Doorstep Dispensaree has been fined £275,000 for failing to comply with the GDPR (General Data Protection Regulation), making it the first organisation in the UK to be penalised for breaching its requirements.
The London-based pharmacy, which supplies medicines to thousands of care homes, left about 500,000 documents containing personal data in unlocked containers in the back of its premises.
The documents, dating from June 2016 to June 2018, included patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions.
What went wrong?
By failing to keep patients’ records secure, Doorstep Dispensaree violated the GDPR’s integrity and confidentiality principle, which states that personal data must be
processed in a manner that ensures appropriate security […], including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Doorstep Dispensaree failed to do this in two ways. First, it didn’t implement measures to guard against unauthorised access, instead leaving the personal data in an unlocked box that anyone could view.
Second, it failed to protect against accidental destruction, with the ICO noting that the boxes were exposed to the elements and had become water damaged.
Steve Eckersley, Director of Investigations at the ICO, said:
“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”
Haven’t there already been GDPR fines in the UK?
However, the ICO is liaising with other supervisory authorities before confirming those fines. It’s also giving both organisations the opportunity to provide evidence that could mitigate the size of the penalty.
As such, Doorstep Dispensaree is the first organisation in the UK to have formally been issued a fine – although it’s certainly not the first in Europe.
Plenty of fines have been levied in the year and a half since the GDPR came into effect; the delay in the UK is because the ICO prioritised the investigations into British Airways and Marriott International due to their high-profile nature.
With the ICO moving on to more routine investigations like this one, we could see a consistent flow of fines in the future. Thousands of complaints have been made in the past year, so it has no shortage of possibilities for investigations.