On 20 December 2019, the Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection and information rights law, issued a €320,000 (£275,000) GDPR fine to Doorstep Dispensaree, a pharmacy based in London.
The ICO based the fine on the pharmacy’s insufficient technical and organizational measures to ensure the security of special category data.
To be more exact, Doorstep Dispensaree stored approximately 500,000 documents, dated between June 2016 and June 2018 and containing patients’ names, addresses, dates of birth, and other medical records, in unsecured and unprotected storage.
The ICO stated:
“Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.”
Doorstep Dispensaree was also issued an enforcement notice and was ordered to improve its data protection practices within three months. Failure to do so could result in further enforcement action.