First fine issued for data protection breach

The Doorstep Dispensaree Ltd pharmacy has been slapped with a fine under strict data protection laws which came into effect in 2018. Doorstep Dispensaree Ltd left approximately 500,000 documents containing Special Category Data in unlocked containers at the back of its premises which saw the organisation ordered to pay a penalty of £275,000.

Due to their sensitive nature, stringent security measures needed to be in place to protect the data under laws derived from the General Data Protection Regulation (GDPR).

The GDPR defines Special Category Data as data revealing or concerning a person’s:

• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data
• biometric data (where used for identification purposes)
• health
• sex life
• sexual orientation

The documents held by the pharmacy included names, addresses, dates of birth, NHS numbers, medical information and prescriptions. Despite the courtyard where the containers were found being locked, they were vulnerable to unauthorised or unlawful access. The ICO therefore held that the lack of security infringed the GDPR’s security and data retention obligations resulting in the fine.

The ICO was also not satisfied with the pharmacy’s internal policies and privacy notices and issued an enforcement notice to the pharmacy under the Data Protection Act 2018 which gives the pharmacy three months to update all its policies and procedures, appoint an information governance lead or data protection officer, introduce mandatory and refresher training, update its privacy policy and provide evidence of compliance.

If your business is a data controller or processor and you are concerned about GDPR compliance, contact Brachers Employment team for further information and advice.

This content is correct at time of publication