] EWCA Civ 31, [2011] 3 All ER 579 (“Hope and Glory”). That case involved an appeal to the Magistrates’ Court from a decision of Westminster City Council’s licensing sub-committee. Toulson LJ, giving the judgment of the Court of Appeal, said:

“[48]  It is normal for an appellant to have the responsibility of persuading the court that it should reverse the order under appeal, and the [Magistrates’ Courts Rules 1981] envisage that this is so in the case of statutory appeals to magistrates’ courts from decisions of local authorities. We see no indication that Parliament intended to create an exception in the case of appeals under [the Licensing Act 2003].

[49]  We are also impressed by [counsel for the Council’s] point that in a case such as this, where the licensing sub-committee has exercised what amounts to a statutory discretion to attach conditions to the licence, it makes good sense that the licensee should have to persuade the magistrates’ court that the sub-committee should not have exercised its discretion in the way that it did rather than that the magistrates’ court should be required to exercise the discretion afresh on the hearing of the appeal.”

More recently, the Court of Appeal followed Brady and Khan in Awards Drinks Ltd v Revenue and Customs Commissioners [2021] EWCA Civ 1235, [2021] STC 1576. That case involved an appeal against “best of judgment” assessments to VAT under section 73 of the Value Added Tax Act 1994. Henderson LJ said in paragraph 37:

“Brady was a case about direct taxation, not VAT, but I can see no reason why the same principles should not apply to a ‘best of judgment’ assessment to VAT made under s 73 of VATA 1994. The guidance given by Carnwath LJ in the Khan case may have been technically obiter on this point, but he regarded the position on an appeal against such an assessment as ‘well-established’ and cited Brady with apparent approval. In my respectful view, he was clearly right to do so.”

In the present case, Mr Coppel argued that, while the DPA does not expressly provide for the Commissioner to bear the burden of proof on an appeal under section 163, it so provides impliedly. A distinction is to be drawn, he suggested, between a case in which a person is challenging the refusal of a benefit (such as Hope and Glory) and one in which the challenge is to the imposition of a penalty (such as this one). In a case of the former kind, Mr Coppel submitted, it is for the person seeking the benefit to show why he should have it. Where, on the other hand, what is at issue is the imposition of a penalty, it is for the body propounding it to justify it, Mr Coppel contended. For the burden of proof to be on a party appealing against a penalty imposed by the Commissioner would also, Mr Coppel said, be inconsistent with the principle that an appeal under section 163 of the DPA is a “full merits review” in which neither party has an “evidential head start”.

In my view, however, the burden of proof lies on the appellant in an appeal against the imposition of a penalty under section 155 of the DPA. The Commissioner must before raising a penalty notice be satisfied that one of the conditions specified in section 155(1)(a) and (b) is met and that it is appropriate to require the person to pay the penalty. Where, however, the recipient of a penalty notice appeals under section 163, it seems to me to be incumbent on him to persuade the FTT that the penalty should not stand. Carnwath LJ explained in Khan that the “general principle … is that, where a statute gives a right of appeal against enforcement action taken by a public authority, the burden of establishing the grounds of appeal lies on the person appealing” and that the “ordinary presumption … is that it is for the appellant to prove his case”: see paragraphs 71 and 73. Far from suggesting that this “general principle” is limited to challenges to the refusal of benefits as opposed to the imposition of penalties, Carnwath LJ explained that it applies to enforcement notices served in respect of breaches of planning control and that he considered the approach to be the correct starting-point in relation to an appeal against a civil penalty. As regards the latter, the burden was on Customs to establish tax evasion and dishonesty, but that was because section 60(7) of the 1994 Act expressly so provided. Further, in the present context, as in Khan, “it is the appellant who knows, or ought to know, the true facts”. The Commissioner did not, of course, witness the documents coming into DDL’s hands or crates, boxes or bags being placed in the yard at the Property: she was working from what the MHRA found. DDL, however, should be aware of how it came to have the documentation and the circumstances in which at least some of it was put in the yard. That DDL should be in a position to explain matters is the clearer because Article 5(2) of the GDPR (now the UK GDPR) provides for a controller to “be responsible for, and be able to demonstrate compliance with paragraph 1”.

