Pharmacy gets first UK fine for GDPR breaches

Shallow focus photo of a patient charts with focus on the middle

A London-based pharmacy has been fined £275,000 for “careless” storage of patient data – the first penalty levied under a new EU-mandated data protection regime in the UK.

Doorstep Dispensaree – which supplies medicines to individuals and care homes – left some 500,000 documents in unlocked containers at the back of its premises in Edgware, says the Information Commissioner’s Office (ICO), the independent UK watchdog for data privacy.

The unsecured documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people, some of which became water damaged. The documents were dated between June 2016 and June 2018.

The breach was spotted and reported to the ICO as part of a separate investigation into the pharmacy by the Medicines and Healthcare Products Regulatory Agency (MHRA).

Failing to guard the data against unauthorised or unlawful processing and accidental loss, destruction or damage is an infringement of the General Data Protection Regulation (GDPR) introduced in 201, says the ICO.

The fine might have been much larger, but only covered the period from 25 May 2018, after the GDPR was in effect. It was also scaled down from an initial £400,000 judgment.

While the fine related to paper records in this instance, the GDPR applies equally to digital records and is an indication of the scale of the penalties that can be incurred if sensitive patient data isn’t kept securely.

Paula Barrett, partner and global co-lead of privacy and cyber security law at Eversheds Sutherland, said the ICO’s action also made reference to an inadequate privacy notice, and there are “likely many others for whom the disposal of personal data securely is an ongoing operational concern.”

“As well as a fine, they also have further remediation work to undertake, so there is in fact a combination of tools in the ICO armoury being deployed here,” continued Barrett. “Remediation effort costs could outweigh the fine itself.”

Doorstep Dispensaree has also been issued an enforcement notice and ordered to improve its data protection practices within three months. Failure to do so could result in further enforcement action, says the ICO.

While the ICO said the number of people affected couldn’t be confirmed, it has estimated that the documents relate to around 78 care homes in the southeast of England.

“Given the volume of documentation and size of Doorstep Dispensaree’s business, it appears likely that hundreds and possibly even thousands of data subjects have been affected,” says the penalty document (PDF).