The Information Commissioner’s Office has finally dished out its first GDPR fine – nearly 19 months after the regulation came into force – slapping a London-based pharmacy with a £275,000 penalty for failing to store “special category data” securely.
Doorstep Dispensaree, which supplies medicines to customers and care homes, left nearly 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
Documents, some of which had not been appropriately protected against the elements and were therefore water damaged, were dated between June 2016 and June 2018.
Failing to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage is an infringement of GDPR.
The ICO launched its investigation after it was alerted to the insecurely stored documents by the Medicines & Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy.
ICO director of investigations Steve Eckersley said: “The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”
In setting the fine, the ICO only considered the contravention from May 25 2018, when GDPR came into effect. It originally served the firm with a notice of intent for a £400,000 penalty but this was reduced following “representations” made to the regulator.
Even so, Doorstep Dispensaree has also been issued an enforcement notice due to the significance of the contraventions and ordered to improve its data protection practices within three months. Failure to do so could result in further enforcement action.
Meanwhile, the clock is running down fast on both the British Airways and Marriott International cases, with the six-month timeframe between issuing a notice of intent and the final penalty running out early next month. The two firms face combined fines of £282m.