Moreover, the fact that the FTT considers matters “afresh” on an appeal under section 163 of the DPA is not inconsistent with the appellant bearing the burden of proof. In an ordinary civil dispute, the scales are not weighted in favour of either party, but one of them (commonly, the claimant) will nonetheless have the burden of proof. That means that, where the Court cannot say which party’s case is the more probable, it will decide against the party with the burden of proof. In practice, the burden of proof rarely matters: the Court is able to make a finding on the balance of probabilities. What is significant for present purposes, however, is that the existence of a burden of proof is compatible with a hearing in which matters are looked at afresh, without preconceptions.

In my view, the burden of proof on an appeal against a penalty notice is throughout on the appellant. What is referred to as the “evidential burden of proof” signifies that, “that during the trial of an issue of fact there will often arrive one or more occasions when, if the judge were to take stock of the evidence so far adduced, he would conclude that, if there were to be no more evidence, a particular party would win” (to quote from Mustill LJ in Brady). However, the “the burden of proof in the strict sense” will remain on the appellant.

It follows that there can be no question of Judge Macmillan’s approach to the burden of proof having been unfavourable to the appellant. She proceeded on the basis that “the burden of proof is of secondary importance in the context of a full merits review”. That reflected the reality: the FTT will normally be able to decide whether a penalty is justified without resort to the burden of proof. Where, however, that is not the case, the burden is on the appellant, not (contrary to DDL’s contention) the Commissioner.

In any event, the burden of proof did not play any significant part in the Decision. Judge Macmillan made findings as to what was likely to have happened, placing no reliance on where the burden of proof lay. Considering that Mr Budhdeo’s suggestion that “most of the personal data recovered must have originated from care homes rather than DDL itself” was “improbable”, she “concluded” that DDL was the controller of data processed by JPL: see paragraph 82 of the Decision. In the paragraphs of the Decision that followed, without once mentioning the burden of proof, she recorded points on which she was “satisfied”, as to which she had “concluded” and in respect of which she was making findings. There is no indication, either, that she attached any significance to the incidence of the burden of proof when she was arriving at her conclusions in paragraphs 88 to 96 as to what, if any, penalty was appropriate.

In the circumstances, I do not accept the first ground of appeal.

Judge Macmillan noted in paragraph 37 of the Decision that the Court of Appeal had decided in Hope and Glory that “‘careful attention’ should be paid to the reasons given by an original decision-maker, bearing in mind that Parliament had entrusted it with making such decisions”, but that “the weight to be attached to the original decision when hearing an appeal is a matter of judgment for the Tribunal, ‘taking into account the fullness and clarity of the reasons, the nature of the issues and the evidence given in the appeal’”. In paragraph 88, Judge Macmillan said that, “[i]n accordance with the principles identified in Hope and Glory”, she had “afforded appropriate weight to the Commissioner’s decision to issue [a penalty notice]”.

Mr Coppel challenged Judge Macmillan’s approach. He argued that she should not have attached any weight to the Commissioner’s decision but could be seen to have done so. Giving “careful attention” to a regulator’s decision, Mr Coppel said, gives the impression of a tilted balance such that there is a predisposition to uphold the decision under appeal. That, Mr Coppel submitted, is antithetical to the FTT’s role, and unfair.

On this aspect of the case, we were referred to Hope and Glory, Huang v Home Secretary [2007] UKHL 11, [2007] 2 AC 167 (“Huang”), Hesham Ali v Home Secretary [2016] UKSC 60, [2016] 1 WLR 4799 (“Hesham Ali”) and MS (Pakistan) v Home Secretary [2020] UKSC 9, [2020] 1 WLR 1373 (“MS (Pakistan)”). In Hope and Glory, one of the issues was how much weight the District Judge sitting in the Magistrates’ Court had been entitled to give to the decision of the licensing sub-committee: see paragraph 39. Toulson LJ said in paragraph 40 that the Court did “not consider that it is possible to give a formulaic answer” to that (“first”) question because “it may depend on a variety of factors: the nature of the issue, the nature and quality of the reasons given by the licensing authority and the nature and quality of the evidence on the appeal”. In paragraph 45, Toulson LJ concluded:

“Given all the variables, the proper conclusion to the first question can only be stated in very general terms. It is right in all cases that the magistrates’ court should pay careful attention to the reasons given by the licensing authority for arriving at the decision under appeal, bearing in mind that Parliament has chosen to place responsibility for making such decisions on local authorities. The weight which magistrates should ultimately attach to those reasons must be a matter for their judgment in all the circumstances, taking into account the fullness and clarity of the reasons, the nature of the issues and the evidence given on the appeal.”

