ICO fines pharmacy £275,000 for careless storing of personal data

The ICO fined a pharmacy £275,000 and issued an enforcement notice after it failed to store personal data securely.

What complaint was received by the ICO? 

Doorstep Dispensaree Limited (“Doorstep) supplies medicines to customers and care homes. The ICO received a complaint from the Medicines and Healthcare Products Regulatory Agency (“MHRA”). During a search of Doorstep’s premises under a search warrant, MHRA had discovered numerous unlocked crates with around 500,000 documents containing personal data at the back of the premises. The documents ranged from January 2016 to June 2018. Some documents contained special category data, including medical information and prescriptions. MHRA complained to the ICO.

What action did the ICO take? 

The ICO investigated the complaint. It found Doorstep had failed to implement appropriate safeguards to protect the data it held and criticised Doorstep’s “cavalier attitude” to data protection. It concluded it had retained some data longer than necessary and its data protection policies and processing records were inadequate. It had also not complied with its policies. Finally, the ICO noted Doorstep had provided insufficient information to individuals on how it would use their data. The ICO issued:

• A £275,000 fine and
• An enforcement notice to improve its data protection practices within three months.

In setting the fine, the ICO only considered the contravention from 25th May 2018 onwards, when the GDPR came into effect.

What are the implications of this case on employers and employees? 

The ICO fine is unsurprising given the extent of unsecured data. Its report noted Doorstep’s failure to co-operate with its investigations.

Organisations often focus on storing personal data online. However, they need to give the same attention to the way they store hard copy data. Using lockable storage and securely destroying hard copy data are simple, cost-effective steps to help protect personal data. The ICO’s findings on the lack of suitable data protection policies also reflect the importance of having up to date policies and adhering to them.