The Information Commissioner’s Office (‘ICO’) has issued the first fine to an organisation under the General Data Protection Regulation 2016 (‘GDPR’), pursuant to s155 of the Data Protection Act 2018, which implements the GDPR. The fine is for £275,000.00 and has been imposed on ‘Doorstep Dispensaree Limited’, which has a right to appeal the decision within 28 days of the penalty notice.
The GDPR came into force in English law on 25 May 2018. The ICO considered the organisation’s failures to protect data from that date onwards, before which the previous regime’s rules would be applicable. The ICO found the breaches to be extremely serious and to demonstrate ‘a cavalier attitude to data protection’.
The organisation was a data controller handling special category data, namely ‘personal data concerning health’. It controlled records dating back a number of years, including 500,000 documents relating to the supply of medical prescriptions to care homes and individual pharmacy customers, among them the personal details of a number of vulnerable and elderly patients.
The breaches pertained to the method of storage as well as the failure to destroy the data. The records had not been securely destroyed by shredding, which the organisation claimed was part of its policy at the relevant time, and indeed many papers had not been destroyed at all. The documents were instead left outside its premises in unlocked containers, to which there was potential access from nearby residential flats. As far as storage was concerned, this was held to be entirely inadequate, because the data was also not stored in such a way as to guard against accidental loss, destruction or damage. Water had got into the documents, showing that they were stored in a ‘careless way’.
Further, there was little evidence that measures were in place to ensure data was being protected by design and by default, as required by Article 25 of the GDPR. The organisation’s conduct was found to be ‘very poor’ and ‘significantly negligent’, rather than a deliberate infringement of Articles 13 and 14 of the GDPR.
The penalty was considered to be effective, proportionate and dissuasive. The monetary amount of the fine imposed was held to be commensurate with the breach, whilst it took into account the representations made by the organisation itself, and its financial standing.
The decision is a reminder to all persons who handle sensitive personal data and act as data controllers or data processors. Under the GDPR regime, breaches in the form of failures to protect this data with adequate safeguards can lead to severe financial penalties, as well as potential reputational damage for organisations.
It is clear that failure to protect data is not fine.