The first UK GDPR fine has been issued by the Information Commissioner’s Office (ICO). A fine of £275,000 was issued to Doorstep Dispensaree Ltd, a pharmacy based in London which supplies medicine to care homes.
The fine was issued on 20th December 2019 following an investigation by the Medicines and Healthcare products Regulatory Agency (MHRA). Although the MHRA was investigating other matters, its inspectors found an estimated 500,000 documents containing personal data left unsecured in an outside courtyard at the pharmacy's premises.
The documents were found in storage crates, a cardboard box, and disposal bags. According to a report from Mondaq:
These were neither secure nor marked as confidential waste. Although the courtyard where the documents were found was locked, it could still be accessed from residential flats via a fire escape, leaving the documents vulnerable to potential unauthorised or unlawful access. The ICO also confirmed that some of the documents were found to be “soaking wet, indicating that they had been stored in this way for some time” and that this “careless” storage failed to protect the documents from accidental loss or damage.
The personal data included care home patients' names, addresses, dates of birth, NHS numbers, medical information and prescriptions. Information relating to an individual's health is special category personal data under Article 9 of the GDPR, and its sensitivity requires more stringent security measures than ordinary personal data. Consequently, the pharmacy's failure to ensure appropriate security for this data was considered a serious breach of the GDPR.
There are many important things to note from this first UK GDPR fine:
- While £275,000 is a significantly greater fine than anything issued pre-GDPR, it is far short of the maximum possible (the higher of €20 million or 4% of annual worldwide turnover). This is because the ICO took into consideration the size and financial position of Doorstep Dispensaree Ltd in order to make the fine "effective, proportionate and dissuasive".
- There was no evidence that the data had actually been accessed or taken; the fine was issued because the data was stored in an insecure way that was non-compliant with GDPR. The ICO is not merely looking at breaches, but at overall compliance.
- GDPR applies not only to data stored digitally, but to hard copies as well. Physical documents must be stored safely and securely, and properly disposed of when no longer needed.
- Data controllers are required to protect data against damage and accidental loss, not only against unauthorised access. Quite apart from the security questions, storing documents outdoors in a cardboard box clearly does not adequately protect them from damage.
- According to a report from Lexology: "The Commissioner noted that the pharmacy's data protection documents were out of date, inadequate or were generic templates. They did not have a retention policy." So there were other failings at the pharmacy, which showed little evidence of GDPR compliance overall.
Our GDPR Consultants can always advise an organisation about what they must do to become GDPR compliant. If Doorstep Dispensaree Ltd had obtained external, professional advice about data protection, they might have been able to avoid this fine.
If you have any concerns about compliance at your organisation, get in touch with us today and we’ll work with you on your data protection programme.