A London pharmacy business delivering medicines to customers and care homes has become the first business in the UK to be fined under the General Data Protection Regulation.
Doorstep Dispensaree, a company that operates in Cambridgeshire and the north London/Hertfordshire region, collects patients’ prescriptions from their GPs and delivers medicines to individual patients’ homes and to care homes.
It has been fined £275,000 by the Information Commissioner’s Office (ICO) for failing to ensure the security of ‘special category data’.
The fine is based on a July 2018 investigation, carried out by the MHRA under a search warrant, which found that the company had mishandled approximately 500,000 documents at its Edgware premises.
The documents were stored in unlocked containers at the back of the premises, and included “names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people”, according to the ICO.
The documents dated from June 2016 to June 2018. They were not “appropriately protected against the elements”, meaning some were “soaking wet”.
Following the investigation, the ICO looked into Doorstep Dispensaree’s data protection policies, which gave “further cause for concern” as they did not comply with GDPR – which was introduced in May 2018.
Data protection guidance issued to staff was “vague,” the commissioner found.
This is the first fine received by any UK business for non-compliance with GDPR. In addition to issuing the fine, the ICO has ordered the company to improve its data protection practices within three months.
Steve Eckersley, director of investigations at the ICO, said: “The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”
Doorstep Dispensaree has been approached for comment.