The Information Commissioner’s Office (ICO) has fined a London-based pharmacy £275,000 for failing to ensure the security of special category data.
Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
The Information Commissioner stated that Doorstep Dispensaree contravened Articles 5, 24 and 32 of the GDPR, in that the firm failed to implement appropriate organisational measures to ensure the appropriate security of the personal data it processes, and has processed personal data in an insecure manner.
The Data Protection Act (DPA) contains enforcement provisions in Part 6, which are exercisable by the Commissioner. It provides that the Commissioner may, by written notice (known as a penalty notice), require the person to pay the Commissioner an amount in sterling specified in the notice.
The full notice can be read here