On 20 December 2019, the Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection and information rights law, issued a €320,000 (£275,000) GDPR fine to Doorstep Dispensaree, a pharmacy based in London.
The ICO’s fine was based on the fact that the pharmacy had insufficient technical and organizational measures to ensure the security of a special category of data.
To be more exact, Doorstep Dispensaree stored approximately 500,000 documents, dated between June 2016 and June 2018, containing patients’ names, addresses, dates of birth, and other medical records in unsecured and unprotected storage.
The ICO stated:
“Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.”
The ICO set January 17 as the deadline to pay the fine. Doorstep Dispensaree has also been issued an enforcement notice and was ordered to improve its data protection practices within three months. Failure to do so could result in further enforcement action.
As stated in the enforcement notice, it was issued in relation to contraventions of the data protection principles set out in Article 5 of the GDPR, the data subject’s rights set out in Articles 13 and 14 of the GDPR, and the obligations of the controller in Articles 24(1) and 32.
Whether this fine is the beginning of a trend, indicating that in 2020 the ICO will show less tolerance and understanding for violators, remains to be seen.