London pharmacy Doorstep Dispensaree Ltd has been issued a fine of £275,000 by the Information Commissioner's Office under the new General Data Protection Regulation for failing to store approximately 500,000 documents in accordance with the latest data protection requirements.
In July last year, the Medicines and Healthcare Products Regulatory Agency (MHRA) carried out a search at the premises of Doorstep Dispensaree under the Human Medicines Regulations. During the course of the search, MHRA found that the London pharmacy stored approximately 50,000 documents in unlocked crates, disposal bags, and boxes in a rear courtyard.
The documents contained vast amounts of personal data of UK citizens such as names, addresses, dates of birth, NHS numbers, prescription details, and other medical information. These documents were dated between January 2016 and July 2018 and had suffered damage due to prolonged exposure to the elements.
MHRA promptly referred the London pharmacy to the ICO due to various violations of data protection regulations. Information Commissioner Elizabeth Denham then wrote to the pharmacy, asking it to explain why the documents were stored in such manner, why it chose to retain some of the information since January 2016, and to provide a copy of its policy relating to the secure disposal of personal data to her office.
London pharmacy did not cooperate with the ICO at first
After the pharmacy chose not to respond accurately to the Commissioner's queries, the ICO issued an Information Notice to it in October 2018, asking it again to respond to the Commissioner's queries. Instead of responding, the pharmacy appealed the Information Notice but the appeal was dismissed by the First-Tier Tribunal on 28 January this year.
Doorstep Dispensaree finally responded to the Information Notice on 1 March, stating that it could not provide some of the information requested as there was a risk of the firm exposing itself to prosecution in the MHRA's existing criminal proceedings against it.
The pharmacy, however, shared copies of its data handling procedure, its code of conduct, its information governance policy, its standard operating policies relating to the disposal of medicines, as well as a GDPR checklist issued by the National Pharmacy Association.
The ICO found that most of these policies and procedures had not been updated since April 2015 and did not incorporate any of the data protection requirements introduced by GDPR. At the same time, advice provided to staff in relation to data protection was also quite vague.
In June, the ICO issued a Notice of Intent to the London pharmacy in which it proposed to issue a fine of £400,000 under section 155 of the Data Protection Act 2018 and also informed the company of its intent to issue an Enforcement Notice under section 149 of DPA 2018 via a Preliminary Enforcement Notice.
"At the time of the breach, it [Doorstep Dispensaree Ltd] had failed to adopt and/or implement appropriate technical measures, such as physically secure storage and/or shredding, that would ensure the secure processing of personal data. Likewise, it has failed to adopt and/or implement appropriate organisational measures, such as adequate data protection policies, to ensure secure processing of personal data," the ICO noted.
"The manner in which the data were stored gave rise to an unacceptable risk of unauthorised access. There was also an unacceptable risk of accidental loss, damage or destruction of such data.
"In addition, because it has adopted inadequate data protection policies, and kept inadequate records of its data processing activities and security measures, Doorstep Dispensaree is unable to demonstrate that its processing is performed in accordance with GDPR," it added.
ICO fines Doorstep Dispensaree and threatens to take further action if data protection practices are not improved
Taking into account the size of Doorstep Dispensaree and its financial health, the ICO has decided to issue a penalty of £275,000 to the London pharmacy, which must be paid by 17 January next year. The pharmacy has also been asked to improve its data protection practices within three months, failing which further enforcement action could be taken against it.
Since 2018, the Information Commissioner's Office has issued 22 monetary fines totalling over £3 million under the Data Protection Act 1998 and 23 monetary fines totalling over £2 million under the Privacy and Electronic Communications Regulation.
Monetary fines issued under DPA 1998 totalled £3,010,610 and included a £500,000 fine issued to Equifax, a £500,000 fine issued to Facebook, a £385,000 fine issued to Uber, a £325,000 fine issued to the Crown Prosecution Service, and a £250,000 fine issued to Yahoo.
The ICO also issued a fine of £15,000 as well as a further £6,000 in costs to Cambridge Analytica in January this year for failing to comply with an enforcement notice issued by it in May last year that directed the firm to provide a citizen with details of his personal data processed by it.
However, out of 12,385 personal data breach reports it handled in the period, the ICO issued monetary penalties to data controllers in only 0.05 percent of cases, while instructing data controllers to take further action in 17 percent of cases, and taking no action at all in 82 percent of cases beyond asking organisations to take steps to address data breaches.