First fine under the new data protection regime for "careless" storage of personal data

The Information Commissioner’s Office (ICO) has fined London based pharmacy, Doorstep Dispensaree Ltd, £275,000 for failing to ensure the security of documents containing personal data.  This is the first fine finalised by the ICO under the General Data Protection Regulation (GDPR) which came into force on 25 May 2018.

It is understood that two other proposed substantial GDPR fines that the ICO notified in July 2019 to British Airways (£183m) and Marriott International, Inc (£99m) have not yet been concluded, but it will be interesting to see the ICO’s final approach to those.  Meanwhile the Doorstep Dispensaree fine provides some useful reminders about the potential consequences of non-compliance. 

Background

In July 2018, during a criminal investigation into Doorstep Dispensaree Ltd by another regulator, approximately 500,000 documents containing personal data were found in the courtyard of the company’s premises.  The documents, dating from January 2016 – June 2018, were stored in 47 unlocked crates, 2 disposal bags and 1 cardboard box.  The files contained names, addresses, birth dates and NHS numbers, plus special category data including medical information and prescriptions. 

The ICO launched an investigation in August 2018 and issued the Penalty Notice imposing the £275,000 fine on 17 December 2019.  Due to the seriousness of the failures, Doorstep Dispensaree Ltd was also issued with an enforcement notice, ordering it to improve its data protection practices within three months or face further enforcement action.

The ICO's decision

The crux of the ICO’s decision was Doorstep Dispensaree Ltd’s failure to implement robust data governance mechanisms.  In the Penalty Notice, it identified a number of specific contraventions of the GDPR:

• Several of Doorstep Dispensaree Ltd’s policies predated the GDPR and/or were direct copies of generic templates. Furthermore, the company’s Privacy Notice did not contain the requisite information prescribed by the GDPR.
• Even where a policy was provided, it was not complied with - data was not shredded despite the Data Handling Procedure stating that all waste containing patient data was to be cross shredded before disposal.
• There was a failure to protect the data from accidental loss, destruction or damage. The rear of the premises could be accessed by others, creating a risk of unauthorised access, and the unsecure storage of the data left it exposed to the elements.
• Data was being held for longer than necessary.
• There was a failure to consider the risks to the rights and freedoms of the data subjects in light of the volume and sensitivity of the data.

Checklist

To avoid fines or enforcement action by the ICO, it is crucial that your organisation takes steps to comply with the GDPR.  Key considerations include:

• Ensuring data protection policies are in place, relevant and up to date. These should be reviewed on a regular basis, include robust advice to staff and be specific as to the organisation.  Compliance is a continual process.
• Check that appropriate technical and organisational measures are in place to ensure security of personal data.
• Where you have a relationship with a data processor or waste disposal company, ensure you have a contract in place articulating roles and responsibilities. You can download our checklist on mandatory provisions for data processing contracts here.
• Regularly undertake risk assessments to enable you to assess the appropriate level of security required for data.
• Be clear on how you categorise data that you process, how it is stored, retained and disposed of.
• Don’t breach your own policies!

Claire Williams and Judith Houston