Late last year the UK Information Commissioner's Office ("ICO") issued its first formal monetary penalty notice under the General Data Protection Regulation ("GDPR"). The ICO fined Doorstep Dispensaree GBP 275,000 for, among other things, failing to keep sensitive data securely and providing an inadequate privacy notice to data subjects.
This fine was based on a number of fundamental breaches by Doorstep Dispensaree: for example, most of its internal policies had not been updated since before the entry into force of the GDPR. However, it still provides some useful practical lessons for those with a more sophisticated compliance program, and an insight into the enforcement priorities of the UK regulator. Nearly two years after the GDPR entered into force on 25 May 2018, the Doorstep Dispensaree penalty remains the only opportunity to examine the ICO's approach to fines under the GDPR.
The company, which provides pharmaceutical dispensary services to thousands of care homes, had left around 500,000 documents containing personal data in unlocked containers in an outside space behind its premises. The documents included name, address, date of birth, NHS numbers, medical information and prescriptions. The documents were dated between June 2016 and June 2018, and were exposed to water and damaged.
The ICO was made aware by the Medicines and Healthcare Products Regulatory Agency ("MHRA"), which was conducting its own separate enquiry into the company regarding alleged unlicensed and unregulated storage of various medicines.
The ICO found that the company had failed to ensure appropriate security measures were in place to protect the personal data against unauthorised or unlawful processing and accidental loss, destruction or damage, as well as failing to provide necessary privacy notice information in accordance with the GDPR.
What does this enforcement action tell us?
- Regulators are taking an increasingly collaborative approach. One of the ICO's own strategic goals is to work more closely with other regulators. This breach came to the ICO's attention via the MHRA. Therefore, organisations under scrutiny from other regulators should also remain alert to the possibility of a seemingly-unrelated investigation revealing holes in its data protection practices and leading to the involvement of the ICO.
- It's not all about data breach. Doorstep Dispensaree's data had not been accessed by any third party: the ICO found that there was a failure to take appropriate technical and organisational measures, although the personal data was not stolen or lost but was damaged. This highlights the importance of not just protecting personal data from theft or accidental loss, but also protecting it from being damaged or being made inaccessible.
- Sensitive data on vulnerable individuals is a high enforcement priority. This is a reminder of the need to be cognisant of the nature and volume of the data you are processing, the sensitivity of the personal data and the risks to data subjects when looking at the level of data protection measures you need to have in place. Not only was the data special category data, but it is likely that a large proportion of it related to elderly or otherwise vulnerable individuals, heightening the gravity of the breach. Taking all of this into account, the ICO's enforcement action in this context chimes with Objective 1 in its Regulatory Action Policy: to focus on breaches (i) involving highly sensitive information, (ii) adversely affecting large groups of individuals, and/or (iii) impacting vulnerable individuals.
- The ICO is focusing on privacy notice information requirements. The ICO found that the company's privacy notice did not include all the information required under Articles 13 and 14 of the GDPR. The fact that Doorstep Dispensaree "paid little or no attention to its regulatory obligations" in respect of its privacy notice, especially in light of the sensitive nature of the data it was processing, was clearly an important factor in the ICO's decision. The enforcement action is a further illustration of how privacy notice information requirements are becoming an increasing focus of enforcement under the GDPR.
- Privacy by design and default is always relevant. This enforcement action highlights the importance of privacy by design and by default, which is relevant to all processing activities. The ICO found that there was "little to no" evidence that measures to ensure privacy by design and by default were in place, which was cited as a "major failing" given the routine processing of large quantities of highly sensitive health data.
- Improvements made after an investigation has started can significantly mitigate the monetary penalty. The monetary penalty would have been £400,000, but was reduced to GBP 275,000 for mitigating factors such as improving policies and procedures, which is a reminder that mitigating the impact on data subjects and remedying any non-compliance can be useful in the context of enforcement action. This is notwithstanding that the ICO also noted in its monetary penalty notice that the company refused to comply with requests and emails from the ICO for information. The company also unsuccessfully tried to appeal a subsequent Information Notice issued by the ICO, and failed to comply with the Information Notice in a timely fashion. Although the ICO noted that the level of co-operation by the company was poor, it concluded this had not hampered either the remedying or mitigating of the infringement. The ICO did give credit for the co-operative approach the company later demonstrated and actions taken to improve its data protection practice.
- The level of future fines remains difficult to predict. GBP 275,000 is towards the lower end of the scale of financial penalty available to the ICO under the GDPR, although the lack of information in Doorstep Dispensaree's published accounts makes it difficult to assess on a turnover basis. In the monetary penalty notice the ICO refers to the gravity of the breach and Doorstep Dispensaree's financial position in general terms, and to the need for the penalty to be "effective, proportionate and dissuasive", but it doesn't provide any methodology that would enable predictions to be made about the size of the financial penalty likely to be imposed in future cases.