GDPR Update - ICO Fines Pharmacy
Just before Christmas, the ICO issued a hefty £275,000 fine against London based pharmacy business, Doorstep Dispensaree Ltd (‘Doorstep’). The fine related to a number of breaches of the GDPR, but in particular failure by Doorstep to adequately protect approximately 500,000 paper documents containing personal data relating to its customers. The personal data included customer names, NHS numbers, medical information and prescriptions and many of the customers affected were elderly and vulnerable individuals.
The documents had been discovered in a courtyard behind one of Doorstep’s premises in a number of unlocked crates, disposal bags and a cardboard box. It was suspected that the documents had been ‘stored’ in this way for some time, as some were water damaged.
Taking into account the cavalier way in which the documents had been treated by Doorstep and the nature and extent of the personal data involved, perhaps the only surprise is that the fine was not larger. However, it’s worth reflecting on the decision for a number of reasons:
- First, it is a salutary reminder that, when it comes to keeping personal data secure, the GDPR is not just concerned with protecting personal data from unlawful or unauthorised access. Equally, businesses need to ensure that they have appropriate measures in place to protect personal data from accidental loss, damage or destruction. In this case, as well as failing to ensure that customer records were not at risk of unauthorised access by unknown third parties, Doorstep had failed to ensure that the records were protected from damage by the elements.
- Second, the decision highlights the importance of ensuring that when assessing security risks, businesses take into account all aspects of their processing. This includes how they dispose of personal data once it is no longer required, as well as how they store and transmit it whilst it is still in use.
- Third, the decision emphasises that cyber security is just one aspect of information security. Businesses also need to ensure that they implement appropriate organisational and physical security measures which will protect personal data held both in hard copy and electronically, for example effective security policies, secure premises, access controls and suitable document disposal systems.
- Fourth, it is a reminder that businesses need to ensure that their security measures are appropriate in the context of the nature and extent of the processing being undertaken and the personal data involved. In order to do so, a comprehensive risk assessment is essential. In this case, Doorstep had clearly failed to ensure that its procedures relating to the disposal of customer records took into account the fact that individuals were easily identifiable from the records, or that the personal data included high volumes of special category personal data relating to elderly and vulnerable persons.
It’s also worth noting that this is the first fine that has actually been imposed by the ICO under the GDPR. The ICO’s other actions to date have only consisted of serving notices of its intention to issue a fine (e.g. as in the cases of BA and Marriott).
If you’d like further guidance on applying the GDPR’s security obligations to your business, please don’t hesitate to contact a member of our Information Law Team.