Pharmacy fined £275,000 by ICO under GDPR
A London pharmacy has been fined for inappropriate handling of patient data which breached the General Data Protection Regulation (GDPR).
The pharmacy, which supplies medicines to customers and to care homes, was storing a large volume of documents containing personal information in unlocked containers at the back of its premises.
The documents in the containers included health information and prescriptions. The papers were water-damaged and were not held securely, as the area could be accessed by residents living in nearby flats. In addition, papers which were no longer required had been retained rather than shredded, contrary to the company’s Data Handling Policy.
Under the GDPR, firms can be fined for failing to process data in a way that secures against unauthorised or unlawful processing and accidental loss, destruction or damage.
The Information Commissioner’s Office (‘the ICO’) also found that the pharmacy’s data protection policies were inadequate and outdated, and insufficient records were kept of data processing activities and security measures. The ICO stated that the Privacy Notice provided by the pharmacy did not contain all of the information required by the GDPR. Given the highly sensitive nature of the data, and the vulnerability of the individuals affected by the data breach, the ICO stated that the breach was “extremely serious” and demonstrated a “cavalier approach to data protection”.
The pharmacy was also issued with an enforcement notice, requiring it to improve its data protection processes.
This case highlights the importance of regularly reviewing data protection policies and procedures to ensure that they are robust, up-to-date and being properly applied. As demonstrated by the ICO’s actions, failure to do so risks both substantial financial penalties and reputational damage.
If you have any queries about any aspect of Data Protection law, please contact Anna McCarthy or another member of our Data team.