In Huang, the appellants were seeking to remain in the United Kingdom on the basis that their removal would violate article 8 of the European Convention of Human Rights (“the ECHR”). The Immigration and Asylum Act 1999 provided for an appeal to an adjudicator in such a case, and paragraphs 21 and 22 of part III of schedule 4 to that Act, which applied in relation to such an appeal, corresponded very closely to what is now section 163 of the DPA. In paragraph 11 of Huang, Lord Bingham explained that the task of an adjudicator on an appeal of that kind was “to decide whether the challenged decision is unlawful as incompatible with a Convention right or compatible and so lawful”: the adjudicator does not have “a secondary, reviewing, function dependent on establishing that the primary decision-maker misdirected himself or acted irrationally or was guilty of procedural impropriety” but “must decide for itself whether the impugned decision is lawful and, if not, but only if not, reverse it”. That being so, the adjudicator’s first task was “to establish the relevant facts”: see paragraph 15. However, “the judgment of the primary decision-maker, on the same or substantially the same factual basis, is always relevant and may be decisive”: see paragraph 12. Further, Lord Bingham said this in paragraph 16:

“The authority [be it, adjudicator, Immigration Appeal Tribunal or immigration judge] will wish to consider and weigh all that tells in favour of the refusal of leave which is challenged, with particular reference to justification under article 8(2). There will, in almost any case, be certain general considerations to bear in mind: the general administrative desirability of applying known rules if a system of immigration control is to be workable, predictable, consistent and fair as between one applicant and another; the damage to good administration and effective control if a system is perceived by applicants internationally to be unduly porous, unpredictable or perfunctory; the need to discourage non-nationals admitted to the country temporarily from believing that they can commit serious crimes and yet be allowed to remain; the need to discourage fraud, deception and deliberate breaches of the law; and so on. In some cases much more particular reasons will be relied on to justify refusal, as in Samaroo v Secretary of State for the Home Department [2002] INLR 55 where attention was paid to the Secretary of State’s judgment that deportation was a valuable deterrent to actual or prospective drug traffickers, or R (Farrakhan) v Secretary of State for the Home Department [2002] QB 1391, an article 10 case, in which note was taken of the Home Secretary’s judgment that the applicant posed a threat to community relations between Muslims and Jews and a potential threat to public order for that reason. The giving of weight to factors such as these is not, in our opinion, aptly described as deference: it is performance of the ordinary judicial task of weighing up the competing considerations on each side and according appropriate weight to the judgment of a person with responsibility for a given subject matter and access to special sources of knowledge and advice. That is how any rational judicial decision-maker is likely to proceed. It is to be noted that both Samaroo and Farrakhan (cases on which the Secretary of State seeks to place especial reliance as examples of the court attaching very considerable weight to decisions of his taken in an immigration context) were not merely challenges by way of judicial review rather than appeals but cases where Parliament had specifically excluded any right of appeal.”

Lord Reed cited both Huang and Hope and Glory in a judgment with which Lord Neuberger, Lord Thomas, Baroness Hale, Lord Kerr, Lord Wilson and Lord Hughes agreed in Hesham Ali. In that case, a person against whom a deportation order had been made had appealed against it to the First-tier Tribunal on the ground that it was incompatible with his rights under the ECHR. At the time, the circumstances in which such an appeal should be allowed were set out in section 86 of the Nationality, Immigration and Asylum Act 2002 (“the 2002 Act”) in terms which resembled those now found in section 163 of the DPA. At paragraph 8, Lord Reed noted that the Tribunal “reaches its decision after hearing evidence, and on the basis of its own findings as to the facts” and that its task “is not merely to review the decision made by the Secretary of State”.

In paragraph 44 of Hesham Ali, Lord Reed referred to, and quoted, paragraph 16 of Lord Bingham’s opinion in Huang. He then said this:

“45.

It may be helpful to say more about this point. Where an appellate court or tribunal has to reach its own decision, after hearing evidence, it does not, in general, simply start afresh and disregard the decision under appeal. That was made clear in Sagnata Investments Ltd v Norwich Corpn [1971] 2 QB 614, concerned with an appeal to quarter sessions against a licensing decision taken by a local authority. In a more recent licensing case, R (Hope and Glory Public House Ltd) v City of Westminster Magistrates’ Court [2011] PTSR 868, para 45, Toulson LJ put the matter in this way:

‘It is right in all cases that the magistrates’ court should pay careful attention to the reasons given by the licensing authority for arriving at the decision under appeal, bearing in mind that Parliament has chosen to place responsibility for making such decisions on local authorities. The weight which magistrates should ultimately attach to those reasons must be a matter for their judgment in all the circumstances, taking into account the fullness and clarity of the reasons, the nature of the issues and the evidence given on the appeal.’

