So you might have missed it in the run-up to Christmas but, on 20th December 2019, the ICO issued its first GDPR fine. Due to a number of serious breaches of the GDPR, the ICO fined a London pharmacy £275,000. This is a reduced sum from the ICO’s original intention to fine of £400,000. The pharmacy – Doorstep Dispensaree Ltd – was also issued with an enforcement notice by the ICO.
In other words, the ICO decided not just to issue a monetary penalty but also to require the pharmacy to carry out certain changes to its data protection compliance within a 3-month period and to provide evidence of these changes to the ICO.
What happened?
The pharmacy was found to have left at least 47 crates containing very sensitive information on patients’ health (approx. 500,000 hard copy documents) in an unsecured area where the storage facilities did not prevent unauthorised access or accidental loss. The pharmacy had also not been appropriately transparent with individuals as required under the GDPR. It had additionally taken no action to mitigate any possible damage to individuals’ privacy.
Is this really the first GDPR fine from the ICO?
While there was a lot of news coverage of the ICO’s announcements relating to security breaches by British Airways and Marriott International in July 2019, these were only intentions to fine and not the actual fines themselves (though we may receive confirmation on these shortly). But what we now have in the Doorstep Dispensaree enforcement action is the first GDPR fine by the ICO.
What does the enforcement action tell us?
Briefly, the circumstances surrounding Doorstep Dispensaree’s failures to comply with the GDPR, and its subsequent interactions with the ICO, demonstrated a poor understanding of both data protection compliance and the ICO’s role. Doubtless the pharmacy’s inadequate conduct and response to the ICO contributed significantly to the ICO’s decision to fine and issue an enforcement notice.
The ICO asked the pharmacy to provide information including a copy of its privacy notice, its retention policy, and its policy on the secure disposal of personal data. When the pharmacy eventually provided certain documents in response to these requests, the ICO considered them to be mostly non-compliant with the GDPR: policy templates which had not been finalised and implemented, and documents that gave staff little practical guidance on their responsibilities.
A pharmacy such as Doorstep Dispensaree was routinely dealing with special category data (health data) on vulnerable individuals within care homes. The ICO took this into account when considering what enforcement action was appropriate.
What lessons can be learned?
While your organisation may not be a pharmacy and (hopefully) does not have the “cavalier” attitude to GDPR compliance (the ICO’s own word) shown by Doorstep Dispensaree, it’s important to note the ICO’s focus on examining policies, procedures and training. If it comes to it, organisations need to be ready to explain their GDPR compliance framework to the ICO, including any ongoing compliance gaps.
We offer GDPR HealthCheck services for organisations seeking to understand their level of compliance and risk. Please contact Victoria Hordern for more information.