Pharmacy fined £275k in first GDPR breach of patient data in UK
A London-based pharmacy has been fined £275,000 after it breached data protection laws by failing to safely store sensitive patient information.
Doorstep Dispensaree, based in Edgware, north London, stored approximately 500,000 documents containing care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions in its courtyard, according to the data protection regulator, the Information Commissioner’s Office (ICO).
This led to some documents being found “soaking wet...indicating that they had been stored in this way for some time”, according to the enforcement notice issued last week (December 17).
This is the first fine issued by the ICO under the General Data Protection Regulation (GDPR), which came into effect in May 2018, the regulator said.
According to the ICO investigation, Doorstep Dispensaree’s data protection policies had not been updated since April 2015 and were therefore not compliant with GDPR requirements.
The ICO has ordered Doorstep Dispensaree to improve its data protection practices within three months or face further penalty notices. These could see the pharmacy pay up to 4% of its annual turnover in fines.
The regulator launched its investigation into Doorstep Dispensaree’s “insecurely stored documents” after it was alerted to the situation by the Medicines and Healthcare products Regulatory Agency (MHRA), which was conducting its own enquiry into the pharmacy’s “alleged unlicensed and unregulated storage and distribution of medicines”.
Following a search of the Edgware branch on July 24 last year, the MHRA found Doorstep Dispensaree was storing “47 crates, two disposal bags and one cardboard box full of documents containing personal data” in unlocked containers at the back of its premises.
The documents – which were dated from January 2016 to June 2018 – were “not secured and not marked as confidential waste”, according to the ICO’s enforcement notice.
“Careless” storage of data
Doorstep Dispensaree claimed the documents were securely stored because the courtyard was locked. However, the ICO did not accept this reasoning and said the pharmacy itself admitted that residents in the flats above the branch could access the area through a fire escape.
“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects, and it falls short of what people expect,” ICO director of investigations Steve Eckersley said.
The ICO has given the pharmacy a deadline of January 17 to pay the fine.