06 January, 2020
On 17 December 2019, the Information Commissioner's Office (ICO) announced that it intended to fine Doorstep Dispensaree Limited (Doorstep) £275,000 for breaches of the General Data Protection Regulation (GDPR).
Doorstep was reported to the ICO by the Medicines and Healthcare products Regulatory Agency (MHRA), which was conducting its own investigation into the firm, after it discovered approximately 500,000 documents being stored in a rear courtyard of Doorstep's premises. The documents contained names, dates of birth, medical information and prescription details, data which falls under the scope of Article 9 of GDPR.
Following the report by the MHRA, Doorstep was informed by the ICO in August 2018 of its concerns that sensitive personal data was being processed insecurely. Doorstep responded to the ICO later that month denying any knowledge of the matter. Following a further denial in September 2018, the ICO issued an Information Notice under s142(1)(a) of the DPA 2018. Doorstep appealed the Notice to the First-Tier Tribunal in January 2019. The appeal was dismissed.
Doorstep subsequently failed to comply with the Notice in a timely fashion, leading the ICO to threaten to pursue an Information Order and/or issue a penalty. Doorstep answered the ICO in March 2019 stating that it had declined to provide the information requested because it believed that doing so would mean "exposing itself to prosecution in the MHRA's existing criminal proceedings against it". Doorstep did, however, provide the ICO with a number of the documents that had been requested. Many of these, though, had not been updated since April 2015, well before the adoption of GDPR.
In June 2019, the ICO issued Doorstep with both a Notice of Intent to impose a penalty and a Preliminary Enforcement Notice outlining the rationale for a proposed penalty of £400,000. The ICO took into account that, although none of the data subjects were aware of the breach, it was held that pursuant to Articles 13 and 14 of GDPR the breach may have caused distress.
In its Penalty Notice, the ICO determined Doorstep to be a controller for the purposes of GDPR and the Data Protection Act 2018. Although Doorstep had engaged a third-party provider contracted to dispose of the documents, and contended that this provider was the party in breach, the ICO judged that the third party was a processor acting on the instructions of Doorstep.
Doorstep has 28 days from the date of the ICO's judgment to lodge an appeal with the First-Tier Tribunal. The MHRA, however, announced in November 2019 that it would be taking no further action against Doorstep.
The judgment demonstrates that the data subjects' knowledge of a breach is irrelevant, as is the relative size of the entity; the ICO is prepared and willing to pursue offenders fully. Moreover, failure to co-operate with the ICO will almost certainly have a detrimental effect on the outcome of any investigation.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.