46.

These observations apply a fortiori to tribunals hearing appeals against deportation decisions. The special feature in that context is that the decision under review has involved the application of rules which have been made by the Secretary of State in the exercise of a responsibility entrusted to her by Parliament, and which Parliament has approved. It is the duty of appellate tribunals, as independent judicial bodies, to make their own assessment of the proportionality of deportation in any particular case on the basis of their own findings as to the facts and their understanding of the relevant law. But, where the Secretary of State has adopted a policy based on a general assessment of proportionality, as in the present case, they should attach considerable weight to that assessment: in particular, that a custodial sentence of four years or more represents such a serious level of offending that the public interest in the offender’s deportation almost always outweighs countervailing considerations of private or family life; that great weight should generally be given to the public interest in the deportation of a foreign offender who has received a custodial sentence of more than 12 months; and that, where the circumstances do not fall within paragraphs 399 or 399A [of the Immigration Rules], the public interest in the deportation of such offenders can generally be outweighed only by countervailing factors which are very compelling ….”

Huang was also cited in MS (Pakistan), another immigration case. MS (Pakistan) raised an issue as to the significance of a decision reached under the “National Referral Mechanism” (or “NRM”) in the context of an appeal under the 2002 Act on the ground that removal from the United Kingdom would be incompatible with the ECHR. The Home Secretary’s position was that “when determining an appeal that removal would breach rights protected by the ECHR, the tribunal is required to determine the relevant factual issues for itself on the basis of the evidence before it, albeit giving proper consideration and weight to any previous decision of the defendant authority”: see paragraph 11. Baroness Hale, with whom Lord Kerr, Lady Black, Lord Lloyd-Jones and Lord Briggs agreed, said in paragraph 15:

“It is thus apparent that ‘the proper consideration and weight’, which the Secretary of State says should be given to any previous decision of the authority, will depend upon the nature of the previous decision in question and its relevance to the issue before the tribunal. The decision of the competent authority under the NRM process was an essentially factual decision and, for the reasons given, both the FTT and the UT were better placed to decide whether MS was the victim of trafficking than was the authority.”

Hope and Glory, Huang, Hesham Ali and MS (Pakistan) thus show that, even where an appellate body is charged with deciding something for itself, it can potentially be proper for it to attach weight to views expressed by the decision-maker from whom the appeal is brought. In Hope and Glory, Toulson LJ spoke of the Magistrates’ Court paying “careful attention to the decision under appeal, bearing in mind that Parliament has chosen to place responsibility for making such decisions on local authorities”. In Huang, Lord Bingham referred to “according appropriate weight to the judgment of a person with responsibility for a given subject matter and access to special sources of knowledge and advice”, citing in particular judgments by the Home Secretary as to whether deportation was “a valuable deterrent” and whether an applicant “posed a threat to community relations”. In Hesham Ali, Lord Reed said that, “[w]here an appellate court or tribunal has to reach its own decision, after hearing evidence, it does not, in general, simply start afresh and disregard the decision under appeal” and, specifically, that, in circumstances where “the decision under review has involved the application of rules which have been made by the Secretary of State in the exercise of a responsibility entrusted to her by Parliament, and which Parliament has approved”, appellate tribunals should “attach considerable weight” to the assessment of proportionality on which the Home Secretary has based a policy relating to deportation.

Mr Coppel argued that these cases are all distinguishable from the present one. What was under appeal in Hope and Glory, he pointed out, was a decision made by councillors answerable to their constituents; the Commissioner, in contrast, is unelected. As for Huang, Hesham Ali and MS (Pakistan), they all related to immigration where policy-driven decisions are made by a Minister answerable to both Parliament and the electorate. Not only is the Commissioner not in a comparable position, but the DPA and (UK) GDPR detail the matters to be taken into account when deciding on penalties. While, therefore, there could be no complaint about a Tribunal looking at a penalty notice, it cannot properly attach weight to views expressed in it as such, Mr Coppel contended.

