The Information Commissioner’s Office (ICO) has fined London-based pharmacy Doorstep Dispensaree Ltd £275,000 for failing to protect the data of its patients. The pharmacy, which supplies medicines to care homes and other customers, left about 500,000 documents in unlocked containers at the back of its office in Edgware.
The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions of customers. This information is all classified as special category under GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) is a data protection law that came into effect in May 2018. The regulation guides the way businesses process and protect data. Under GDPR, your business should be protecting data against the following things:
- Unauthorised or unlawful processing
- Accidental loss
As a business, protecting your customers’ data should be your top priority. Not doing so will lead to a fine and damage to your business’s reputation. Doorstep Dispensaree failed to protect its customers’ data and was consequently fined for its gross negligence. The pharmacy is the first company to receive a fine for bad practices after the enactment of GDPR in May 2018.
The ICO launched an investigation into Doorstep Dispensaree after an alert from the Medicines and Healthcare Products Regulatory Agency. At the time, the agency was investigating the pharmacy over alleged unlicensed and unregulated storage and distribution of medicines. After its own investigation, the ICO concluded that the company had failed to ensure the “appropriate security” of the personal data it processes and had “processed personal data in an insecure manner”, in contravention of GDPR articles.
Statement from ICO
Steve Eckersley, Director of Investigations at the ICO, said:
“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”
Doorstep Dispensaree has three months to improve its data protection practices. Failure to comply could lead to worse penalties or enforcement action.
Jamal Ahmed, Director of award-winning GDPR consultancy Kazient Privacy Experts, comments:
“Doorstep Dispensaree failed to respect the privacy of their customers and was wholly negligent in employing any technical or organisational measures to protect their personal information. I am pleased to see the ICO issuing a financial penalty. Hopefully this will encourage others to treat personal information with the respect it deserves.”
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.