Doorstep Dispensaree has been fined £275,000 for failing to comply with the GDPR (General Data Protection Regulation), making it the first organisation in the United Kingdom to be punished under the Regulation.
About 500,000 records holding personal data were left unattended in open containers in a back room of the London-based pharmacy, which sells medicine to thousands of care homes.
The documents, dating from June 2016 to June 2018, included the names, addresses, birth dates, NHS numbers, medical information and prescriptions of the patients.
Through failing to keep records of patients safe, Doorstep Dispensaree violated the GDPR’s integrity and confidentiality principle, which states that personal data must be processed in a manner that ensures appropriate security […], including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Doorstep Dispensaree failed in two ways. Firstly, it didn’t implement measures to guard against unauthorised access, instead leaving the personal data in an unlocked box that anyone could view.
Secondly, it failed to protect against accidental destruction, with the ICO noting that the boxes were exposed to the elements and had become water damaged.
“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”
Director of Investigations, ICO
You could argue that this isn’t the first GDPR fine in the UK, because the ICO has previously stated its intention to fine British Airways and Marriott International.
However, the ICO is liaising with other supervisory authorities before confirming those fines. It’s also giving both organisations the opportunity to provide evidence that could mitigate the size of the penalty.
As such, Doorstep Dispensaree is the first organisation in the UK to have formally been issued a fine – although it’s certainly not the first in Europe.
Plenty of fines have been levied in the year and a half since the GDPR came into effect; the delay in the UK owes to the fact that the ICO expedited the investigations into British Airways and Marriott International due to their high-profile nature.
With the ICO moving on to more routine investigations like this one, we could see a consistent flow of fines in the future. Thousands of complaints have been made in the past year, so it has no shortage of possibilities for investigations.