£275,000 ICO Fine For London Based Pharmacy

Information security isn’t limited to how we store data in the cyber world and protect it from criminals who want to use that information for malicious purposes.

Information security also covers how organisations store documents that contain personal information. 

The Information Commissioner’s Office (ICO) fined Doorstep Dispensaree Ltd £275,000 after it failed to ensure the security of documents containing personal information relating to its patients.

The London-based pharmacy left approximately 500,000 documents dated between June 2016 and June 2018 in unlocked containers at the back of its premises in Edgware.

The documents contained names, addresses, dates of birth, NHS numbers, medical information and prescriptions which belonged to an unknown number of patients. 

Some of the documents in question weren’t protected against the weather, which resulted in a number of them becoming water damaged.

This is an infringement of the GDPR, as the ICO states:

“Failing to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage is an infringement of the General Data Protection Regulation.”

The information security issue was discovered by the Medicines and Healthcare Products Regulatory Agency, which was carrying out a separate enquiry into the pharmacy. It then notified the ICO, which began its own investigation.

Steve Eckersley, Director of Investigations at the ICO, said:

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.” 

In setting the fine, the ICO only considered the contravention from 25th May 2018, when the GDPR came into effect. 

Doorstep Dispensaree has also been issued with an enforcement notice due to the significance of the contraventions and ordered to improve its data protection practices within three months. Failure to do so could result in further enforcement action.