A year and a half after coming into effect in May 2018, the GDPR has seen its first fine handed out by the Information Commissioner’s Office (ICO). This case highlights the importance of data protection for businesses, serving as a cautionary tale about the importance of proper data storage.
In this blog, we will tell you about the first fine the Information Commissioner’s Office handed out under the GDPR and give you the key takeaways from the decision.
Why did ICO fine the company?
In December 2019, ICO fined a pharmacy, Doorstep Dispensaree, £275,000 for failing to ensure the security of special category data.
Doorstep Dispensaree, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
The documents were dated between June 2016 and June 2018; some had not been appropriately protected against the elements and were water damaged as a result. Failing to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage is an infringement of the GDPR. This highlights the importance of training all employees on data protection so that such errors are not made, as they can be costly for any business.
How was the ICO made aware of the data protection breach?
The ICO launched its investigation into Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy.
Whilst executing a search warrant, the MHRA discovered, in a rear courtyard, 47 unlocked crates, 2 disposal bags and a cardboard box containing an estimated 500,000 documents with names, addresses, dates of birth, NHS numbers, medical information and prescriptions. The documents weren’t secure or marked as confidential and some were soaking wet.
The ICO requested information from Doorstep Dispensaree; however, Doorstep Dispensaree refused to provide this and the ICO issued an Information Notice in October 2018. Doorstep Dispensaree appealed the issuing of the Notice as the MHRA were investigating, but the Notice was upheld. Doorstep Dispensaree eventually responded to the Notice but still didn’t provide the ICO with all the required information. The policies that it did provide were vague templates from a trade association and some hadn’t even been used by Doorstep Dispensaree.
The ICO issued a Notice of Intent to impose a £400,000 fine in June 2019. Doorstep Dispensaree replied with written representations, including that the waste disposal company was at fault and that they should be fined instead. The ICO didn’t accept this argument as Doorstep Dispensaree was the controller and had full responsibility.
What exactly caused Doorstep Dispensaree to receive an ICO fine?
The contraventions set out in the Monetary Penalty Notice can be grouped into two types:
Security (Articles 5(1)(f), 24(1) and 32 GDPR):
- leaving documents outside in unlocked containers where they could be accessed by neighbours and damaged by water ingress from “careless” storage
- documents not being securely shredded in breach of a relevant policy
- policies being “out of date and/or inadequate and/or generic templates”
- inadequate records
- concerns about retention
- a large number of data subjects were affected, including elderly or vulnerable people in care homes
Transparency (Articles 13 and 14 GDPR) – various deficiencies in Doorstep Dispensaree’s privacy notices.
Specifically, the notices:
- did not state that Doorstep Dispensaree was the controller
- did not give the Article 6 legal basis or the Article 9 condition for processing special category data
- did not outline the categories of personal data collected from third parties
- did not specify what their legitimate interest was
- did not explain who the recipients of the data were
- did not state the retention periods for the data
- did not inform the data subjects of their rights
- did not say which third parties the data came from
- did not say whether the processing was a statutory or contractual requirement
Most of this could have been handled with a fair processing notice.
ICO concluded that the breach was “extremely serious and demonstrates a cavalier attitude to data protection”.
How to avoid receiving an ICO fine
This case showed the repercussions of incorrectly storing sensitive data. Data breaches can be costly – not just for those whose data is compromised, but for the organisation responsible for holding that data as well.
It also brings into sharp focus the role that data protection officers should play in helping businesses avoid such mishaps, as with proper guidance, this incident might have been avoided.
The Doorstep Dispensaree ordeal highlighted a number of ways to avoid incurring such a penalty in the future:
- You are responsible for the data in your care. Keep it secure.
- You are responsible for giving people the information required by Articles 13 and 14.
- Audit your service providers, especially on security matters, throughout the relationship lifecycle, as you are the controller.
- Have a data-sharing agreement in place with all processors that conforms with the GDPR and has a liability clause in it.
- Don’t forget that it’s not just data subject complaints and news reports that trigger investigations – reports from other regulators can, too.
Protect your data with an outsourced data protection officer
The way you protect your data falls to you, and you must ensure that you abide by the law.
Not only do you risk being fined if you don’t, but you also risk losing your reputation as a business. Ensure that you are ICO compliant and consider outsourcing a Data Protection Officer if you don’t have the knowledge in-house.
If you have any questions, the team at Sapphire Consulting is always happy to help. Get in touch with us today to find out more.