Chemist + Druggist is part of Pharma Intelligence UK Limited

This is operated by Pharma Intelligence UK Limited, a company registered in England and Wales with company number 13787459 whose registered office is 5 Howick Place, London SW1P 1WG. The Pharma Intelligence group is owned by Caerus Topco S.à r.l. and all copyright resides with the group.

Pharmacy fined £275k in first GDPR breach of patient data in UK

A London-based pharmacy has been fined £275,000 after it breached data protection laws by failing to safely store sensitive patient information.

Doorstep Dispensaree, based in Edgware, north London, stored approximately 500,000 documents containing care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions in its courtyard, according to the data protection regulator, the Information Commissioner’s Office (ICO).

This led to some documents being found “soaking wet...indicating that they had been stored in this way for some time”, according to the enforcement notice issued last week (December 17).

This is the first fine issued by the ICO under the General Data Protection Regulation (GDPR), which came into effect in May 2018, the regulator said.

According to the ICO investigation, Doorstep Dispensaree’s data protection policies had not been updated since April 2015 and were therefore not compliant with GDPR requirements.

The ICO has ordered Doorstep Dispensaree to improve its data protection practices within three months or face further penalty notices. These could see the pharmacy pay up to 4% of its annual turnover in fines.

MHRA investigation

The ICO launched its investigation into Doorstep Dispensaree’s “insecurely stored documents” after it was alerted to the situation by the Medicines and Healthcare products Regulatory Agency (MHRA), which was conducting its own enquiry into the pharmacy’s “alleged unlicensed and unregulated storage and distribution of medicines”.

Following a search of the Edgware branch on July 24 last year, the MHRA found Doorstep Dispensaree was storing “47 crates, two disposal bags and one cardboard box full of documents containing personal data” in unlocked containers at the back of its premises.

The documents – which were dated from January 2016 to June 2018 – were “not secured and not marked as confidential waste”, according to the ICO’s enforcement notice.

“Careless” storage of data

Doorstep Dispensaree claimed the documents were securely stored because the courtyard was locked. However, the ICO did not accept this reasoning and said the pharmacy itself admitted that residents in the flats above the branch could access the area through a fire escape.

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects, and it falls short of what people expect,” ICO director of investigations Steve Eckersley said.

The ICO has given the pharmacy a deadline of January 17 to pay the fine.
