In this blog, we will tell you about the first ICO fine under the GDPR and give you key takeaways from the decision.
In December 2019, ICO fined a pharmacy, Doorstep Dispensaree, £275,000 for failing to ensure the security of special category data.
Doorstep Dispensaree, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
Documents, some of which had not been appropriately protected against the elements and were therefore water damaged, were dated between June 2016 and June 2018. Failing to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage is an infringement of the GDPR
The ICO launched its investigation into Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy.
Whilst executing a search warrant, the MHRA discovered, in a rear courtyard, 47 unlocked crates, 2 disposal bags and a cardboard box containing an estimated 500,000 documents with names, addresses, dates of birth, NHS numbers, medical information and prescriptions. The documents weren’t secure or marked as confidential and some were soaking wet.
The ICO requested information from Doorstep Dispensaree; however, Doorstep Dispensaree refused to provide this and the ICO issued an Information Notice in October 2018. Doorstep Dispensaree appealed the issuing of the Notice as the MHRA were investigating but the Notice was upheld. Doorstep Dispensaree eventually responded to the Notice but still didn’t provide the ICO with all the required information. The policies that it did provide were vague templates from a trade association and some hadn’t even been used by Doorstep Dispensaree.
The ICO issued a Notice of Intent to impose a £400,000 fine in June 2019. Doorstep Dispensaree replied with written representations, including that the waste disposal company was at fault and that they should be fined instead. The ICO didn’t accept this argument as Doorstep Dispensaree was the controller and had full responsibility.
The contraventions set out in the Monetary Penalty Notice can be grouped into two types:
Security (Articles 5(1)(f), 24(1) and 32 GDPR):
- leaving documents outside in unlocked containers where they could be accessed by neighbours and damaged by water ingress from “careless” storage
- documents not being securely shredded in breach of a relevant policy
- policies being “out of date and/or inadequate and/or generic templates”
- inadequate records
- concerns about retention
- a large number of data subjects were affected, including elderly or vulnerable people in care homes
Transparency (Articles 13 and 14 GDPR) – various deficiencies in Doorstep Dispensaree’s privacy notices.
Specifically, the notices:
- did not state that Doorstep Dispensaree was the controller
- did not give the Article 6 legal basis or the Article 9 condition for processing special category data
- did not outline the categories of personal data collected from third parties
- did not specify what their legitimate interest was
- did not explain who the recipients of the data were
- did not state the retention periods for the data
- did not inform the data subjects of their rights
- did not say which third parties the data came from
- did not say whether the processing was a statutory or contractual requirement
MOST OF THIS COULD HAVE BEEN HANDLED WITH A FAIR PROCESSING NOTICE
ICO concluded that the breach was “extremely serious and demonstrates a cavalier attitude to data protection”.
- You are responsible for the data. Keep it secure.
- You are responsible for giving people the information required by Article 13 and 14
- Audit your service providers, especially on security matters, throughout the relationship lifecycle, as you are the controller
- Have a data sharing agreement in place with all processors that conforms with the GDPR and has a liability clause in it
- Don’t forget that it’s not just data subject complaints and news reports which trigger investigations – reports from other regulators can too.