ICO issues first fine under the General Data Protection Regulation (GDPR)

An examination of the first fine issued by the Information Commissioner's Office in the UK for breach of the GDPR.

24 January 2020

Doorstep Dispensaree Ltd, a London-based pharmacy that supplies medicine to care homes, is the first organisation in the UK to be issued with a fine since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. The Information Commissioner’s Office (ICO) announced it had imposed the fine of £275,000, along with an enforcement notice, on 20 December 2019 after finding the company had failed to secure a number of care home patients’ special category data.


Doorstep was found to have stored approximately 500,000 documents containing personal data at the back of its premises in Edgware in unlocked crates, disposal bags and a cardboard box. These were neither secure nor marked as confidential waste. Although the courtyard where the documents were found was locked, it could still be accessed from residential flats via a fire escape, leaving the documents vulnerable to potential unauthorised or unlawful access. The ICO also confirmed that some of the documents were found to be “soaking wet, indicating that they had been stored in this way for some time” and that this “careless” storage failed to protect the documents from accidental loss or damage.

The personal data included care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions. As information relating to an individual’s health is classified as special category personal data under the GDPR, its sensitivity requires more stringent security measures to be in place to provide additional protection. Consequently, the pharmacy’s failure to ensure appropriate security for this data was considered to be a serious breach of the GDPR.

The ICO’s fine and what we should take from it

In July 2019 the ICO made headlines by issuing two notices of intention to fine in respect of British Airways and Marriott International, Inc. In those two cases, which also involve breaches of security, the ICO indicated that it intended to impose fines of £183 million and £99 million respectively. Final decisions in both matters are still awaited, so the fine imposed upon Doorstep is our first real indication of how the ICO is going to apply the new laws.

The fine imposed on Doorstep has already been followed by a second fine of £500,000 imposed upon DSG Retail Limited (which operates Currys PC World and Dixons travel stores) after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people. This fine was imposed under the pre-GDPR penalties regime and is at the maximum level, so a post-GDPR fine would likely have been much higher. While the fines of £275,000 and £500,000 are modest in comparison to those potentially being imposed on BA and Marriott, it is still interesting to note they are significantly higher than the majority of fines issued before the GDPR came into force.

We have also seen a number of considerably higher fines for breaches of the GDPR being imposed in other EU Member States, such as Google LLC’s fine of €50 million in France and a fine of €18 million issued to Österreichische Post AG in Austria. There is, however, still a very wide range of fines being issued across the EU as a whole. For example, all fines issued to date in Belgium have been under €10,000, whereas the fines issued by the various German data protection authorities range from €10,000 to €14.5 million, indicating that we are yet to see any definite trends emerging.

Importantly, the fine issued against Doorstep is the first indication that the ICO is looking at more general GDPR compliance issues rather than simply large security breaches. In the case of Doorstep there was no unlawful access – it was simply that the information about Doorstep’s lack of procedures and appropriate security was passed on to the ICO as a result of an investigation by another regulator (the Medicines and Healthcare Products Regulatory Agency). It is a useful reminder that organisations should not only be focusing on cyber security when protecting personal data – they must ensure that there are appropriate processes for document disposal in place, as well as having secure premises and suitable internal security policies for protecting personal data held both in hard copy and electronically.

It will be interesting to see how Doorstep’s fine ultimately compares to future fines imposed by the ICO. However, organisations must be mindful of the fact that a fine of up to €20 million or 4% of a company’s annual turnover can be issued under the GDPR. It does not need to be a multi-million pound fine to have a significant impact on a business.