ICO issues first UK fine for GDPR breach
A “careless” attitude towards patient data caused a GDPR data breach and cost London-based pharmacy Doorstep Dispensaree an eye-watering £275,000, scaled down from an initial £400,000 judgment. The pharmacy has also been issued with an enforcement notice, requiring it to update all policies and procedures within 3 months and carry out mandatory staff training. The pharmacy will incur a further fine if it fails to meet the actions specified in the enforcement notice.
The long-awaited and much-anticipated first UK fine issued by the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR) has now been handed down, and it is certainly worth considering.
Doorstep Dispensaree – which supplies medicines to individuals and care homes – left some 500,000 documents in unlocked containers at the back of its premises in Edgware in July 2018. The unsecured documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people, and dated between June 2016 and June 2018.
The pharmacy was under investigation by the Medicines and Healthcare Products Regulatory Agency (MHRA) over a separate regulatory compliance issue when the breach was discovered by inspectors. Upon spotting the crates and examining them further, the MHRA realised the sensitivity of the information it had discovered and reported the matter to the ICO.
In light of the report made by the MHRA, the Commissioner wrote to the pharmacy highlighting her concerns and requesting its cooperation with the ICO’s investigation into various alleged breaches of the GDPR. This marked the start of a lengthy period of poor communication and cooperation with the ICO, in which the pharmacy either failed to respond, failed to respond adequately, or provided insufficient and unsatisfactory information to the Commissioner.
In considering whether to levy a fine and, if so, at what level, the ICO highlighted the following key areas. These can act as helpful guide points for reviewing your business and its GDPR compliance:
The nature, gravity and duration of the breach
In this case the data was of the utmost sensitivity, and the dates of the documents discovered suggested the breach had been ongoing.
The intentional or neglectful nature of the breach
For the pharmacy to leave this data outside, unlocked and exposed to the elements showed a “cavalier attitude”.
Evidence of policy and organisational approaches to GDPR responsibilities
During the investigation period, the pharmacy did eventually provide a suite of data protection documents to the Commissioner; however, most were labelled ‘draft’ or still in template form and were therefore not adequate. In particular, the pharmacy’s privacy notice lacked key information required by the GDPR.
The responses from the Pharmacy to the Commissioner
Repeatedly delayed and inappropriate responses given by the pharmacy throughout the ICO’s investigation also influenced the size of the fine.
So what can we learn from this? Here’s a quick checklist to start you off:
- Do you have a GDPR policy in place, which has been rolled out and is both known and accessible to all staff?
- Have you issued privacy notices to your staff and covered all necessary areas within the notice?
- Is sensitive data on your premises stored in a way that protects it from damage, be that cyber damage or physical damage?
- Have you appointed a Data Protection Officer?
- Have you trained your staff on GDPR, including their obligations and responsibilities?