A London pharmacy has incurred the UK’s first ever data protection fine of £275,000 for breaching the EU General Data Protection Regulation (GDPR).

Doorstep Dispensaree, has been fined £275,000 by the Information Commissioner’s Office (ICO) for its “cavalier attitude to data protection” after leaving 500,000 medical documents containing sensitive information in unlocked containers, disposal bags and in a cardboard box. 

The documents had been discovered whilst the Medicines and Healthcare Regulatory Agency (MHRA) were conducting an investigation into alleged unlicensed and unregulated storage.

According to an enforcement notice issued by the ICO, the documents included names, addresses, dates of birth, medical information, NHS numbers and prescriptions dated from between January 2016 to June 2018. 

The ICO said that the documents were “not secure and they were not marked as confidential waste”, stating that some “were soaking wet, indicating that they had been stored in this way for some time.”

These documents can allow data subjects to be identified and linked to data concerning their health. 

“Given the nature of Doorstep Dispensaree’s business supplying medicines to care homes, it appears likely that a high proportion of the affected data subjects are elderly or otherwise vulnerable,”

The Watchdog

The number of people affected by the breach cannot be confirmed, however it is estimated that the documents “related to around 78 care homes.”

“Regardless of the exact number of care homes involved, given the volume of documentation and size of Doorstep Dispensaree’s business, it appears likely that hundreds and possibly even thousands of data subjects have been affected,” read the notice.