Case Study: Doorstep Dispensaree

By Dave McKay | July 13, 2020

It’s Not Just About Digital

The ICO fined Doorstep Dispensaree Ltd £275,000 for, among other things, failing to keep sensitive data securely and failing to provide an adequate privacy policy to data subjects.

What They Did Wrong

Doorstep Dispensaree provides pharmaceutical dispensary services to care homes. They had c. 500,000 documents containing personally identifiable data in unlocked containers behind their premises. They were being investigated by the Medicines and Healthcare Products Regulatory Agency (MHRA) regarding alleged unlicensed and unregulated storage of medicines. On finding the unsecured personal records, the MHRA contacted the ICO.

The ICO concluded that Doorstep Dispensaree had failed to ensure appropriate security measures were in place to protect the personal data against unauthorised or unlawful processing and accidental loss, destruction or damage. They had also failed to provide the necessary privacy notice information in accordance with the GDPR.

Collaboration Between Regulators Will Become the Norm

One of the ICO’s stated strategic goals is to work more closely with other regulators. This breach came to the ICO’s attention via the MHRA. Businesses should be aware that being investigated by one regulator might well lead to investigations from other regulators.

It’s Not All About Data Breaches

Doorstep Dispensaree’s data had not been accessed by any third party. The infraction was a failure to take appropriate technical and organisational measures. Some of the paper records were water damaged. This counts as accidental damage, and it meant those records were inaccessible.

Sensitive Data Has a High Enforcement Value

The type of data involved in an infraction will directly influence the severity of the penalty. Medical records are special category data. In this case many of the data subjects were classed as vulnerable, heightening the gravity of the breach.

The ICO Also Cares About Privacy Policies

The ICO found that the company’s privacy policy did not include all the mandatory information laid out under Articles 13 and 14 of the GDPR. The enforcement action further illustrates how an investigation by the ICO looks at all parts of your GDPR system, not just the elements related to the immediate infraction.

Privacy by Design and Default Was Ignored

The ICO found that there was “little to no” evidence that measures to ensure privacy by design and by default were in place. They described this as a “major failing”. Data Protection Impact Assessments including recommendations and an audit trail of actions to implement those recommendations would have provided evidence that consideration had been given to the safeguarding and control of the data during storage, processing and transmission.

Source: Global Compliance News