Pharmacy’s UK GDPR fine reduced on appeal

Out-Law News | 23 Aug 2021 | 2:22 pm | 3 min. read

A pharmacy fined for its “careless” handling of sensitive personal data has had the level of its penalty reduced on appeal after a tribunal accepted its claims that the scale of its breach of data protection laws was smaller than a UK regulator had determined.

Doorstep Dispensaree was fined £275,000, and ordered to improve its data protection practices, by the UK’s Information Commissioner’s Office (ICO) in 2019. The ICO took action after determining that Doorstep Dispensaree had stored approximately 500,000 documents in "unlocked containers" at the back of premises in Edgware in London. The documents contained a range of personal data, including NHS numbers, medical information and details of prescriptions, as well as people's names and addresses, and some of them were water damaged.

However, the company raised an appeal against both the monetary penalty notice and enforcement notice that the ICO issued. That appeal was heard by an information rights tribunal, which has partially ruled in its favour to reduce its fine to £92,000. The tribunal’s decision has not yet been formally published by the Courts and Tribunals Judiciary but has been made public by legal news provider M-Lex.

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law, said: “This is the third time that the ICO has had to scale back on the fines it proposed to serve businesses for a breach of the General Data Protection Regulation (GDPR) – in the higher profile British Airways and Marriott cases the final fines issued were £20m and £18.3m respectively, down from the £183m and £99m that the ICO had originally intended to impose. It remains to be seen how the arguments raised in those cases and this latest admonishment from the tribunal impact the ICO’s approach to monetary penalty notices in future.”

“However, what is clear from the tribunal’s decision is that controllers cannot be absolved of responsibility for personal data simply because processors breach contractual terms around security. Such a breach will not render the processor the controller of the data in their place provided the processor is not using the personal data for a new unauthorised purpose,” she said.

The ICO’s investigation into Doorstep Dispensaree was triggered by a tip-off from the UK's medicines regulator, the Medicines and Healthcare products Regulatory Agency (MHRA), which had been carrying out its own regulatory enquiries at the time.

In its appeal, Doorstep Dispensaree argued, among other things, that the ICO had over-estimated the number of documents stored in the containers, having reviewed only a sample of the papers seized by the MHRA. It also claimed that the ICO had been wrong to treat it as the controller of the personal data at issue. Instead, it claimed that JPL, a waste disposal company it had engaged, was the controller of some of the data, and that its care home customers were the controllers of the remaining data.

Doorstep Dispensaree’s case in respect of JPL was argued on the basis that the data processor had “departed from the arrangement” they had put in place to the extent that JPL “had assumed the role of controller”. In her decision, however, tribunal judge Moira MacMillan said that while JPL had breached “relevant data processing requirements”, Doorstep Dispensaree remained overall responsible for the way that data was handled, and further held that the company’s “failure to devise adequate data processing policies contributed” to JPL’s own breaches. She said Doorstep Dispensaree, and not the care homes, was also responsible for the personal data contained in the documents that the care homes had returned to it.

However, while the tribunal judge also sided with the ICO on its decisions to impose both a monetary penalty notice and an enforcement notice on Doorstep Dispensaree, she found fault with the evidence the ICO had relied on to set the level of the fine.

“The commissioner relies on evidence that was produced during an investigation carried out for a different purpose,” the tribunal judge said. “It therefore lacks important details about the nature of the personal data concerned, not least an accurate calculation of the number of documents recovered. The commissioner has also elected not to rely on witness evidence, nor to produce evidence of the origin of the personal data being processed by JPL. By contrast, [Doorstep Dispensaree] has audited all of the documents, and the evidence it has produced is necessarily a more reliable source of information.”

The tribunal judge concluded that 73,719 documents had been seized by the MHRA, and not approximately 500,000. She also held that 12,491 of those documents contained personal data and 53,871 contained special category data.

However, in considering what the revised penalty should be, the tribunal judge said it would not be right to take account only of the fact that there were fewer documents than originally thought. She cited “the gravity of the contraventions” and further treated the “highly vulnerable” nature of many of the data subjects as a “significant aggravating factor” that needed to be accounted for. She decided that a revised fine of £92,000 was appropriate in all the circumstances.

The initial fine issued to Doorstep Dispensaree by the ICO was the first fine the ICO had issued under the GDPR.