On 17 December 2019 the Information Commissioner’s Office in the UK (the “ICO”) issued its first penalty notice under the General Data Protection Regulation 2016 (the “GDPR”). Under the GDPR, the ICO carries out the same supervisory role in the UK as the Data Protection Commission carries out here in Ireland.
The notice, issued against Doorstep Dispensaree Ltd as a data controller, imposed a fine of £275,000 (approximately €325,000) and was made on the basis of “negligent rather than deliberate infringement” of the GDPR on a number of grounds.
The infringements found against Doorstep Dispensaree can be broadly summarised as arising out of:
- Failure to store medical records securely (health data is special category data under Article 9 of the GDPR); and
- Failure to adopt a privacy notice containing the information required by Articles 13 and 14 of the GDPR.
Doorstep Dispensaree primarily provides a pharmacy and medicines distribution service to care homes in the UK. As a result of a separate investigation into its operation by a UK medical regulator, it came to the ICO’s attention that Doorstep Dispensaree had stored some 500,000 documents containing personal data in an open and unsecured courtyard. Many of the documents had sustained water damage.
It is interesting to note that the ICO did not elect to undertake its own inspection of the storage of the materials but instead based its decision on correspondence with Doorstep Dispensaree and on the information provided by the medical regulator.
Contraventions of the GDPR
The ICO found that Doorstep Dispensaree had breached the following Articles of the GDPR:
- Article 5(1)(f) – the integrity and confidentiality principle
- Article 24(1) – responsibility of controllers
- Article 32 – security of processing
In addition, the ICO found that there had been numerous infringements of the information requirements in Articles 13 and 14 of the GDPR, as the privacy notice provided by Doorstep Dispensaree did not contain all of the information those Articles require. For example, the privacy notice did not:
- Explicitly state that Doorstep Dispensaree is a data controller or provide contact details;
- State the legal basis for the processing or the conditions for processing special category data;
- Outline the categories of personal data concerned – Article 14(1)(d);
- Specify the legitimate interests relied on; or
- Inform the data subjects of their rights under data protection law.
The ICO found the breach to be “extremely serious” and noted in particular Doorstep Dispensaree’s failure to implement and distribute a suitable privacy notice.
Having regard to all the circumstances (and to the requirement that a penalty be effective, proportionate and dissuasive), the ICO fined Doorstep Dispensaree £275,000 (approximately €325,000). This is a significant reduction from the figure in the initial Notice of Intent, which was £400,000 (approximately €468,000).
In finalising the figure, the ICO had regard to the financial information about Doorstep Dispensaree available on the UK Companies House website, as well as to representations made by Doorstep Dispensaree about its financial position.
This fine should serve as a reminder of the importance of having a compliant privacy notice in place, and of storing records containing special category data securely. Controllers should take care to ensure that all of the requirements of Articles 13 and 14 of the GDPR have been met in their privacy notices and that those notices accurately reflect the actual practices of the organisation.