Doorstep Dispensaree, based in Edgware, north London, has been fined a whopping £275,000 by the Information Commissioner’s Office (ICO) for “cavalier” disposal of records about vulnerable care home residents.
The pharmacy, which supplies medicines to individuals and care homes, stored approximately 500,000 documents containing care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions in its courtyard.
The pharmacy had kept the sensitive patient data in “47 crates, two disposal bags and one cardboard box full of documents containing personal data” in unlocked containers at the back of its premises.
This led to some documents being found “soaking wet…indicating that they had been stored in this way for some time”, according to the enforcement notice.
Doorstep Dispensaree claimed the documents were securely stored because the courtyard was locked. However, the ICO did not accept this reasoning and said the pharmacy itself admitted that residents in the flats above the branch could access the area through a fire escape.
“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects, and it falls short of what people expect,” ICO director of investigations Steve Eckersley said.
He added: “Given the nature of Doorstep Dispensaree’s business supplying medicines to care homes, it appears likely that a high proportion of the affected data subjects are elderly or otherwise vulnerable.”
These documents were dated between January 2016 and July 2018.
The ICO has issued fines before, but this is the first recorded penalty it has levied in the UK under the EU-mandated General Data Protection Regulation (GDPR).
The company was fined for failing to ensure the security of special category data.
Since 2018, the ICO has issued 22 monetary fines totalling over £3 million under the Data Protection Act 1998 and 23 fines totalling over £2 million under the Privacy and Electronic Communications Regulations.
The ICO also fined Cambridge Analytica £15,000, plus a further £6,000 in costs, for failing to comply with an enforcement notice the ICO issued in May last year directing the firm to provide an individual with details of the personal data it processed about him.
The Doorstep Dispensaree penalty, by contrast, is the ICO’s first under the GDPR and was levied for failing to ensure the security of special category data.
The ICO has given the pharmacy a deadline of January 17 to pay the fine.
The penalty shows that the ICO is starting to fine businesses of all sizes, not just big organisations such as Marriott and British Airways.
The ICO was made aware of the breach by the Medicines and Healthcare Products Regulatory Agency (MHRA), which searched the pharmacy premises last year while conducting its own enquiry into the pharmacy’s “alleged unlicensed and unregulated storage and distribution of medicines”.
The ICO concluded that the company had failed to ensure the “appropriate security” of the personal data it processes and had “processed personal data in an insecure manner”, in contravention of GDPR Articles 5(1)(f), 24(1) and 32.
In setting the fine, the ICO considered the contravention only from 25 May 2018, when the GDPR came into effect.
The fine was also reduced from an initial figure of £400,000.
The pharmacy was ordered to improve its data protection practices within three months or face further penalty notices, which could see it pay up to 4% of its annual turnover in fines.
An accompanying ICO penalty notice, published on 17 December 2019, said: “The data subjects can be very readily identified and linked to data concerning their health.
“Given the nature of Doorstep Dispensaree’s business supplying medicines to care homes, it appears likely that a high proportion of the affected data subjects are elderly or otherwise vulnerable.”
While the ICO said the number of people “affected by the breach cannot be confirmed,” it estimated that the documents “related to around 78 care homes”.