The Information Commissioner's Office (ICO) has issued its first (final) fine under GDPR against a company called Doorstep Dispensaree (DSD). As is the case with such Monetary Penalty Notices (MPN), the ICO set out detailed reasons identifying the breaches of data protection law which occurred and the basis for the level of fine. Here is a summary of the main points arising from the MPN:
- The case primarily related to the failure to deal securely with paper records. It is a reminder that compliance is not just about electronic data or unauthorised access to personal data;
- The breaches came to light as a result of an investigation by another regulator who then informed the ICO. This wasn’t the typical case started via a complaint by an affected individual. It emphasises that other UK regulators will tip-off the ICO if they spot non-compliant practices;
- This set off a chain of enquiry by the ICO that extended beyond the failures to deal securely with the paper records, to other issues such as a lack of basic data protection policies, sufficient guidance and training for staff, through to a failure to issue adequate privacy notices to individuals whose data was being used and stored. This is a common pattern in ICO investigations – initial concerns lead to wider questions about compliance which in turn attract higher sanctions;
- The ICO emphasised that the Controller couldn’t lay the blame on its waste disposal contractors. It was the Controller’s responsibility to have an effective contract in place with its contractors and to ensure that it was being complied with;
- Initially the ICO intended to levy a fine of £400,000 but appears to have reduced that to £275,000 having taken account of the impact a fine of £400,000 would have on this particular business.
A more detailed analysis of this decision is set out below.
Both in the build-up to GDPR, and following the announcement in July last year of the ICO’s intention to issue fines to British Airways and Marriott, a lot of commentary has understandably been focused on so-called “mega-fines” for personal data breaches. Final MPNs are still awaited in those two cases.
BA and Marriott involved third parties maliciously accessing massive amounts of data. In one sense the DSD case is more mundane. However, in another sense it is of greater interest because the errors that led to the ICO’s sanctions might resonate more with organisations on a day-to-day basis. DSD’s business involves supplying medicines to customers and care homes. It kept approximately 500,000 hard-copy records insecurely in bags, boxes and crates at the back of its London premises. The exact number of individuals involved was unclear, but the documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions of presumably numerous individuals with healthcare needs. Obviously, the medical data is particularly sensitive.
The storage of these records in this way first came to light when the Medicines and Health Regulatory Agency (MHRA) executed a search warrant at DSD’s premises as part of a criminal investigation into alleged unlicensed dealings in medicines by DSD. The MHRA then told the ICO, who contacted DSD. At first, DSD refused to cooperate. The ICO issued an information notice requiring answers to its questions. DSD unsuccessfully challenged the information notice in court and then twice missed deadlines to comply with it. DSD seemed to be concerned about incriminating itself in the context of the separate MHRA investigation if it answered some of the ICO’s questions, but that did not stop the ICO pressing on with its investigation (in the end the MHRA decided to take no further action in its criminal investigation).
Basic compliance failings
Although there was no specific incident arising from this careless approach that resulted in the need to report a personal data security breach, the ICO’s enforcement action focused primarily on breaches of principle and basic GDPR compliance requirements, in particular: (a) the Article 32 GDPR requirement that personal data be subject to both technical and organisational measures (appropriate to the nature of the data) to protect it adequately against unauthorised loss or access; and (b) the Article 13/14 GDPR requirement for transparency.
On the latter point, DSD was using wholly inadequate privacy notices (dating from several years before GDPR) that, amongst other things, omitted to inform data subjects about their rights and how to exercise them, as well as failing to identify what lawful grounds were relied upon to process the personal data.
Liability for sub-contractors
One argument advanced by DSD was to suggest that the ICO should instead take action against DSD’s waste disposal contractor. However, the ICO determined that the contractor was a Processor of the personal data in the documents, acting on DSD’s behalf. This is a useful reminder both of the starting position that Controllers will be held liable for the acts of their Processors (despite GDPR imposing some direct liabilities on Processors too), and of the fact that Controller/Processor relationships can frequently arise in the context of data held physically, as well as digitally.
Level of penalty
The initial lack of cooperation by DSD with the ICO was described as “poor” and an aggravating factor in the level of fine. However, some credit was given by the ICO for cooperation by DSD late in the day.
The ICO emphasised that the breach was serious (given the amount of personal data involved, the very sensitive nature of that data and the number of individuals affected, even if there was no evidence that any of the individuals were distressed – indeed, none of the affected individuals were probably even aware of the breaches). So, you do not need a hacking incident as a trigger in order for a breach to be deemed serious.
The failings in terms of the inadequate Privacy Notices were also a factor in the level of fine.
The penalty of £275,000 was reduced from the £400,000 that the ICO had initially intended to impose. The ICO made clear that the fine was judged at a level proportionate to the size of DSD, based on available financial information. Clearly, then, the comparative ability of a smaller organisation to pay a very large fine (compared to a BA or a Marriott) can be a factor in the level of financial penalty. The ICO also took into account that DSD had begun to take steps to improve on compliance. So, even belatedly taking such steps may help to reduce sanctions.
In addition to the fine, the ICO separately issued an Enforcement Notice requiring evidence of improved compliance within three months in the following areas: (a) policies and procedures to ensure data protection compliance; (b) updated Privacy Notices for individuals whose data is being used and stored by DSD; (c) training to staff; and (d) the appointment of someone to oversee compliance.
If you require further information about anything covered in this briefing, please contact Ian De Freitas, Henry Sainty, or your usual contact at the firm on +44 (0)20 3375 7000. Further information can also be found on our Data Protection page.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, January 2020