On 17th December 2019 the Information Commissioner's Office (ICO) issued its first ever fine under GDPR, the General Data Protection Regulation: a £275,000 fine to London-based pharmacy Doorstep Dispensaree Ltd (Doorstep).
In addition to the fine, the ICO has issued an enforcement notice requiring Doorstep to make significant improvements to its data protection procedures and policies.
Doorstep was under investigation by the Medicines and Healthcare products Regulatory Agency (MHRA) for other matters but, as part of that investigation, the MHRA discovered sacks and containers full of documents being kept outside in Doorstep's yard. The MHRA passed the details of its findings to the ICO.
The sacks and containers were not locked and were so insecure that they had let in the rain, and many of the documents had been damaged.
Those documents contained sensitive personal data – data relating to individuals’ medical histories and their national insurance numbers, as well as their full names and addresses.
While some of the documents had been damaged, there was no indication that there had, in fact, been any loss, theft or misuse of the data.
The case highlights the importance that the ICO places on having appropriate security arrangements in place along with risk assessments, data protection impact assessments and documented policies and procedures.
These policies and procedures must be thought out and considered in relation to the specific types of data that your business is holding and processing.
Crucially, and perhaps part of the downfall for Doorstep, staff have to be aware of data protection and have to be given proper training. Employers have to develop a culture in which data protection is taken seriously.
While the case does little to clarify some of the nuances of the GDPR regime, it sends a clear message as to the ICO's attitude towards organisations that are reckless in their management of personal data. Not surprisingly, leaving crates of confidential information unlocked and insecure in the back yard is not going to cut it!
The ICO’s guidance on special category data can be found here.
Details of the Enforcement Notice can be found here.
For further practical advice on developing and documenting procedures for special category data (such as data relating to health, race or religion, sexuality or political opinions) please contact Matt Rowley in our Corporate and Commercial Department.