First Ever UK GDPR Penalty is €325k for London Pharmacy

The first ever General Data Protection Regulation (GDPR) penalty in the United Kingdom has been imposed on a London-based pharmacy by the Information Commissioner’s Office (ICO).

The ICO has fined Doorstep Dispensaree €325,000 (UK£275,000) in relation to its ‘cavalier attitude to data protection’. The decision was taken after it was discovered that the pharmacy, based in Burnt Oak Broadway, Edgware, had placed 500,000 medical documents containing sensitive information in unsecured and unlocked containers, disposal bags and a cardboard box. These files were identified during a Medicines and Healthcare Regulatory Agency (MHRA) investigation that was examining alleged unlicensed and unregulated storage.

The enforcement notice published by the ICO revealed that the files included names, addresses, dates of birth, medical information, NHS numbers and prescriptions dated between January 2016 and June 2018. These documents can allow data subjects to be identified and linked to data concerning their health.

ICO published a statement in relation to the breach which stated that the documents were “not secure and they were not marked as confidential waste”, adding that some “were soaking wet, indicating that they had been stored in this way for some time. Given the nature of Doorstep Dispensaree’s business supplying medicines to care homes, it appears likely that a high proportion of the affected data subjects are elderly or otherwise vulnerable.”

It went on to say that the precise number of individuals impacted by the breach has yet to be accurately calculated; however, it is estimated that the documents “related to around 78 care homes.” It said: “Regardless of the exact number of care homes involved, given the volume of documentation and size of Doorstep Dispensaree’s business, it appears likely that hundreds and possibly even thousands of data subjects have been affected. Taking all the above factors into account, the commissioner has decided to impose a penalty in the sum of £275,000.”

Steve Eckersley, Director of Investigations at the ICO, said: “The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

Under GDPR, which became enforceable on May 25 2018, data protection agencies in the European Union can impose penalties of up to €20m or 4% of annual global revenue for the previous financial year, whichever figure is higher.

In addition to the GDPR fine, Doorstep Dispensaree has also been issued an enforcement notice due to the significance of the contraventions. The notice instructs the company to improve its data protection measures and sets a three-month deadline. If the improvements are not implemented by then, the ICO could take further enforcement action.