The Information Commissioner’s Office has suffered another setback in its enforcement of GDPR – now known as UK GDPR – after the first company to be hit by a fine for breaching the legislation has had the penalty slashed by two-thirds on appeal.
Doorstep Dispensaree was issued with a £275,000 penalty in December 2019 for failing to store “special category data” securely.
At the time, the ICO ruled the firm – which supplies medicines to customers and care homes – left nearly 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
Documents, some of which had not been appropriately protected against the elements and were therefore water damaged, were dated between June 2016 and June 2018.
In setting the fine, the ICO only considered the contravention from May 25 2018, when GDPR came into effect. It originally served the firm with a notice of intent for a £400,000 penalty but this was reduced following “representations” made to the regulator.
Despite this reduction, Doorstep Dispensaree launched an appeal at the First-Tier Tribunal in an attempt to quash the decision.
During the appeal process, which has been severely delayed due to Covid, it emerged that the ICO had based its figure of 500,000 documents on an estimate provided by the Medicines & Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy.
But, it seems, this was way out. In fact, the Tribunal heard that 66,638 documents containing personal data were recovered, 53,871 of which contained special category data.
Even so, Judge Moira Macmillan stated: “[These] are still very large numbers of documents, and the significant aggravating factor that the majority contained the personal data of highly vulnerable data subjects remains.”
And, while Judge Macmillan upheld the original ICO enforcement notice that Doorstep Dispensaree had breached GDPR, she said: “I am satisfied that the level of the penalty imposed should not be reduced by a percentage based solely on the lower numbers of documents.”
In fact, Judge Macmillan ruled that no single factor would lead her to cut the fine, but that, taking “a number of issues” into consideration, including the financial hardship suffered by Doorstep Dispensaree and which section of GDPR was breached, the fine should be reduced to £92,000.
So far, the ICO has issued five fines under GDPR and, while none of them has been overturned, three have now had the scale of the penalty severely reduced.
In October last year, it was announced that British Airways had secured a reduction of nearly 90% from £183m to £20m for its fine, while Marriott had hammered down its penalty from £99m to £18.4m and a £1.25m fine against Ticketmaster is still under appeal.
It is still too early to say whether the fifth penalty – a £25,000 fine issued to transgender charity Mermaids last month – will also go to appeal.