ICO fines London pharmacy £275,000 for breach of GDPR for failure to keep special category data secure

Posted on Friday January 3, 2020

A London pharmacy has been fined £275,000 for failing to ensure the security of special category data under the General Data Protection Regulation (GDPR). This is the first fine issued under the GDPR, which came into effect on 25 May 2018.

A notice published by the Information Commissioner’s Office (ICO) has announced that Doorstep Dispensaree Ltd left almost half a million documents in unlocked containers at the back of its premises in Edgware.

Information within these documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to many people.

The documents were dated between June 2016 and June 2018 and were so inadequately protected that they received water damage from being exposed to the elements.

Information concerning health is given extra protection because of how sensitive it is and is classed as “special category” data under the GDPR. There are very complex rules concerning how such data should be processed by businesses.

Introduced in May 2018, the GDPR was a landmark change to the UK’s data protection rules, forcing thousands of businesses to change how they handled personal data and how they responded to breaches involving it.

Doorstep Dispensaree Ltd was investigated by the ICO after the Medicines and Healthcare products Regulatory Agency (MHRA), which was carrying out its own enquiries at the firm, tipped the ICO off that documents were being stored insecurely.

Steve Eckersley, ICO director of investigations, commented on the seriousness of this breach, stating: “The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

The £275,000 fine was imposed under section 155 of the Data Protection Act 2018.

The business must now update all of its data handling policies and procedures to comply with the GDPR and show the ICO that it has complied with the steps directed.

Under the GDPR, businesses and organisations can be fined up to €20 million, or 4 per cent of annual global turnover – whichever is greater.

If you are concerned about your data protection procedures in light of this fine, please contact Sehaj Lamba.