ICO hands down its first fine under the GDPR

On 17 December 2019 the Information Commissioner’s Office (‘the ICO’), the UK’s independent regulator for data protection and information rights, fined a London pharmacy £275,000 for failing to ensure the security of personal data, including ‘special category’ data.  This is the first administrative fine to be handed down by the ICO under the new data protection regime that came into force in May 2018.

Doorstep Dispensaree Limited, which supplies medicines to individuals and care homes, was found to have left approximately 500,000 documents in 47 unlocked crates, two disposal bags and one cardboard box in a rear courtyard at its premises.  The documents contained sensitive personal data including:-

  • Names
  • Addresses
  • Dates of birth
  • NHS numbers
  • Medical information
  • Details of prescriptions

The ICO was alerted to the insecure data in July 2018 by the Medicines and Healthcare products Regulatory Agency (‘the MHRA’), which was conducting its own separate investigation into Doorstep Dispensaree and found the documents during a search of the premises.  Not only were the documents insecure, but some were also not adequately protected from the elements and were therefore water damaged.

Doorstep Dispensaree did have data handling policies in place but these were found to have been out of date, not having been updated to comply with the General Data Protection Regulation (EU) 2016/679 (‘the GDPR’) and the Data Protection Act 2018 (‘the DPA’), which came into force on 25 May 2018.  The policies were also inadequate and/or generic templates.  In any event, they had not been complied with.

The fine was issued pursuant to section 155 of the DPA, in accordance with the powers of the Information Commissioner under Article 83 of the GDPR.

The reasoning behind the fine is set out in the Penalty Notice.  In determining whether to issue a fine and, if so, the figure, the Information Commissioner considered several factors, including:-

  • The nature of the breach:  The company had been highly negligent – “Any controller in the kind of business carried on by Doorstep Dispensaree ought to be well aware of its data protection obligations and taking them far more seriously.”
  • The gravity of the breach:  The breach concerned highly sensitive information (including special category data), which had been left unsecured in a “cavalier” fashion.  The data subjects could be easily identified and linked to data concerning their health.  There were also serious shortcomings in the information provided to data subjects through the company’s privacy policy and “no data subject would reasonably expect that personal data relating to their health would be handled in the manner that it was by Doorstep Dispensaree.”
  • The number of data subjects affected:  It was not possible to identify the number of data subjects whose data was included in the documents.  Nevertheless, given the number of documents and the size of the business it appeared likely that hundreds, or even thousands, of data subjects were affected.
  • The degree of responsibility of the data controller:  The company’s data protection failures were systemic.  There was little to no evidence that it had measures in place to ensure data protection by design (as required by Article 25 of the GDPR), nor that any technical or organisational measures were in place to protect the data (as required by Article 32 of the GDPR).  This was considered a major failing for a data controller that regularly handles highly sensitive health data.
  • The size and financial position of the data controller:  In light of the information available about the company (including its own representations about its financial position), the penalty needed to be “effective, proportionate and dissuasive”.

It is also important to note that in setting the fine, the Information Commissioner considered only the period from 25 May 2018, when the GDPR and the DPA came into force.  Had the period been longer, the fine might well have been greater.

Doorstep Dispensaree has also been issued with an Enforcement Notice, requiring it to improve its data protection practices within three months.  Failure to comply could result in a further penalty.

The ICO has the power to fine data controllers up to €20 million or 4% of their annual turnover (whichever is higher).  In addition to the imposition of fines by the ICO, breaches of the GDPR/DPA may expose a data controller to individual civil claims (or potentially class actions) for compensation.


Legal Disclaimer

Articles are intended as an introduction to the topic and do not constitute legal advice.