First Ever UK GDPR Penalty is €325k for London Pharmacy

The Information Commissioner’s Office (ICO) in the UK has issued the first ever General Data Protection Regulation (GDPR) penalty, against a London-based pharmacy.

Doorstep Dispensaree was hit with a €325,000 (UK£275,000) due to, what was termed, its ‘cavalier attitude to data protection’. It has been discovered that the pharmacy placed 500,000 medical documents that included protected personal information in unsecured and unlocked containers, disposal bags and in a cardboard box.  These files were found as part of a  during a Medicines and Healthcare Regulatory Agency (MHRA) investigation which was looking into alleged unlicensed and unregulated storage of files.

The enforcement notice that was made public by ICO stated that the variety of data included breached names, addresses, dates of birth, medical information, NHS numbers and prescriptions dated from between January 2016 to June 2018. These documents make it possible for data subjects to be identified and linked to data concerning their health.

ICO issued a statement in relation to the GDPR violation that said the documents were “not secure and they were not marked as confidential waste”, adding that a portion of them “were soaking wet, indicating that they had been stored in this way for some time. Given the nature of Doorstep Dispensaree’s business supplying medicines to care homes, it appears likely that a high proportion of the affected data subjects are elderly or otherwise vulnerable.”

It continued: “Regardless of the exact number of care homes involved, given the volume of documentation and size of Doorstep Dispensaree’s business, it appears likely that hundreds and possibly even thousands of data subjects have been affected. Taking all the above factors into account, the commissioner has decided to impose a penalty in the sum of £275,000.”

Steve Eckersley, Director of Investigations at the ICO remarked: “The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

Along with the GDPR fine, Doorstep Dispensaree has also been sent an enforcement notice due to the serious nature of the breaches that took place. This has directed them to strengthen data protection measures within three-months. If enhancements are not in place by then another enforcement action could be applied by ICO.