The pharmacy was being investigated by the Medicines and Healthcare products Regulatory Agency (MHRA) for separate concerns. When searching the premises for its own investigation, the MHRA found 47 unlocked crates, two disposal bags and one cardboard box full of documents containing personal data left in the pharmacy's outside courtyard. MHRA estimated that there were 500,000 documents and could not estimate the number of data subjects involved.
The data contained names, dates of birth, addresses, medical information and prescription details. Many of the data subjects were elderly and vulnerable as the pharmacy dealt with prescriptions to 15 care homes. The documents were not secured and were wet when found, suggesting they had been stored this way for some time.
The pharmacy did not assist with the ICO's investigation, and at first refused to answer the questions posed by the ICO. This led the ICO to issue an information notice under the Data Protection Act 2018 which requires the recipient to provide the ICO with information.
When the pharmacy did respond, many of their compliance documents were out of date and did not make any reference to the GDPR. Some documents were templates from trade associations and had not been incorporated or tailored by the pharmacy to their practices.
When deciding how much to fine, the ICO took into account the steps the pharmacy had taken since the investigation to improve its practices. The ICO considered the size of the pharmacy and its financial position and, in seeking to make the penalty "effective, proportionate and dissuasive", fined the pharmacy £275,000.
Those responsible for data protection in your organisation might find the following notes useful reminders for their own compliance.
The pharmacy claimed that the data was secure because the yard where the documents were stored was locked. The ICO reminded them that the GDPR requires data controllers to protect data against accidental loss, destruction or damage. Outside storage, which allowed documents to get wet, was not at all adequate.
The pharmacy also claimed that they used a shredding company who were at fault. However, there was no contract in place with a shredding company, and documents dating back to 2016 remained un-shredded. If you are using data processors (service providers who process personal data on your behalf), ensure that the contract with them is GDPR compliant and that they are complying with the GDPR.
The Commissioner noted that the pharmacy's data protection documents were out of date, inadequate or were generic templates. They did not have a retention policy. If you are using templates from associations or trade bodies, make sure they are tailored to your organisation and reflect your actual practices. Ensure you have all the documentation required under the GDPR, for example, a record of processing activities.
A larger organisation with a higher turnover would almost certainly have been issued a more substantial fine. The ICO is not shying away from issuing larger fines to bigger organisations. While the ICO is yet to announce the exact figures that will be issued to Marriott and BA for their GDPR breaches, it is expected that they will be in the tens of millions.