In a decision given just before Christmas, the ICO has imposed a hefty £275,000 fine on Doorstep Dispensaree Limited for its breaches of the GDPR. The ICO found that Doorstep had failed to ensure the security of special category personal data, following an investigation by the Medicines and Healthcare products Regulatory Agency (“MHRA”) that discovered:
- 47 unlocked crates;
- 2 disposal bags; and
- 1 cardboard box,
all packed full of poorly stored personal data (including NHS numbers, medical information and prescriptions), with nothing to mark the documents as confidential waste – the discovery was actually made in a rear courtyard with residential access, and some of the documents were sopping wet (suggesting that they had been there for some time). In total the MHRA estimated there to be approximately half a million documents containing personal data.
It’s worth noting that this fine wasn’t imposed without warning (or without the opportunity for Doorstep to address/explain its inadequate storage facilities). The Commissioner first wrote to Doorstep on 15 August 2018 with her concerns and a number of GDPR compliance questions, and whilst Doorstep responded via its solicitor 6 days later, it failed to answer the Commissioner’s questions and instead tried to deny any knowledge of the matter. Doorstep was also given a second chance when the Commissioner wrote again in September 2018 (repeating the questions about GDPR compliance), but it responded later that month with a further refusal to answer the questions.
The chain of events that followed resulted in Doorstep being issued with an Information Notice (which Doorstep unsuccessfully appealed), requiring it to provide the information initially requested by the Commissioner. The Commissioner then sent not one, but two chaser emails, with the second chaser threatening Doorstep with the issue of a penalty.
Doorstep eventually responded to the questions on 1 March 2019, providing a number of data protection documents. However, upon inspection most of these documents had not been updated since April 2015, meaning they pre-dated the implementation of the GDPR by 3 years (not ideal in demonstrating GDPR compliance).
The Commissioner originally proposed a penalty of £400,000 for Doorstep’s breach. Doorstep tried to suggest that any penalty should be issued against its licensed waste disposal company, Joogee Pharma Limited. This was rejected by the Commissioner, who was satisfied that Joogee had acted as data processor only, relying on Doorstep’s instructions and leaving it to Doorstep as data controller to determine the purpose and means of the data processing.
In assessing the appropriate penalty, the Commissioner referred to Doorstep’s breach as ‘extremely serious’, and one that demonstrated a ‘cavalier attitude to data protection’. However, being mindful that the penalty must be effective, proportionate and dissuasive, the Commissioner decided to lower the proposed penalty, imposing a penalty of £275,000 instead. The penalty is due to be paid by this Friday (17 January 2020).
Whilst this case comes as a word of warning in particular to any companies that are in possession of medical information, whether that be NHS numbers or prescriptions, there is a lesson there for any companies holding confidential data: store your information securely and keep your data protection documentation up to date.
Our commercial team specialises in data protection and all things GDPR, so please get in touch with us if you have any concerns over GDPR compliance – we are happy to advise and update (or put together) your suite of data protection documents to ensure your compliance with the GDPR.