Layer 1

Pharmacy fined £275k in first GDPR breach of patient data in UK

A London-based pharmacy stored patients' data in its courtyard

A London-based pharmacy has been fined £275,000 after it breached data protection laws by failing to safely store sensitive patient information.

Doorstep Dispensaree, based in Edgware, north London, stored approximately 500,000 documents containing care home patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions in its courtyard, according to the data protection regulator, the Information Commissioner’s Office (ICO).

This led to some documents being found “soaking wet...indicating that they had been stored in this way for some time”, according to the enforcement notice issued last week (December 17).

This is the first fine issued by the ICO under the General Data Protection Regulation (GDPR), which came into effect in May 2018, the regulator said.

According to the ICO investigation, Doorstep Dispensaree’s data protection policies had not been updated since April 2015 and were therefore not compliant with GDPR requirements.

The ICO has ordered Doorstep Dispensaree to improve its data protection practices within three months or face further penalty notices. These could see the pharmacy pay up to 4% of its annual turnover in fines.

MHRA investigation

The regulator launched its investigation into Doorstep Dispensaree’s “insecurely stored documents” after it was alerted to the situation by the Medicines and Healthcare products Regulatory Agency (MHRA), which was conducting its own enquiry into the pharmacy’s “alleged unlicensed and unregulated storage and distribution of medicines”.

Following a search of the Edgware branch on July 24 last year, the MHRA found Doorstep Dispensaree was storing “47 crates, two disposal bags and one cardboard box full of documents containing personal data” in unlocked containers at the back of its premises.

The documents – which were dated from January 2016 to June 2018 – were “not secured and not marked as confidential waste”, according to the ICO’s enforcement notice.

“Careless” storage of data

Doorstep Dispensaree claimed the documents were securely stored because the courtyard was locked. However, the ICO did not accept this reasoning and said the pharmacy itself admitted that residents in the flats above the branch could access the area through a fire escape.

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects, and it falls short of what people expect,” ICO director of investigations Steve Eckersley said.

The ICO has given the pharmacy a deadline of January 17 to pay the fine.

Is your pharmacy GDPR-compliant?

C A, Community pharmacist

From their website -

"• Emergency and out of hours service.
• Free structured medication training.
• Free medication audit in line with CQC standards.
• Free equipment loan.
• Free medication waste removal service."

Maybe they are doing too much for free? And I hope they have the right licences for waste removal or that could land them with more fines!

Leon The Apothecary, Student

The mind boggles sometimes...

"(MHRA), which was conducting its own enquiry into the pharmacy’s “alleged unlicensed and unregulated storage and distribution of medicines”"

Says it all really, this company probably has an online doctor/pharmacy division that gives out opiates like smarties as well. This isn't a small scale data breach that you might see in a community pharmacy. This is a massive breach and should be dealt with severley. I'm sick of these cowboy firms getting off with a slap on the wrists.

C A, Community pharmacist

"(MHRA), which was conducting its own enquiry into the pharmacy’s “alleged unlicensed and unregulated storage and distribution of medicines”"

You say "says it all really," and I say isn't it someone elses job to monitor the standards of "the safe and effective practice of pharmacy at registered pharmacies"?

Is it, but the wholesaling comes under the MHRA remit so they would be doing inspections as well as the GPHC (if they have a DSP contract). I'm guessing this company is a small scale wholesaler with a hub dispensary for care homes and maybe a few branches.

The main point being there are several of these doctor/pharmacy/wholesaler "all in one" services springing up with questionable standards to say the least.

Benie Locum, Locum pharmacist

Doormat Dispernsary would probably be more apt for community.


Industry Pharmacist, Head/Senior Manager

You'll see more fines like this. It's a conspiracy to close pharmacies down. Pharmacists in community are dispensable. I hope my former community collegeues are actively looking at other careers.

John NotaPharmacist, Pharmaceutical Adviser

Or, Pharmacies could not store important & confidential information in the back garden...


Alexander The Great, Community pharmacist

I'll be amazed if that fine doesnt force them to close!

Pharma Tron , Community pharmacist

It surprises me that a Pharmacy called Doorstep Dispensaree was so slap dash and haphazard with professionalism...

Alasdair Morrison, Product Development

It hurts my brain trying to work out why called themselves that.

Job of the week

Support Pharmacist
Queen Elizabeth Hospital and Heartl
up to £47,500 dependent on hours (30-40 hours flexible)