The ICO issues its first GDPR fine

On 20 December 2019, the Information Commissioner’s Office (“the ICO”) issued its first GDPR fine to Doorstep Dispensaree Limited (“Doorstep”), a London pharmacy which supplies medicines to customers and care homes, for the sum of £275,000.

This article examines the issues raised by the ICO through its investigations and the important considerations for businesses to bear in mind in light of their data protection obligations.  

The discovery

Doorstep is a provider of pharmaceutical services to care homes in the UK. On 24 July 2018, approximately 500,000 documents were found in unlocked containers at the back of Doorstep's premises in Edgware by the Medicines and Healthcare Products Regulatory Agency (“MHRA”), who was at the premises to conduct its own investigation into the alleged unlicensed and unregulated storage and distribution of medicines by Doorstep. The MHRA notified the ICO of its discovery of the documents on 31 July 2018.

The dates of the documents in question ranged from January 2016 to June 2018 and contained personal data including the names, addresses, dates of birth, NHS numbers, medical information and prescription information of Doorstep’s customers. None of the documents found were marked as confidential waste and were not securely stored.

The ICO’s investigation

The ICO was concerned that personal data had been processed insecurely and in contravention of the GDPR. Accordingly, on 15 August 2018 the ICO wrote to Doorstep requesting information regarding its compliance with the GDPR. The ICO's Penalty Notice stated that Doorstep initially seemed to deny any knowledge of the matter and did not respond adequately to the ICO's questions. As a result, on 25 October 2018, the ICO issued an Information Notice.

Doorstep appealed the Information Notice, but this was dismissed by the First-Tier Tribunal (Information Rights) on 28 January 2019. Doorstep had declined to provide information that might expose it to prosecution in the MHRA's existing criminal proceedings but provided a number of its data handling procedures and guideline documents to the ICO.  

The ICO found, amongst other things, that most of Doorstep’s policies and guidelines had not been updated since April 2015 – well before the GDPR came into effect in the UK. The policy documents provided to staff were also found to be vague in their practical advice and the few documents which did make reference to the GDPR were simply templates from the National Pharmacy Association (a trade organisation) which had not been incorporated by Doorstep.

Doorstep’s breaches of GDPR

The ICO, in its Penalty Notice, found that Doorstep was in contravention of several provisions of the GDPR. 

Although Doorstep alleged that any penalty should be issued against Joogee Pharma Limited, a licensed waste disposal company operating under contract to Doorstep, the ICO concluded that Joogee was a data processor acting on the instructions of Doorstep and carrying out data processing on its behalf.

Article 5(1)(f) – The ‘confidentiality and integrity’ of personal data

The ICO considered that Doorstep had infringed Article 5(1)(f) in the following ways:

• It had not implemented technological measures such as the secure storage or physical shredding of data which gave rise to the risk of unauthorised access.
• It had not implemented organisational measures such as adequate data protection policies.
• There was an unacceptable risk of the accidental loss or destruction of data because of the way it was stored. This was highlighted by the ingress of water into some of the documents.

Article 24(1) – Risk Assessment

For the same reasons above, the ICO decided Doorstep was in breach of Article 24(1).  The volume and sensitivity of the data gave rise to a high risk to the rights and freedoms of the data subjects, warranting significantly more stringent data security measures than Doorstep applied.

Article 32(1) – Security and Processing

Doorstep had infringed Article 32(1) because despite the high level risk to the data subjects, Doorstep did not adopt appropriate and cost effective measures such as the shredding and secure storage of data. 

Articles 13 & 14 – Information to be Provided

The Privacy Notice provided by Doorstep to the ICO did not contain all of the information required by Articles 13 and 14.

Factors relevant to issuing the fine

In deciding whether Doorstep’s GDPR contraventions were serious enough to warrant a fine, the ICO had regard to the factors under Article 83(1). Some of the relevant considerations by the ICO are as follows:

(1) Nature of the breach

In the case of Doorstep, the fact that the data it held was extra sensitive and contained Special Category Data meant that it was particularly important for Doorstep to have taken its data protection obligations more seriously.  The Commissioner considered that the breach "resulted from a highly culpable degree of negligence on the part of Doorstep Dispensaree".

Additionally, because of the sensitivity of the data, the ICO held it was particularly important to ensure that data subjects were provided with information required under Articles 13 and 14 but Doorstep did not meet its regulatory obligations in this respect. In this regard, it is worth noting that the ICO later held that these infringements were "a case of a negligent rather than a deliberate infringement".

(2) Gravity of the breach

The ICO considered the breach to be very serious because:

• It concerned highly sensitive information which was "left unsecured in a cavalier fashion".
• It was possible to readily identify the data subjects’ names and health data.
• There were significant shortcomings in the information provided to data subjects through Doorstep’s privacy policy. The data subjects had a right to know what Doorstep was doing with their data but were not told anything in near enough detail especially given the sensitive nature of the data.
• No data subject could reasonably expect that their personal data (including their health data) would be handed in the manner it was by Doorstep.

(3) Duration of the breach

The ICO was unable to determine exactly for how long the breach was occurring but was satisfied that Doorstep had been in breach of the GDPR since at least 25 May 2018 – the date which the GDPR came into force.  

(4) Number of data subjects affected

While the ICO could not determine how many data subjects were affected by the breach, there were approximately 500,000 documents that had been discovered. Given the volume of the documentation and the size of Doorstep’s business, it made it likely that the number of data subjects which may have been affected was in the hundreds, if not the thousands.  

(5) Damage suffered by data subjects

The ICO acknowledged the steps Doorstep is now taking to improve its written policies, contractual arrangements and level of training and took this into account when determining the appropriate amount of the penalty.

It was found however that it was a major failing by Doorstep, as a controller that routinely processed large quantities of highly sensitive health data, to not have in place the appropriate measures required under Articles 25 and 32.  Accordingly the ICO held that Doorstep bore full responsibility for these infringements and for the shortcomings of its privacy notice.

 (6) The degree of co-operation with the ICO

The ICO described Doorstep’s level of co-operation as “poor”, due to the multiple follow up e-mails which were required to achieve responses to its enquiries.

Points to note by organisations

(1) Changes made after an investigation do not affect the ICO’s assessment of the severity of the breach

• Changes to data handling policies and procedures after an investigation has commenced are unlikely to sway the ICO’s assessment of how serious defective practices were prior to the breach.
• Such changes may however mitigate against the level of any fine to be imposed.

(2) Organisations should keep their data handling policies and procedures up to date

• In assessing the severity of the breach and whether to award a fine, the ICO placed emphasis on the fact that Doorstep’s breach had been ongoing since at least the implementation of the GDPR.
• In determining this, the fact that Doorstep’s data handling policies and procedures were mostly dated from April 2015 was significant.
• Therefore, organisations should ensure that their policies and procedures are up to date and GDPR compliant, and should not wait for a potential breach before doing so.

(3) Controllers cannot sub-contract its obligations under the GDPR

• The presence of a sub-contractor does not absolve a data controller of its responsibility and obligations under the GDPR.
• Doorstep as a data controller was required to ensure the security of any processing undertaken by it or on its behalf.

(4) Special category data

• Organisations handling special category data have to take extra care as the GDPR requires heightened protection measures due to the increased personal element of such data.

(5) Organisations should comply effectively with data protection authorities

• The ICO noted Doorstep’s poor level of co-operation during the investigation.
• Organisations subject to an investigation should deal with data protection regulatory authorities appropriately.

(6) The GDPR is not just focused on electronic data

• While cyber security is important, this case shows the importance of organisations implementing measures to deal with hard copy data. This should include security measures and document disposal measures.