In the first use of fining powers under the General Data Protection Regulation (GDPR), the Information Commissioner’s Office (ICO) has fined a London pharmacy £275,000 for failing to ensure the security of special category data.

According to a notice published today, Doorstep Dispensaree Ltd, which supplies medicines to individuals and care homes, left some 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.

Documents, some of which had not been appropriately protected against the elements and were therefore water damaged, were dated between June 2016 and June 2018. Failing to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage is an infringement of the GDPR, which came into force in the UK in May 2018. 

The ICO investigated Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out a separate inquiry.

Steve Eckersley, ICO director of investigations, said: 'The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.'

The administrative fine was imposed under S.155 of the Data Protection Act 2018, which implements the GDPR. In setting the fine, the ICO considered the contravention only from 25 May 2018, when the GDPR came into effect.  

Commenting on the penalty, Jon Baines, data protection specialist at London firm Mishcon de Reya, said: 'All organisations should read the penalty notice carefully – it will contain much to guide them on what bad practice looks like, and how it might result in a hefty fine.'