A London-based pharmacy has been hit with the first ever General Data Protection Regulation (GDPR) fine in the United Kingdom, issued by the Information Commissioner’s Office (ICO).
The ICO has sanctioned a €325,000 (£275,000) GDPR penalty against Doorstep Dispensaree in connection with its ‘cavalier attitude to data protection’. This step was taken after it was found that the pharmacy, located at Burnt Oak Broadway, Edgware, stored 500,000 medical files containing protected personal information in unsecured and unlocked holders, disposal bags, and a cardboard box. These files were discovered during a Medicines and Healthcare Regulatory Agency (MHRA) investigation into alleged unlicensed and unregulated storage.
The enforcement notice released by the ICO showed that the data in the files included names, addresses, dates of birth, medical data, NHS numbers and prescriptions dated between January 2016 and June 2018. These documents can allow data subjects to be identified and connected to data concerning their health.
The ICO’s public statement on the breach said that the files were “not secure and they were not marked as confidential waste”, adding that some “were soaking wet, indicating that they had been stored in this way for some time. Given the nature of Doorstep Dispensaree’s business supplying medicines to care homes, it appears likely that a high proportion of the affected data subjects are elderly or otherwise vulnerable.”
In addition, it said that the exact number of people affected by the breach has yet to be accurately determined; however, it is thought that the documents “related to around 78 care homes.” It stated: “Regardless of the exact number of care homes involved, given the volume of documentation and size of Doorstep Dispensaree’s business, it appears likely that hundreds and possibly even thousands of data subjects have been affected. Taking all the above factors into account, the commissioner has decided to impose a penalty in the sum of £275,000.”
Steve Eckersley, Director of Investigations at the ICO commented: “The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”
Following the introduction of GDPR on May 25 2018, data protection agencies in the European Union can apply penalties of up to €20m or 4% of annual global revenue for the previous financial year, whichever figure is greater.
Along with the GDPR fine, Doorstep Dispensaree has also been served an enforcement notice due to the extent of the contraventions. The notice requires the pharmacy to implement data protection measures within a deadline of three months. If the improvements are not in place by that deadline, further enforcement action could be taken against it.