ICO hand over first GDPR fine to pharmacy

Following the implementation of the General Data Protection Regulations (GDPR) in May 2018, there has been little news of fines from the Information Commissioner’s Office (ICO). That is until recently, when the ICO issued its first penalty notice on 17 December 2019 to a pharmacy in London. Brian Bannister, Solicitor in our Company Commercial department, reviews the circumstances of the fine and how other organisations can avoid the same situation.

Doorstep Dispensaree Ltd (DDL), a London based company which supplies medicines to individuals and elderly care home residents, has been handed a fine of £275,000 under the GDPR for security failings. The ICO were alerted by the Medicines and Healthcare products Regulatory Agency (MHRA), who were undertaking their own investigation. While the ICO has previously indicated its intention to fine the Marriott International hotels group just over £99 million for a data breach involving around 300 million customer records, and British Airways approximately £183 million where the data breach affected over 500,000 customer records, we still await the ICO’s final determination in both cases (which would be subject to appeal in any event). Notwithstanding the relatively small size of the fine, the DDL case is important for the detailed judgement handed down by the ICO, explaining its reasoning.

There were a number of issues detailed in the notice, mainly regarding the measures taken to by the pharmacy to ensure the security of some 500,000 medical documents containing sensitive data, and the failure to take adequate steps to ensure that such records were disposed of in a sufficiently confidential and timely manner. Also relevant to the ICO’s view of the pharmacy’s ‘cavalier attitude to data protection’ was its initial refusal to answer the ICO’s requests for further information. Indeed, when the ICO issued a formal Information Notice, the pharmacy appealed to the First-tier Tribunal (Information Rights) and, despite having lost that appeal, continued for a period to withhold some of the information requested on the grounds of possible self-incrimination in any future criminal prosecution by the MHRA.

As part of the disclosure the pharmacy was prepared to make following the failed appeal, the ICO was provided with copies of various data-handling policies. The ICO held as a matter of fact that most of these documents had not been updated since April 2015 and did not reflect the pharmacy’s actual practice. Where the documentation did refer to GDPR, the wording was a word-for-word transcription of templates provided by the National Pharmacy Association. A key failure to follow the documented procedures related to the shredding of records no longer required. While this was contracted out to a third-party provider, there was no evidence of the pharmacy exercising any oversight to ensure this was done either in accordance with its stated data-retention policy (some records left in a yard at the back of the premises in various containers dated back to January 2016) or in a manner that ensured the data was kept secure up to the point of shredding. The ICO was very clear that it was the pharmacy which was the data controller, and the third-party shredder was a processor required to act in accordance with the pharmacy’s instructions. The pharmacy’s failure to exercise oversight in practice did not thereby render the third party an independent controller: the pharmacy could be held liable for the acts and omissions of its supplier.

The pharmacy were initially ordered to pay a fine of £400,000, however this was reduced to £275,000 taking into account, amongst other mitigating factors, the published finances of the pharmacy (any penalty must be effective, proportionate and dissuasive). The ICO also took into account of remedial measures which the pharmacy had subsequently put in place, but remained concerned that some stated procedures were still in boiler-plate form (thus possibly not reflecting actual practice) and its privacy notice was not yet GDPR-compliant.

Steve Eckersley, Director of Investigations at the ICO, commented, “The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

GDPR compliance

While the organisation in this instance was fined due to the lack of care regarding paper files, GDPR also applies to electronic files, with this case as an example of the consequences of not being adequately compliant with the rules.

Even though the GDPR has been in place for almost two years, it comes as no surprise that there are still organisations that have not reviewed and changed their policies or processes, and could now be left open to fines and further action. For businesses who have made the appropriate changes, the task is not over as there must be constant monitoring across an organisation, as well as reporting any breaches.

There are seven key principles under the GDPR, which are:

• Lawfulness, fairness and transparency – this principle relates to the appropriate lawful basis for processing certain data, whether that be through consent or legitimate interest, that consideration has been shown for how that processing may impact the individuals, and that the organisation is open and honest about their intentions with the data.
• Purpose limitation – this principle requires organisations to provide clarity on their purposes for processing data, that those purposes are recorded in an appropriate privacy notice and that any new use of the data is lawful and in accordance with the original reason for processing the data.
• Data minimisation – this principle leaves the organisation with only the information that is required to carry out that specific purpose, and that the information is periodically reviewed with anything no longer needed being removed.
• Accuracy – this principle requires the organisation to have the processes in place to review the data they hold regularly and that they comply with the individual’s right to rectification.
• Storage limitation – under this principle, the organisation has considered issues such as length of storage of data, retention periods and erasure or anonymising data.
• Integrity and confidentiality (security) – this principle ensures that the data being held is done so securely.
• Accountability – this principle places the accountability for compliance on the organisation.

Making your business GDPR compliant is not an overnight task, as you will also need to review your supplier contracts to determine your processor relationships with them, you may need to appoint a Data Protection Officer, you will need to conduct a full review of all of the data you process; the list goes on. However, an understanding of these seven key principles is the best place to begin. If you have questions about your GDPR compliance, you can contact Brian Bannister on 023 8071 7466 or email brianbannister@warnergoodman.co.uk.  Alternatively, you may find the following resources useful:

• GDPR - A Double Edged Sword
• GDPR - Much Ado About Nothing
• GDPR - Transparency update
• GDPR is here - are you compliant yet?
• GDPR: Controller, Joint Controller, Processor or a Mere Recipient?
• GDPR: News update on B2B Communications
• Your GDPR Checklist
• What do Article 13 and Article 14 really mean?
• Not another Data Protection Act
• Are you preparing for GDPR?

This article has been published as part of the latest issue of our Commercial Brief.  To receive a copy of our Commercial Brief directly, you can complete our form to subscribe, or email events@warnergoodman.co.uk. 

ENDS

This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.