A pharmacy fined £275,000 for mishandling patients’ sensitive personal data has had its penalty reduced by just under two thirds after appealing the case at a tribunal.
In late 2019 Doorstep Dispensaree, a delivery business serving care homes and other patients in Cambridgeshire and the north London/Hertfordshire region, became the first UK company to be fined for breaching the General Data Protection Regulation (GDPR). The Information Commissioner’s Office, acting on a tip-off from the MHRA, found it had mishandled around 500,000 documents.
Documents identifying patients and revealing personal information such as addresses, prescriptions and NHS numbers had been stored in unlocked containers in the company’s Edgware premises, with some “soaking wet” as a result of not being properly protected, the ICO said.
However, Doorstep Dispensaree appealed against both the fine and the enforcement notice issued by the ICO, arguing that the ICO had vastly overestimated the number of documents stored in the containers after viewing a sample of the papers seized by the MHRA.
The pharmacy also argued that some of the personal data contained in the documents was the responsibility of JPL, a waste disposal company it had engaged, with the rest the responsibility of care homes that had returned documents to the pharmacy.
Hearing the case, tribunal judge Moira MacMillan rejected these arguments, ruling that while JPL had breached some data processing requirements, Doorstep Dispensaree still bore overall responsibility for the way in which data was handled.
However, she identified serious issues with the evidence used by the ICO to determine the scale of the fine, concluding that 73,719 documents had been seized by the MHRA and not around 500,000, as had been reported by the ICO. She also found that 12,491 documents contained personal data and 53,871 contained special category data.
She decided that while a fine was necessary due to the “gravity of the contraventions,” it should be reduced from £275,000 to £92,000.
Judge MacMillan said: “The commissioner relies on evidence that was produced during an investigation carried out for a different purpose. It therefore lacks important details about the nature of the personal data concerned, not least an accurate calculation of the number of documents recovered.
“The commissioner has also elected not to rely on witness evidence, nor to produce evidence of the origin of the personal data being processed by JPL. By contrast, [Doorstep Dispensaree] has audited all of the documents, and the evidence it has produced is necessarily a more reliable source of information.”
This is the third time the ICO has been forced to reduce fines imposed for GDPR breaches, after partly successful appeals from British Airways and the Marriott hotel chain.
Doorstep Dispensaree has been approached for comment.