A London pharmacy supplying medicines to customers and care homes has fined £275,000 by the Information Commissioner’s Office (ICO) for lapses in data security.
The Doorstep Dispensaree became the first UK business to be fined under the General Data Protection Regulations (GDPR), which came into effect on May 25, 2018.
According to ICO, the pharmacy left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of patients.
The documents were dated between June 2016 and June 2018. Some of the documents were water damaged, making the pharmacy responsible for not ensuring security against accidental loss, destruction or damage.
ICO launched the investigation after it was alerted by the Medicines and Healthcare products Regulatory Agency (MHRA).
“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect,” said Steve Eckersley, Director of Investigations at ICO.
The pharmacy has also been issued an enforcement notice and ordered to improve its data protection practices within three months.
Commenting on the news, Paula Barrett, Partner and Global Co-lead of Privacy & Cyber Security Law, Eversheds Sutherland, said: “There are likely many others for whom the disposal of personal data securely is an ongoing operational concern. Particularly for those businesses where they have a large number of smaller premises, where centralised controls are more difficult to implement. Here what was actually happening on the ground was contrary to their own policy and supposedly arrangements with a service provider.”
“In addition to the storage breach itself, they were also sanctioned for non-compliance in other areas. Notably an inadequate privacy notice. One of the first cases in which we have seen the ICO comment.”
“It further demonstrates the co-operation between agencies, the investigation process, factors taken into consideration and that the final amount of the penalty notice was reduced following the initial notice from £400,000 down to £275,000, so it appears some consideration was given to representations made. As well as a fine, they also have further remediation work to undertake, so there is, in fact, a combination of tools in the ICO armoury being deployed here. Remediation effort costs could outweigh the fine itself,” Barrett said.
Doorstep Dispensaree is yet to respond.