The UK Information Commissioner’s Office (“ICO”) issued its first penalty notice under the GDPR in December 2019.  Despite publishing notices of its intention to fine Marriott and British Airways in July 2019, the ICO has not yet taken its final enforcement action in these cases (and it is understood that the ICO has granted an extension for representations by the companies, until March 2020).  The £275,000 fine levied on Doorstep Dispensaree, a pharmaceutical company that provides various prescription medicines to care homes in the UK, therefore provides the first insight into the ICO’s approach to administrative fines under the GDPR (as further described below).

Key Takeaways

  • A lack of internal compliance, irrespective of its impact or damage to data subjects, may result in significant fines.
  • The use of a data processor does not diminish the responsibility of the data controller for compliance with the GDPR.
  • Cooperation with the ICO and prompt remediation of GDPR contraventions should be prioritised (as was also the position of the French data protection authority in connection with the fine levied on Futura Internationale).

Doorstep Dispensaree’s GDPR Violations

Doorstep Dispensaree was initially under investigation by the Medicines and Healthcare products Regulatory Agency (“MHRA”), who alerted the ICO to its discovery of approximately 500,000 documents containing personal data, discarded in a rear courtyard on Doorstep Dispensaree’s premises.  The documents contained names, addresses, dates of birth, NHS numbers, medical information and prescription details.  The crates, disposal bags and box in which the documents were stored were not marked as confidential waste, had not been secured and were accessible from neighbouring residential properties.  Some documents were soaking wet, which the ICO considered as an indication that the documents had been stored in this manner for some time.

The ICO described the treatment of the personal data as “careless” and giving rise to an “unacceptable risk” of unauthorised access and of accidental loss, destruction or damage (in breach of the GDPR principle of integrity as well as the GDPR requirement to implement appropriate technical and organisational measures to ensure data security).

The ICO also scrutinised Doorstep Dispensaree’s internal policies and procedures, noting that most had not been updated since April 2015, provided only “vague” practical advice to staff in relation to data protection, and/or were “generic templates” that did not appear to have been incorporated by Doorstep Dispensaree.  Doorstep Dispensaree’s privacy notices were also considered to be deficient (falling short of the requirements set out in Article 13 and 14 of the GDPR).

The Size of the Fine

The penalty notice makes reference to an earlier Notice of Intent published in June 2019 proposing a penalty of £400,000.  It unfortunately does not provide many details of the ICO’s method of calculating the fine or its rationale for subsequently reducing the fine to £275,000.  However, the ICO does explain that the size of Doorstep Dispensaree and its financial position (on the basis of both UK Companies House information and Doorstep Dispensaree’s representations) were taken into account.

Doorstep Dispensaree’s revenue is not publicly available.  However, based on its accounts filed with Companies House, it appears to be a “small company” within the meaning of the UK Companies Act 2006.[1]  If Doorstep Dispensary falls within the annual turnover threshold annual turnover condition for small company categorisation (£10.2 million or less), the £275,000 penalty equates to more than 2% of its annual revenue.  While initially appearing to be a small fine, this penalty may constitute a significant enforcement action by the ICO as a percentage of the company’s revenue.  As outlined below, the ICO considered Doorstep Dispensaree’s GDPR contraventions to be very serious.  In light of its mandate to impose fines that are “effective, proportionate and dissuasive”,[2] it is therefore unsurprising that the ICO has taken a firm line in this case.

Lessons Learned

In determining that Doorstep Dispensary’s contraventions of the GDPR were “serious enough to justify a significant fine” the ICO has provided some important lessons for data controllers.

  1. Internal compliance is critical

The penalty notice describes how Doorstep Dispensaree attempted to minimise the gravity of its practice and procedure-related violations (e.g., its failure to put in place appropriate internal compliance policies and issue GDPR-compliant privacy notices).  However, the ICO considered these violations to be “repeated and negligent in character. They would, taken on their own, be serious”, suggesting enforcement action by the ICO would have been warranted on this basis alone.

