Data Protection and Coronavirus – ICO Guidance

The Information Commissioner’s Office (ICO) has issued guidance around data protection and coronavirus, recognising the “unprecedented challenges” we face during the pandemic.

On the whole, the ICO is taking a commonsense approach. They state that measures taken should be proportionate: “if something feels excessive from the public’s point of view, then it probably is.”

Here’s a short summary of the guidance provided by the ICO on data protection and coronavirus:

  • The ICO understands that data protection standards may not be as high during this time because resources are being diverted away from compliance work. Organisations won’t be penalised if they need to adapt their usual practices.
  • Data protection laws do not prevent people working from home, which many will do during the pandemic. The same security measures should be considered for homeworking as at the workplace.
  • Staff should be informed about cases of coronavirus at your organisation. Individuals do not need to be named, however; provide no more information than is necessary.
  • There’s no need to collect significantly more health data about your employees. While you have an obligation to protect their health, you should not collect more information than you need and can take a commonsense approach to this.
  • Rather than attempting to handle things internally, a better approach may be to ask people to consider and follow government advice – for example, calling the NHS on 111 if they have visited a badly affected country or are showing symptoms of the virus.
  • It’s fine to share employee health data with the authorities if necessary – although it’s unlikely you’ll need to do so.

You can read the full guidance from the ICO here.

This is certainly a difficult time for people and organisations, but on the matter of data protection and coronavirus, it’s important to be sensible. Don’t take unnecessary measures; make sure that your response is proportionate.

If you have any more questions about this or any other subject relating to data protection, get in touch with us today and our consultants will provide all the advice you need.

First UK GDPR fine issued

The first UK GDPR fine has been issued by the Information Commissioner’s Office (ICO). A fine of £275,000 was issued to Doorstep Dispensaree Ltd, a pharmacy based in London which supplies medicine to care homes.

The fine was issued on 20th December 2019 after an investigation by the Medicines and Healthcare products Regulatory Agency (MHRA). Although the MHRA was investigating other issues, they found an estimated 500,000 documents containing personal data left unsecured in an outside courtyard at the pharmacy’s premises.

The documents were apparently found in storage crates, a cardboard box, and disposal bags. According to a report from Mondaq:

These were neither secure nor marked as confidential waste. Although the courtyard where the documents were found was locked, it could still be accessed from residential flats via a fire escape, leaving the documents vulnerable to potential unauthorised or unlawful access. The ICO also confirmed that some of the documents were found to be “soaking wet, indicating that they had been stored in this way for some time” and that this “careless” storage failed to protect the documents from accidental loss or damage.


The personal data included care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions. As information relating to an individual’s health is classified as special category personal data under the GDPR, its sensitivity requires more stringent security measures to be in place to provide additional protection. Consequently, the pharmacy’s failure to ensure appropriate security for this data was considered to be a serious breach of the GDPR.

There are many important things to note from this first UK GDPR fine:

  • While £275,000 is a significantly greater fine than anything issued pre-GDPR, it is also far short of the maximum possible. This is because the ICO has taken into consideration the size and financial position of Doorstep Dispensaree Ltd to make the fine “effective, proportionate and dissuasive”.
  • The data involved was not breached, but was stored in a dangerous way that was non-compliant with GDPR. The ICO is not merely looking at breaches, but overall compliance.
  • GDPR applies not only to data stored digitally, but to hard copies as well. Physical documents should be stored safely and securely, and disposed of properly.
  • Data controllers are required to protect data against damage or accidental loss; apart from questions over security, it is clear that storing documents outside in a cardboard box will not sufficiently protect them from damage.
  • According to a report from Lexology: “The Commissioner noted that the pharmacy’s data protection documents were out of date, inadequate or were generic templates. They did not have a retention policy.” So there were other failings at the pharmacy, which showed little compliance with GDPR of any kind.

Our GDPR Consultants can always advise an organisation about what they must do to become GDPR compliant. If Doorstep Dispensaree Ltd had obtained external, professional advice about data protection, they might have been able to avoid this fine.

If you have any concerns about compliance at your organisation, get in touch with us today and we’ll work with you on your data protection programme.

Facebook will be fined $5 billion for Cambridge Analytica Scandal

The US data regulator, the Federal Trade Commission (FTC), has announced that it intends to fine Facebook $5 billion for its part in the Cambridge Analytica Scandal.

The fine that Facebook received from the UK’s ICO, coming pre-GDPR, was a mere £500,000. Although the FTC’s fine is a huge amount more, many feel that it’s inadequate.

Here’s what Dave Lee, the BBC North America technology reporter, had to say about it:


Facebook had been expecting this. It told investors back in April that it had put aside most of the money, which means the firm won’t feel much added financial strain from this penalty.


What we don’t yet know is what additional measures may be placed on the company, such as increased privacy oversight, or if there will be any personal repercussions for the company’s chief executive, Mark Zuckerberg.


The settlement, which amounts to around one quarter of the company’s yearly profit, will reignite criticism from those who say this amounts to little more than a slap on the wrist.

You can read the full news report here:

It’s notable that the fine was only just passed by the FTC by 3 votes to 2, with those voting against it stating that it was insufficient, even though it would be the biggest ever brought by the FTC against a tech company.

Perhaps the most shocking thing is that Facebook shares actually rose 1.8% at the news, with investors receiving it positively.

The debate will go on, but many will continue to think that Facebook got off lightly with just a $5 billion fine. If this had come under GDPR, Facebook would likely have been in a great deal of trouble.

As it is, a mere £500,000 from the ICO – a record at the time, until the recent British Airways fine of £183 million – seems hardly worth mentioning.

We weren’t scaremongering. BA’s £183m GDPR fine should alarm every business.

So, those of us who warned two years ago how profoundly dangerous a GDPR fine could be for businesses weren’t wrong. We were among the very first to recognise the implications, and it’s now clear that the game has changed: if either your GDPR compliance or your cybersecurity is compromised, it can bankrupt your business. The first major GDPR fine – £183 million, yes, you read that right – is now public. Contact us for quick, comprehensive guidance.

Survey finds small businesses confused over GDPR

The rules of GDPR for small businesses are the same as for bigger corporations. Yet it’s been reported that many small businesses still don’t understand GDPR, seven months after it came into effect. Of the 1000 questioned for a new survey, half admitted that they didn’t understand the rules brought in on May 25th, despite the possible consequences. Keep in mind that a fine could potentially be up to €20 million – per data breach.

There were many shocking statistics to come out of the survey. A few to particularly take note of:

  • 60% of small businesses didn’t know that the Information Commissioner’s Office should be notified if a data breach occurs. In addition, half didn’t know that the affected individuals should also be notified.
  • 25% allowed employees to use their own phones, computers, etc. for work without making sure the data was encrypted. No matter how secure the data was in the workplace, it therefore wasn’t sufficiently protected.
  • Many paper records are not being disposed of securely. More than half were not disposing of customer records properly, and the same was true of staff records in 71% of cases.
  • A quarter had used details from real case studies in training materials, effectively handing out private information to their employees.

You can read the full details of the survey by clicking here.

Being unaware of the requirements under GDPR for small businesses, these companies are putting their customers and themselves at risk. It’s vital that everyone knows their obligations regarding data protection under the new laws, but many still don’t.

Activa Consulting can provide extensive GDPR gap analysis to ensure that your company is compliant with GDPR. We also offer services designed to protect you from data breaches such as GDPR staff training, which will prevent simple lapses that could lead to massive fines.

So contact us today to give your organisation the best chance of being GDPR compliant!