Wednesday, January 15, 2020
On the 17 December 2019 the Information Commissioner’s Office in the UK (the “ICO”) issued its first penalty notice under the General Data Protection Regulation 2016 (the “GDPR”). Under the GDPR, the ICO carries out the same supervisory role in the UK as the Data Protection Commission carries out here in Ireland.
The notice issued against Doorstep Dispensaree, as a data controller, amounted to a fine of £275,000 – approximately €325,000 – and was made on the basis of “negligent rather than deliberate infringement” of the GDPR on a number of grounds.
The infringements made by Doorstep Dispensaree can be generally summarised as arising out of:-
Doorstep Dispensaree primarily provide a pharmacy and medicines distribution service to care homes in the UK. As a result of a separate investigation into their operation by a UK medical authority it came to the ICO’s attention that Doorstep Dispensaree had stored some 500,000 documents relating to personal data in an open and unsecured courtyard. Many of the documents had sustained water damage.
It is interesting to note that the ICO did not elect to undertake its own investigation into the storage of the materials but rather based its decision on correspondence with Doorstep Dispensaree and information provided by the relevant medical authority.
Contraventions of the GDPR
The ICO found that Doorstep Dispensaree had breached the following Articles of the GDPR:
In addition, the ICO found that there had been numerous infringements of the information requirements included in Articles 13 and 14 of the GDPR as the privacy notice provided by Doorstep Dispensaree did not contain all of the necessary information set out in these Articles. For example, the privacy notice did not: –
The ICO found the breach to be “extremely serious” and noted in particular Doorstep Dispensaree’s failure to implement and distribute a suitable privacy notice.
Having regard to all the circumstances (and that a penalty must be effective, proportionate and dissuasive) the ICO fined Doorstep Dispensaree £275,000 (approximately €362,000). This represents a significantly reduced amount from what appeared on the initial Notice of Intent (which was £400,000 or approximately €468,000).
In finalising the figure, the ICO had regard to the financial information about Doorstep Dispensaree available on the UK Companies House website as well as to representations made by Doorstep Dispensaree relating to their financial decision.
This fine should serve as a reminder of the importance of having a compliant privacy notice in place. Controllers should take care to ensure that all of the requirements of Articles 13 and 14 of the GDPR have been met in their privacy notices and that their privacy notices accurately reflect the practices of the organisation.