ICO fines Pharmacy £275,000

Updated: Apr 14


The Information Commissioner’s Office (ICO) has fined a London-based pharmacy £275,000 for failing to ensure the security of special category data.


Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.


Full details of the investigation can be found here


The source for this article can be found here

The documents, some of which had not been appropriately protected against the elements and were therefore water damaged, were dated between June 2016 and June 2018. Failing to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage is an infringement of the General Data Protection Regulation (GDPR).


The ICO launched its investigation into Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy.




In setting the fine, the ICO only took into consideration the contravention from 25 May 2018, when the GDPR came into effect.


Doorstep Dispensaree has also been issued an enforcement notice due to the significance of the contraventions and ordered to improve its data protection practices within three months.

Failure to do so could result in further enforcement action.


Steve Eckersley, Director of Investigations at the ICO, stated:


The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects, and it falls short of what people expect.

