Whilst everyone was getting ready for the festive period and holiday season in December 2019, the Information Commissioner's Office ("ICO") was also busy although not exactly in the same way. This is because on 20 December 2019, it issued a monetary penalty notice under the General Data Protection Regulation 2016/679 (“GDPR”) and the Data Protection Act 2018 against Doorstep Dispensaree Ltd ("Doorstep"). This is the first enforcement notice in England & Wales that has been issued under the GDPR and its certainly one to pay attention to as it concerns the most sensitive personal data: data to do with your health.
Background
Doorstep is a London-based pharmacy that primarily supplies medicines to customers and care homes. It was found to have left 47 crates, 2 disposal bags and one box containing personal data at the back of its premises in Edgeware. Here, there were approximately 500,000 documents that included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to individuals. As the documentation had not been kept securely, the ICO fined Doorstep £275,000 for failing to ensure the security of special category data (which in this case is health data). As Doorstep was only incorporated in England & Wales in 2015 and has only one director (who also happens to be the member with significant control), the amount of the fine that the ICO has issued is substantive.
What can we learn from this enforcement action?
There are several lessons that one can learn from the ICO's enforcement action against Doorstep and we have summarised our top 3 key lessons below.
Lesson 1: Engage and co-operate with all regulators. Regulators overseeing different sectors and areas do communicate and share information. When engaging and disclosing information to one regulator, an organisation should be mindful that such information can be shared with another regulator and it should act strategically, co-operatively and transparently when engaging with all regulators.
In Doorstep's situation, the ICO was made aware of its lack of care for special category data due to the Medicines and Healthcare Products Regulatory Agency ("Agency"). This is because the Agency was carrying out a criminal investigation into Doorstep and notified the ICO of its concerns with Doorstep's treatment of special category data. Instead of co-operating with the ICO from the onset, Doorstep ignored it, then denied any statements put forward by it and subsequently and wrongly appealed the information notice that the ICO had issued it. The time lost and the cost incurred certainly played a part in damaging its relationship with the ICO.
Lesson 2: Put in place policies and procedures that apply specifically to your organisation.
Organisations are required to have clear, detailed and tailor-made data protection policies and procedures. Merely populating a generic template (including those created by industry association bodies) with an organisations name and a few other sentences is not acceptable. Organisations should put in place documentation that is relevant and specifically applies to their business and is also effectively implemented by staff. Documentation must be regularly reviewed and updated.
In Doorstep's situation, the ICO ordered it to provide a copy of (a) its privacy notice; (b) a description of its technical and organisational measures to ensure the security of personal data; (c) its retention policy or equivalent guidance; and (d) its policy or guidance relating to the secure disposal of personal data. The ICO found Doorstep's policies were out of date (one being dated with 2015) generic (i.e. had been taken from the National Pharmacy Association) and were not incorporated and applied by the business (in that staff did not follow their internal procedure of shredding any waste that included special category data). The ICO was especially critical of the data privacy notice and highlighted that where special category data is being processed, it is imperative that an organisation has a detailed and informative data privacy notice.
Lesson 3: Ensure that your contractual relationships with clients and third parties consider data protection.
Organisations need to ensure that they have robust contractual arrangements that consider data protection with their clients and third parties. This may, for example, include incorporating an organisation's data privacy notice within its terms of business and ensuring that agreements with third parties that are data processors include the clauses required under Article 28(3) of the GDPR (click here to find out more). It's also important for an organisation to ensure that it manages its relationship with third parties and that its contracts are being performed accordingly.
In Doorstep's situation, it informed the ICO that it had a relationship with a company that was responsible for collecting and shredding its medical waste. However, as there was no contract in place, there was no evidence of such a relationship for the ICO to see. Doorstep also claimed that it should not receive a monetary penalty notice and instead it should be issued to its third party supplier, Joogee Pharma Limited which it does have a contract with. The ICO rejected this view and stated that Doorstep is a data controller and that Joogee Pharma Limited is a data processor which would act upon Doorstep's instruction. It is indicated that Doorstep did not manage its contractual relationship with Joogee Pharma Limited and was subsequently trying to pass the blame over to it.
Aria Grace Law
We advise large companies and legal service providers on data protection matters. We are experienced data privacy experts and can assist your organisation with reviewing and enhancing your data protection program as well as with engaging with regulators such as the ICO. If you would like to find out more or instruct us to help you, please contact us on compliance@aria-grace.com.
Privacy Update by Puja Modha, Partner at Aria Grace Law 14.01.2020