On 20 December 2019, the Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection and information rights law, issued a €320,000 (£275,000) GDPR fine to Doorstep Dispensaree, a pharmacy based in London.
The ICO found that the pharmacy had insufficient technical and organizational measures in place to ensure the security of special category data.
Specifically, Doorstep Dispensaree stored approximately 500,000 documents, dated between June 2016 and June 2018, containing patients’ names, addresses, dates of birth and other medical records in unsecured and unprotected storage.
The ICO stated:
“Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.”
Doorstep Dispensaree was also issued an enforcement notice ordering it to improve its data protection practices within three months; failure to do so could result in further enforcement action.
The enforcement notice addresses violations of the fundamental data protection principles outlined in Article 5 of the GDPR, encompassing key aspects such as lawful processing, fairness, transparency, and the responsible handling of personal data.
Additionally, it covers infringements of data subjects’ rights, focusing on the information that must be provided to individuals when their personal data is collected.
Furthermore, the notice highlights breaches of the data controller’s obligations under Articles 24(1) and 32, which require the controller to ensure the security of processing and to be able to demonstrate compliance with the GDPR.