A pharmacy delivery company has been fined £275,000 by the UK's Information Commissioner's Office (ICO) after the watchdog found fault with the way it stored sensitive data. It is the first fine the ICO has issued under the General Data Protection Regulation (GDPR).
The ICO said Doorstep Dispensaree had stored approximately 500,000 documents in "unlocked containers" at the back of its premises in Edgware in London. The documents contained a range of personal data, including NHS numbers, medical information and details of prescriptions, as well as people's names and addresses, and some of them were water damaged.
Steve Eckersley, director of investigations at the ICO, said: "The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect."
One of the overarching principles of the GDPR requires organisations to ensure that personal data is "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".
According to the ICO, the documents it found in its investigation were dated between June 2016 and June 2018. However, the ICO said its fine only addressed the company's non-compliance after the GDPR took effect, on 25 May 2018.
In addition to the fine, Doorstep Dispensaree has been ordered by the ICO to improve its data protection practices. If it does not comply with the enforcement notice within three months, the company faces further potential sanctions.
The ICO opened its investigation into Doorstep Dispensaree after a tip off from the UK's medicines regulator, the Medicines and Healthcare Products Regulatory Agency (MHRA), which was carrying out a separate enquiry.
Data protection law expert Michele Voznick of Pinsent Masons, the law firm behind Out-Law, said: "The level of fine is much more in keeping with those issued under the data protection regime that was in place prior to the GDPR. However, it is not indicative of the severity of fines that the ICO has the power to issue now."
"Here, the ICO chose to issue a penalty covering negligent non-compliance of several provisions of data controller obligations it identified. It only took into account these infringements over a short period after the GDPR took effect. The case concerned failings in respect of physical storage of special category health data, retention of the data and failure to provide transparency information to the data subjects. The ICO did not consider there was a risk of financial loss, but it indicated the level of distress to the data subjects would be serious," she said.
"In the British Airways and Marriott hotels cases, where the ICO has outlined its intention to impose monetary penalties under the GDPR, the level of fines envisaged is far greater. Those cases concern international corporations and alleged failings on cybersecurity," Voznick said.
