The Information Commissioner’s Office (ICO), the UK’s GDPR data protection authority, has issued its first ever GDPR penalty to the London-based pharmacy, Doorstep Dispensaree. The company is one of the main suppliers of medicines to nursing homes in London.
ICO investigated Doorstep Dispensaree following the discovery of around 500,000 documents containing sensitive patient information outside its premises at Burnt Oak Broadway in Edgware. ICO had been tipped off about the potential GDPR violation by the Medicines and Healthcare Products Regulatory Agency, which was also conducting its own investigation of the pharmacy.
The documents had been placed in a mixture of unlocked storage containers and disposal bags at the rear of the premises. The documents were unsecured; some of the containers had not been properly sealed and were not protected from the elements.
The documents contained a range of sensitive information including patients’ names, addresses, birth dates, NHS numbers, medical information, and details of prescriptions. The documents dated between June 2016 and June 2018. Some of the patient information in the documents is classed as special category data, which requires additional protections under GDPR.
GDPR requires data controllers and data processors to protect personal data against unauthorized access, accidental loss, destruction, and damage. Anyone could have found the boxes and viewed sensitive patient data, and the documents had clearly not been protected against accidental damage, as many were soaking wet. The ICO estimated the documents related to around 78 nursing homes and contained the personal information of hundreds of thousands of patients.
The failure of Doorstep Dispensaree to secure the documents and protect them from damage was determined to be a clear violation of GDPR and, given the company’s “cavalier attitude to data protection”, a financial penalty was deemed appropriate.
“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect,” said Steve Eckersley, Director of Investigations at the ICO.
In addition to the financial penalty, Doorstep Dispensaree has been issued with an enforcement notice and has been given three months to improve its data protection practices. If sufficient steps are not taken to correct the GDPR violations and improve data protection measures, an additional financial penalty is likely to be issued.
While this is not the first time that the ICO has taken action against a UK firm for a GDPR violation, it is the first financial penalty to be formally announced. Enforcement action has previously been initiated against British Airways and Marriott International, and the ICO has stated its intention to fine both companies, but a financial penalty has yet to be announced in either case.