On the other hand, the Commissioner is charged by the DPA and UK GDPR with monitoring and enforcing the UK GDPR and promoting the awareness of controllers, processors and the public. He is required, too, to produce and publish guidance relating to penalty notices which is laid before Parliament. He will also have knowledge of the amounts of, and reasons for, penalties other than the particular penalty under challenge on an appeal.

As Mr Coppel stressed, the Judges appointed to sit in the FTT can be expected to be familiar with the law and practice related to data protection. Even so, it seems to me that, given the particular role of the Commissioner, it can potentially be lawful for the FTT, in determining an appeal from the imposition of a penalty, to give some weight to the fact that a view was expressed in a penalty notice.

I doubt whether that could ever be the case with an issue as to whether a person “has failed or is failing as described in section 149(2), (3), (4) or (5)” (as described in section 155(1)(a) of the DPA). To the extent that the point turned on the facts, the FTT would have to make up its own mind on the basis of the evidence before it. Nor could an argument as to the law gain any extra weight because it had been incorporated in the penalty notice. There could, of course, be no objection to the FTT adopting a contention advanced in the penalty notice if it found it convincing, but the fact that the source was the Commissioner could not improve it. The FTT would be endorsing it because it assessed it as correct, not because the Commissioner had put it forward. A legal argument will be no better (or worse) on account of being presented by the Commissioner.

Depending on the particular facts, however, the position may be different at the stage when the FTT is deciding whether to impose a penalty and, if so, in what sum. In that context, it seems to me that it can sometimes be proper for the FTT to attach weight to the fact that something said in a penalty notice was informed by the knowledge and expertise of an individual to whom Parliament has given functions and responsibilities as regards data protection. While the FTT must beware of attaching too much importance to the contents of a penalty notice, I do not think that it must necessarily treat the fact that a view expressed in a penalty notice emanated from the Commissioner as without significance. To the contrary, it can, I think, be open to the FTT to see things said in a penalty notice as relevant to the exercise of its discretion.

More specifically, in a case such as the present regard is be had to the matters specified in Article 83(1) and (2) of the (UK) GDPR. By Article 83(1), penalties are to be “effective, proportionate and dissuasive”, while Article 83(2) requires due regard to be given to, among other things, “the nature, gravity and duration of the infringement” taking into account “the number of data subjects affected and the level of damage suffered by them”. The FTT may possibly consider observations in a penalty notice relating to these matters to be of significance. It may be open to the FTT to take the view that the Commissioner’s role and experience are such as to have given him insight into what penalty would be “effective”, “dissuasive” and in keeping with penalties imposed in other cases. Likewise, the FTT might possibly think that the Commissioner was in a position to comment usefully on, say, “gravity” and harm.

So far as the present case is concerned, it is not wholly clear to what extent Judge Macmillan gave weight to things said in the Notice. There is no reason to suppose that she did so in deciding that DDL had failed to comply with Articles 5, 13, 14, 24 and 32 of the GDPR. When, in contrast, she turned to what (if any) penalty should be imposed, she explained that she had “afforded appropriate weight to the Commissioner’s decision to issue [a penalty notice]”. In at least much of what follows, however, Judge Macmillan appears to have been doing no more than adopting arguments that she found persuasive. That seems to be the case, for example, as regards Judge Macmillan’s “agree[ing] with the Commissioner’s conclusion that the serious breaches of the data processing principles occasioned by JPL’s activities were largely due to DDL’s negligence in relation to its Article 24(1) and Article 32 obligations” and, at any rate largely, with her “adopt[ing] the Commissioner’s assessment of the factors set out in Article 83(2)”. There is, moreover, no question of Judge Macmillan having endorsed the Commissioner’s analysis uncritically. Thus, she rejected both the idea that breach of Article 24(1) was material and the Commissioner’s assessment of the number of data subjects affected by DDL’s contraventions of the GDPR.

Judge Macmillan spoke in paragraph 90 of the Decision of “not[ing] in particular the Commissioner’s conclusions as to the gravity of the breach and the risk of significant emotional distress being caused to a vulnerable group of data subjects were they to become aware of the contraventions”. It may be that, once again, she was merely agreeing with what the Commissioner had said. If, however, she went further than that, and attached weight to the Commissioner’s conclusions as such, that was not objectionable. It was open to her to do so.

It follows that, in my view, the second ground of appeal fails.

I would dismiss the appeal.