On 20 December 2019, the Information Commissioner’s Office (“the ICO”) issued its first GDPR fine to Doorstep Dispensaree Limited (“Doorstep”), a London pharmacy which supplies medicines to customers and care homes, for the sum of £275,000.
This article examines the issues raised by the ICO through its investigations and the important considerations for businesses to bear in mind in light of their data protection obligations.
Doorstep is a provider of pharmaceutical services to care homes in the UK. On 24 July 2018, approximately 500,000 documents were found in unlocked containers at the back of Doorstep's premises in Edgware by the Medicines and Healthcare Products Regulatory Agency (“MHRA”), which was at the premises to conduct its own investigation into the alleged unlicensed and unregulated storage and distribution of medicines by Doorstep. The MHRA notified the ICO of its discovery of the documents on 31 July 2018.
The documents in question were dated between January 2016 and June 2018 and contained personal data including the names, addresses, dates of birth, NHS numbers, medical information and prescription information of Doorstep’s customers. None of the documents found were marked as confidential waste, nor were they securely stored.
The ICO was concerned that personal data had been processed insecurely and in contravention of the GDPR. Accordingly, on 15 August 2018 the ICO wrote to Doorstep requesting information regarding its compliance with the GDPR. The ICO's Penalty Notice stated that Doorstep initially seemed to deny any knowledge of the matter and did not respond adequately to the ICO's questions. As a result, on 25 October 2018, the ICO issued an Information Notice.
Doorstep appealed the Information Notice, but this was dismissed by the First-Tier Tribunal (Information Rights) on 28 January 2019. Doorstep had declined to provide information that might expose it to prosecution in the MHRA's existing criminal proceedings but provided a number of its data handling procedures and guideline documents to the ICO.
The ICO found, amongst other things, that most of Doorstep’s policies and guidelines had not been updated since April 2015 – well before the GDPR came into effect in the UK. The policy documents provided to staff were also found to be vague in their practical advice and the few documents which did make reference to the GDPR were simply templates from the National Pharmacy Association (a trade organisation) which had not been incorporated by Doorstep.
The ICO, in its Penalty Notice, found that Doorstep was in contravention of several provisions of the GDPR.
Although Doorstep alleged that any penalty should be issued against Joogee Pharma Limited, a licensed waste disposal company operating under contract to Doorstep, the ICO concluded that Joogee was a data processor acting on the instructions of Doorstep and carrying out data processing on its behalf.
Article 5(1)(f) – The ‘confidentiality and integrity’ of personal data
The ICO considered that Doorstep had infringed Article 5(1)(f) in the following ways:
Article 24(1) – Risk Assessment
For the same reasons as above, the ICO decided Doorstep was in breach of Article 24(1). The volume and sensitivity of the data gave rise to a high risk to the rights and freedoms of the data subjects, warranting significantly more stringent data security measures than Doorstep applied.
Article 32(1) – Security and Processing
Doorstep had infringed Article 32(1) because, despite the high level of risk to the data subjects, Doorstep did not adopt appropriate and cost-effective measures such as the shredding and secure storage of data.
Articles 13 & 14 – Information to be Provided
The Privacy Notice provided by Doorstep to the ICO did not contain all of the information required by Articles 13 and 14.
In deciding whether Doorstep’s GDPR contraventions were serious enough to warrant a fine, the ICO had regard to the factors under Article 83(1). Some of the relevant considerations by the ICO are as follows:
(1) Nature of the breach
In the case of Doorstep, the fact that the data it held was particularly sensitive and contained Special Category Data meant that it was especially important for Doorstep to have taken its data protection obligations seriously. The Commissioner considered that the breach "resulted from a highly culpable degree of negligence on the part of Doorstep Dispensaree".
Additionally, because of the sensitivity of the data, the ICO held it was particularly important to ensure that data subjects were provided with the information required under Articles 13 and 14, but Doorstep did not meet its regulatory obligations in this respect. In this regard, it is worth noting that the ICO later held that these infringements were "a case of a negligent rather than a deliberate infringement".
(2) Gravity of the breach
The ICO considered the breach to be very serious because:
(3) Duration of the breach
The ICO was unable to determine exactly how long the breach had been occurring but was satisfied that Doorstep had been in breach of the GDPR since at least 25 May 2018 – the date on which the GDPR came into force.
(4) Number of data subjects affected
While the ICO could not determine how many data subjects were affected by the breach, approximately 500,000 documents had been discovered. Given the volume of the documentation and the size of Doorstep’s business, it was likely that the number of data subjects affected ran into the hundreds, if not the thousands.
(5) Damage suffered by data subjects
The ICO acknowledged the steps Doorstep is now taking to improve its written policies, contractual arrangements and level of training and took this into account when determining the appropriate amount of the penalty.
It was found, however, that it was a major failing by Doorstep, as a controller that routinely processed large quantities of highly sensitive health data, not to have in place the appropriate measures required under Articles 25 and 32. Accordingly, the ICO held that Doorstep bore full responsibility for these infringements and for the shortcomings of its privacy notice.
(6) The degree of co-operation with the ICO
The ICO described Doorstep’s level of co-operation as “poor”, due to the multiple follow-up e-mails which were required to obtain responses to its enquiries.
(1) Changes made after an investigation do not affect the ICO’s assessment of the severity of the breach
(2) Organisations should keep their data handling policies and procedures up to date
(3) Controllers cannot sub-contract their obligations under the GDPR
(4) Special category data
(5) Organisations should comply effectively with data protection authorities
(6) The GDPR is not just focused on electronic data