In addition to the penalty notice, the ICO has issued an enforcement notice to address Doorstep Dispensaree’s “notable past failings” with respect to internal, procedural compliance measures.  The terms of the notice require revision of internal policies and procedures, appointment of appropriate data protection personnel and delivery of staff training.

  1. Special attention must be paid to special category data

The security of special category data (such as health data, as was present in this case) requires the “utmost care” and a controller of such sensitive data “ought to be well aware of its data protection obligations and be taking them far more seriously.”  The ICO makes clear that data controllers of sensitive personal data are held to a higher standard.

  1. The gravity of a GDPR violation is not contingent upon its impact

The ICO acknowledged that data subjects were not necessarily aware of Doorstep Dispensaree’s  “very serious” contraventions of the GDPR and, therefore, would not be likely to suffer damage or distress.

However, the ICO noted that highly sensitive information pertaining to hundreds, possibly thousands, of data subjects (a large proportion of whom are likely to be elderly or otherwise vulnerable) had been “left unsecured in a cavalier fashion”.  Additionally, Doorstep Dispensaree’s privacy notices constituted a “significant infringement” of data subjects’ right to transparency because “no data subject would reasonably expect that personal data relating to their health would be handled in the manner that it was handled by Doorstep Dispensaree.

The data subjects’ lack of awareness was not, therefore, considered to be mitigating in any way.  In fact, the ICO applied the counterfactual and reasoned that were they to become aware, the data subjects could experience high levels of distress.

  1. Data controllers are primarily responsible for GDPR compliance

Despite having engaged a third party service provider for licenced waste disposal, the ICO determined that Doorstep Dispensaree should bear full responsibility for the GDPR violations that had ensued.  The absence of technical or organisational measures to protect personal data and to ensure data protection by both design and default, was assessed by the ICO to be a “major failing for a controller that routinely processes large quantities of highly sensitive health data”.  The ICO did not consider the involvement of a data processor to absolve Doorstep Dispensaree of responsibility.  It reasoned that as the data controller, Doorstep Dispensaree was required to ensure the security of any processing undertaken by it or on its behalf by a processor acting on its instructions.

  1. Cooperation with regulatory investigations is highly advisable

Doorstep Dispensaree’s level of cooperation with the ICO’s investigation was considered “poor” and included denying knowledge of the matter when initially contacted by the ICO, as well as failing to provide answers to the ICO’s questions.  The ICO issued an Information Notice in October 2018, which Doorstep Dispensaree (unsuccessfully) appealed and to which it later responded, further refusing to provide any information on the basis that it could risk self-incrimination.  On the other hand, the ICO does appear to have given some credit to Doorstep Dispensaree for eventually making representations to the ICO and for subsequently taking actions to improve its data protection practices.

  1. Remediation measures should be undertaken without delay

When quantifying the appropriate penalty to levy, the ICO gave credit for the fact that Doorstep Dispensaree’s infringements relating to data storage are no longer ongoing: the documents were seized and secured.  Efforts currently or intended to be made by Doorstep Dispensaree to improve its data processing policies, contractual arrangements and staff training were also considered by the ICO, and regarded as likely to mitigate the ongoing violations of Article 13 and 14 if properly implemented.

  1. Negligent conduct will give rise to significant penalties

Doorstep Dispensaree was not considered by the ICO to have acted deliberately.  However the ICO highlighted the “considerable evidence of extremely poor data protection practice, amounting to significantly negligent conduct”.  Notwithstanding a lack of intention on the part of Doorstep Dispensaree, the ICO assessed its data protection failures to be “systematic” and levied a fine that is potentially the  most impactful fine (by reference to the size of the business) imposed, or intended to be imposed, in the UK under the GDPR to date.

[1] A company is classified as ‘small’ if any two of the following criteria are fulfilled: (i) a turnover of £10.2 million or less; (ii) £5.1 million or less on its balance sheet; and (iii) 50 employees or less.

[2] Article 83 of the GDPR.