The first UK GDPR fine has been issued by the Information Commissioner’s Office (ICO). A fine of £275,000 was issued to Doorstep Dispensaree Ltd, a pharmacy based in London which supplies medicine to care homes.
The fine was issued on 20th December 2019 after an investigation by the Medicines and Healthcare products Regulatory Agency (MHRA). Although the MHRA was investigating other issues, they found an estimated 500,000 documents containing personal data left unsecured in an outside courtyard at the pharmacy’s premises.
The documents were apparently found in storage crates, a cardboard box, and disposal bags. According to a report from mondaq:
These were neither secure nor marked as confidential waste. Although the courtyard where the documents were found was locked, it could still be accessed from residential flats via a fire escape, leaving the documents vulnerable to potential unauthorised or unlawful access. The ICO also confirmed that some of the documents were found to be “soaking wet, indicating that they had been stored in this way for some time” and that this “careless” storage failed to protect the documents from accidental loss or damage.
The personal data included care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions. As information relating to an individual’s health is classified as special category personal data under the GDPR, its sensitivity requires more stringent security measures to be in place to provide additional protection. Consequently, the pharmacy’s failure to ensure appropriate security for this data was considered to be a serious breach of the GDPR.
There are many important things to note from this first UK GDPR fine:
- While £275,000 is a significantly greater fine than anything issued pre-GDPR, it is also far short of the maximum possible. This is because the ICO has taken into consideration the size and financial position of Doorstep Dispensaree Ltd to make the fine “effective, proportionate and dissuasive”.
- There is no evidence that anyone actually accessed or took the data; the fine was for storing it in an insecure way that did not comply with GDPR. The ICO is not merely looking at breaches, but at overall compliance.
- GDPR does not only apply to data stored digitally, but hard copies as well. Physical documents should be stored safely and securely, and properly disposed of as well.
- Data controllers are required to protect data against damage or accidental loss as well as against unauthorised access; quite apart from the security question, storing documents outside in a cardboard box plainly does not protect them from damage.
- According to a report from Lexology: “The Commissioner noted that the pharmacy’s data protection documents were out of date, inadequate or were generic templates. They did not have a retention policy.” So there were other failings at the pharmacy, which showed little compliance with GDPR in any way.
Our GDPR Consultants can always advise an organisation about what they must do to become GDPR compliant. If Doorstep Dispensaree Ltd had obtained external, professional advice about data protection, they might have been able to avoid this fine.
If you have any concerns about compliance at your organisation, get in touch with us today and we’ll work with you on your data protection programme.
Regus, an office-space provider, has seen the data of 900 employees exposed by accident. This Regus data breach took place following a staff review, and involved staff details being posted publicly online.
According to BBC News, the review involved sales staff showing researchers around an office space, while the researchers pretended to be clients interested in renting the space.
After the review, however, a spreadsheet of staff data was published on the task-management website Trello. The details published included names, addresses, and job performance data.
Furthermore, the names and addresses of researchers from Applause, a company contracted by Regus parent company IWG, were also published.
According to the report from the BBC:
“Team members are aware they are recorded for training purposes and each recording is shared with the individual team member and their coach to help them become even more successful in their roles,” IWG said.
“We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise.
“As our primary concern we took immediate action and the external provider has now removed the content.”
How this Regus data breach happened is unclear. According to the co-founder of Trello, Michael Pryor:
“Trello boards are set to private by default and must be manually changed to public by the user.
“We strive to make sure public boards are being created intentionally and have built in safeguards to confirm the intention of a user before they make a board publicly visible.”
You can read the full article from BBC News by clicking here.
Given these measures on Trello, it appears that the breach has taken place due to human error. This demonstrates why data protection staff training is so important: any employee can be responsible for a data breach which results in significant fines.
Worryingly, it appears that this data breach has not been reported to the Information Commissioner’s Office (ICO), even though GDPR requires organisations to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected.
However, it remains to be seen whether it has been reported to a data commissioner in another country; the BBC has made enquiries to Luxembourg’s official body to see if the breach has been reported there instead.
Are you uncertain what to do if you suffer a data breach? Or are you worried about the security of data at your organisation? Get in touch with us today to get expert help from our GDPR Consultants!
The Royal College of Psychiatrists has called for social media data to be handed over to academics in order to protect children and young people who are at risk of suicide.
By studying the content that is being viewed, the hope is that new research could help protect users from material that could harm them.
According to an article from The Guardian:
“We will never understand the risks and benefits of social media use unless the likes of Twitter, Facebook and Instagram share their data with researchers,” said Dr Bernadka Dubicka, chair of the college’s child and adolescent mental health faculty. “Their research will help shine a light on how young people are interacting with social media, not just how much time they spend online.”
Data passed to academics would show the type of material viewed and how long users were spending on such platforms but would be anonymous, the college said.
If the data were genuinely anonymised it would fall outside the GDPR altogether; if it were merely pseudonymised, it would remain personal data, and data about what young people view online is extremely sensitive either way. Care would have to be taken to ensure that it was shared with academics lawfully and that users were sufficiently protected.
The idea has received support from other sources as well. The Guardian goes on:
NHS England challenged firms to hand over the sort of information that the college is suggesting. Claire Murdoch, its national director for mental health, said that action was needed “to rein in potentially misleading or harmful online content and behaviours”.
She said: “If these tech giants really want to be a force for good, put a premium on users’ wellbeing and take their responsibilities seriously, then they should do all they can to help researchers better understand how they operate and the risks posed. Until then, they cannot confidently say whether the good outweighs the bad.”
Click here to read the full article from The Guardian.
With the government currently planning measures to make the internet a safer place for users, including setting up an independent regulator and placing a duty of care on online companies, the Royal College of Psychiatrists may well get what they want here.
But with data privacy a major concern here, there are also likely to be objections. According to the BBC, civil rights group Big Brother Watch stated that users should be “empowered to choose what data they give away, who to and for what purposes”, and that young people should not be treated like “lab rats” on social media.
Pop-ups asking us for our consent to website cookies have increased since GDPR came into force. However, a new study shows that many of these pop-ups could actually still be in breach of GDPR.
The study, titled: “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence”, focuses on the requirement for informed consent. According to an article from Telecoms.com:
The issue this study seems to have been conducted to address concerns how much information people are supplied with when asked for their consent, as well as the matter of presumed consent – i.e. opt-out as opposed to opt-in. In many cases this process is managed by third party consent management platforms (CMP), and that’s what the study focused on.
“We scraped the designs of the five most popular CMPs on the top 10,000 websites in the UK,” says the abstract to the report. “We found that dark patterns and implied consent are ubiquitous; only 11.8% meet the minimal requirements that we set based on European law. Second, we conducted a field experiment with 40 participants to investigate how the eight most common designs affect consent choices.
“We found that notification style (banner or barrier) has no effect; removing the opt-out button from the first page increases consent by 22–23 percentage points; and providing more granular controls on the first page decreases consent by 8–20 percentage points. This study provides an empirical basis for the necessary regulatory action to enforce the GDPR, in particular the possibility of focusing on the centralised, third-party CMP services as an effective way to increase compliance.
You can read the full article from Telecoms.com by clicking here.
In short, the study found that in the majority of cases people are not given enough information, or a genuine choice, to give valid consent. Consent that is not informed and freely given does not meet the GDPR standard.
In fact, GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Pop-ups relating to website cookies and other elements that do not meet these criteria, for example by presuming consent from continued browsing, by pre-ticking boxes, or by hiding the option to refuse, are not GDPR compliant, putting the websites and companies that use them at risk of being penalised.
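To make the difference between implied and affirmative consent concrete, here is an added example (not code from the page, from the study, or from any real CMP). It models a first-layer banner in two configurations, the dark-pattern one the study describes beside an opt-in one, and gates the setting of non-essential cookies on a recorded decision. The category names, the two banner configurations and the cookie "jar" that stands in for `document.cookie` are all constructed for illustration.

```javascript
// Added example (not from the page or the study): a consent gate that only
// treats an explicit user choice as consent, beside a dark-pattern variant
// that treats scrolling as consent. Category names and both banner
// configurations are constructed for illustration.

// First-layer banner configurations. The first mirrors patterns the study
// found common; the second implements opt-in consent.
const DARK_PATTERN_BANNER = {
  preTicked: { analytics: true, advertising: true }, // ticked before the user does anything
  rejectOnFirstLayer: false,                         // refusing needs a second page
  impliedConsentOn: ["scroll", "navigate"],          // continuing to browse is counted as consent
};
const OPT_IN_BANNER = {
  preTicked: { analytics: false, advertising: false },
  rejectOnFirstLayer: true,
  impliedConsentOn: [],
};

// Flag the patterns that conflict with "freely given ... clear affirmative action".
function auditBanner(cfg) {
  const findings = [];
  for (const [category, ticked] of Object.entries(cfg.preTicked)) {
    if (ticked) findings.push(`pre-ticked box for ${category}`);
  }
  if (!cfg.rejectOnFirstLayer) findings.push("no reject option on first layer");
  if (cfg.impliedConsentOn.length > 0) {
    findings.push(`implied consent on: ${cfg.impliedConsentOn.join(", ")}`);
  }
  return findings;
}

class ConsentStore {
  constructor(cfg) {
    this.cfg = cfg;
    this.choices = { ...cfg.preTicked }; // what the banner shows before any action
    this.decided = false;                // becomes true only on an affirmative act
  }
  // Page events (scroll, navigate, timer). Only a dark-pattern config turns
  // these into consent; an opt-in config ignores them entirely.
  onEvent(kind) {
    if (this.cfg.impliedConsentOn.includes(kind)) {
      this.decided = true; // with pre-ticked boxes this grants everything
    }
  }
  // The user explicitly chose per category: the only path an opt-in banner has.
  record(choices) {
    this.choices = { ...this.choices, ...choices };
    this.decided = true;
  }
  rejectAll() {
    this.record(Object.fromEntries(Object.keys(this.choices).map((k) => [k, false])));
  }
  // Strictly necessary cookies need no consent; everything else needs a
  // recorded decision with that category switched on.
  allowed(category) {
    return category === "necessary" || (this.decided && this.choices[category] === true);
  }
}

// A Map standing in for document.cookie; the gate refuses non-essential
// cookies until allowed() says yes and reports whether the cookie was set.
function setCookie(jar, name, category, consent) {
  if (!consent.allowed(category)) return false;
  jar.set(name, category);
  return true;
}
```

With the dark-pattern configuration a single scroll event is enough for `setCookie` to accept an analytics cookie, which is exactly the "implied consent" the study found ubiquitous; with the opt-in configuration the same event changes nothing, and only `record()` or `rejectAll()` move the store out of its undecided state. Wiring `onEvent` to real scroll listeners and `setCookie` to `document.cookie` is left to the site.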
Unsure of how consent or other lawful bases for storing and processing data under GDPR work? Want to improve your compliance programme? Contact us today; our GDPR consultants can provide expert advice.
In an embarrassing slip-up for the British government, the addresses of more than 1,000 New Year Honours recipients have been published online. The file was apparently uploaded to an official website on Friday evening and taken down again on Saturday.
Those who had their details leaked included politicians, senior police officers, and a number of celebrities – including Sir Elton John, cricketer Ben Stokes, and TV cook Nadiya Hussain.
In his analysis for the BBC, Rory Cellan-Jones writes:
There is no doubt that this is a serious data breach and the government, of all organisations, should be better acquainted with the law on disclosing sensitive personal information.
But while some of the celebrities and the police officers awarded honours may be concerned about their privacy and security, it would have been far more serious if the home addresses of those on the list of gallantry awards had been leaked.
The Information Commissioner’s Office has so far only levied one fine under the new Data Protection Act which came into effect in 2018 – a London pharmacy was fined £275,000 for careless storage of the very sensitive medical data of half a million people.
Lawyers who specialise in data protection think the ICO will see this as a less serious case of human error and may let the Cabinet Office escape with a warning about improving its practices.
But they say much now depends on the attitude of those who have seen their data leaked – they could decide to bring civil claims against the government for putting in the public domain information many of them have been determined to keep private.
You can read the full BBC report here.
This is again a demonstration that it is not just private businesses that can run afoul of data protection laws. Public bodies – including the government – can do so as well.
It is extremely worrying that a breach like this can happen. The New Year Honours list is a high-profile announcement, and many of the people on it are high-profile themselves, so a leak of home addresses could have serious consequences.
Although Cellan-Jones believes the Cabinet Office may get off lightly with just a warning, it remains to be seen how the ICO will respond. But whatever happens next, data protection practices should definitely be looked at closely within government.
If you’re concerned about your own data protection measures, get in touch with Activa Consulting today and let us help you improve your organisation!
Data subject access requests are a key part of GDPR. By allowing users to request a copy of the data an organisation holds on them, they ensure transparency and give users the awareness and ability to protect their information.
However, an unexpected side-effect is that they are also posing a risk to users because organisations are not taking sufficient steps to check the legitimacy of such requests.
The issue was discovered by Oxford University PhD student James Pavur. Having sent 150 data subject access requests in his fiancée’s name, he was given her data by almost a quarter of the organisations with no more confirmation of identity than her email address or phone number.
As reported by Econsultancy:
Clearly, subject access creates a significant and previously not well-publicized risk for businesses.
While GDPR compliance has been a great concern for many companies, and Pavur’s research indicates that a large percentage are taking subject access requests seriously, the lack of a standard for what constitutes reasonable identity verification leaves companies vulnerable and gives bad actors the ability to turn a consumer data protection law into a weapon for stealing consumer data.
Perhaps not surprisingly, just as small and mid-sized organizations struggled the most to prepare for the GDPR, these organizations also appear to be the most vulnerable to subject access abuses. According to Pavur, the largest organizations he sent requests to “tended to perform well”. Non-profits and mid-sized businesses, on the other hand, were responsible for 70% of the mishandled requests.
You can read the full article from Econsultancy here: https://econsultancy.com/identity-verification-is-now-an-important-gdpr-issue/
The data that Pavur gained access to was often of a sensitive nature. In one case, he was able to obtain his fiancée’s US social security number without providing any documentation. He also obtained bank details and breached usernames and passwords that were still in use.
All of this indicates that there is still a long way to go when it comes to GDPR compliance. In attempting to comply with the law over data subject access requests, organisations were actually failing in their obligations to protect user data.
If you’re uncertain about how to ensure GDPR compliance, Activa Consulting can help. Get in touch with us today and our expert data protection consultants will provide the guidance that you need.