Data Protection: First UK GDPR fine


In late December the UK Data Protection Authority, the Information Commissioner’s Office (ICO), announced its first fine under GDPR. The fine was at the lower end of the scale after Doorstep Dispensaree Ltd., a company running a pharmacy based in Edgware in London, was fined £275,000. The ICO also issued an Enforcement Notice against the company requiring it to undertake a program of work to improve its data protection compliance within 3 months.


What was this about?


Under GDPR, organisations are obliged to put in place adequate technical and organisational measures (TOMs) to prevent unauthorised access to personal data. In this case Doorstep Dispensaree left 500,000 documents exposed showing names, addresses and medical information in unlocked containers in a courtyard at the back of its premises. Whilst there seems to have been no evidence of the data having been taken, the ICO felt that the pharmacy had not put adequate TOMs in place.

In July 2018 the ICO received a referral from the Medicines and Healthcare products Regulatory Agency (MHRA) which was conducting its own enquiry into the pharmacy’s alleged unlicensed and unregulated storage and distribution of medicines. The MHRA found 47 crates, two disposal bags and one cardboard box with documents containing personal data in unlocked containers at the back of the pharmacy’s premises. The MHRA seized the documents and put them in secure storage. The MHRA subsequently discontinued its investigation.


What did the ICO say?


Steve Eckersley, Director of Investigations at the ICO, said:

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

The ICO also issued an enforcement notice against Doorstep Dispensaree on 17 December 2019. As well as the data breach, the ICO said that it was concerned that the company had inadequate data protection policies and procedures in place. One of the ICO’s concerns was that policies had not been updated since 2015. The ICO also had concerns about the company’s privacy policy. The company must improve its data protection practices within three months or face further penalties. The measures required by the Enforcement Notice include:

  1. Updating its data protection policies and procedures
  2. Appointing a member of staff as a DPO or Information Governance Lead
  3. Mandatory training for all staff within the next 6 months with regular refreshers at least once every 2 years; and
  4. Updating the privacy policy

The company must also provide evidence to the ICO that those steps have been taken.


What has Doorstep Dispensaree said?


Doorstep Dispensaree claimed the documents were securely stored because the courtyard was locked. However, the ICO did not accept this and said the pharmacy itself admitted that residents in the flats above the branch could access the area through a fire escape.

Doorstep Dispensaree also said that another company was responsible for the breach. However the ICO decided that this company was in fact Doorstep Dispensaree’s data processor rather than a data controller in its own right.


What does this case tell us?


This case tells us a number of things including:

1.  Hardcopy data is important. Many GDPR and information security programs concentrate just on electronic data. Hardcopy data breaches can be more damaging given the ease with which data can be taken without specialist skills.

2.  As we predicted prior to GDPR coming in, the security and integrity of data is important. We have had similar cases in the UK previously involving health data, and cases involving medical records are always likely to be prioritised.

3.  Fines will not always be at the upper end. Fines under GDPR can be up to 4% or €20m. Doorstep Dispensaree’s last filed accounts don’t seem to show its turnover but it seems likely that €20m would be the relevant figure here and £275,000 is clearly a relatively small fine in comparison. There have been probably around 2,500 GDPR fines across the EU so far and many of them are for relatively small amounts. We’re expecting news this year relating to two much larger fines against BA and Marriott where Notices of Intent were raised in 2019. The ICO recently confirmed that it had agreed extensions until the end of March 2020 in finalising these cases. The Doorstep Dispensaree case could be a sign of hope for both as here the ICO’s initial Notice of Intent proposed a fine of £400,000 which was reduced after the company’s submissions to the ICO and after the ICO took into account the remedial work it had done after the MHRA visit.

4.  When they do spot a possible security vulnerability, organisations need to deal with it quickly and efficiently. You can find some tips on dealing with a data breach in our short film here and details of GDPR Navigator, our system for handling data breaches, here.

5.  Organisations should make sure that their policies and procedures are up-to-date. The case emphasises that once there is an investigation, it will not necessarily be confined to the breach itself. The organisation’s general data protection hygiene may also be considered leading to possible additional enforcement action.

6.  Data Protection Authorities must be treated with respect. Investigations like this are serious and organisations need to make sure that they deal with them properly. In most cases that is likely to mean that specialist counsel must be instructed to liaise with the regulator. It would appear that the company here made some errors in the way in which it dealt with the ICO’s initial investigation and that seems to have compounded the situation for them. The ICO then issued an Information Notice legally requiring the company to address their concerns. This notice was appealed unsuccessfully.

A copy of the ICO’s Enforcement Notice is here. A copy of the Monetary Penalty Notice is here.

For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

About the author:

Jonathan is an experienced lawyer with a concentration on technology and compliance. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries involving emerging technology, corporate governance, ethics code implementation, reputation, internal investigations, marketing, branding and global privacy policies. Jonathan has counselled a range of clients on breach prevention, mitigation and response. He has also been particularly active in advising multi-national corporations on their response to the UK Bribery Act 2010 and its inter-relationship with the U.S. Foreign Corrupt Practices Act (FCPA).

Jonathan is one of three co-authors of the LexisNexis definitive work on technology law, “Managing Risk: Technology & Communications”. He is a frequent broadcaster for the BBC and other channels and appeared on BBC News 24 as the studio guest on the Walport Review.

In addition to being a lawyer, Jonathan is a Fellow of The Chartered Institute of Marketing. He has spoken at conferences in the U.S., Canada, China, Brazil, Singapore, Vietnam, the Middle East and across Europe. Jonathan qualified as a lawyer in the UK in 1991 and has focused on technology, risk and governance matters for more than 20 years. In April 2017 Thomson Reuters listed Jonathan as the 6th most influential figure in risk, compliance and fintech in the UK. Jonathan was ranked as the 14th most influential figure in data security worldwide by Onalytica in their 2016 Data Security Top 100 Influencers and Brands Survey.

Jonathan is a Solicitor of the Senior Courts of England & Wales. In addition Jonathan is admitted as a Solicitor (non-practising) in Ireland.