Pharmacy fine a ‘first’ for UK’s ICO under GDPR

(United Kingdom) The ICO in the UK has issued its first GDPR fine, levying GBP 275,000 against a pharmacy company based in London. Compliance Week reports as follows:

The U.K. Information Commissioner’s Office (ICO) on Friday announced a £275,000 (U.S. $356,000) fine levied against London-based pharmacy Doorstep Dispensaree for violations of the EU’s General Data Protection Regulation.

The fine is the first the ICO has handed out under the GDPR, despite making headlines earlier this year with record-setting penalties against British Airways and Marriott. Both companies were issued notices of intention in July regarding their respective fines; the ICO has until six months from the date the notices were submitted to issue a final penalty notice, which can be appealed.

During the six-month period, British Airways and Marriott were each given 21-day windows to make representations to the ICO to fight their respective penalties. An ICO spokesperson recently told Compliance Week both cases are still ongoing.

In the case of Doorstep Dispensaree, the ICO cites failing to ensure the security of special category data as reason for the fine. The ICO said the pharmacy “left approximately 500,000 documents in unlocked containers at the back of its premises” and that the documents included names, addresses, dates of birth, National Health Service (NHS) numbers, medical information, and prescriptions belonging to an unknown number of people.

(Privacy press clipping sourced via Compliance Week)
Jurisdiction: United Kingdom

Key takeaways:


  • The report is somewhat puzzling, considering that both Marriott and British Airways were said to have been fined under the GDPR earlier in 2019. Compliance Week however points out that these cases involved notices of intention, rather than definite fines. The first definite GDPR fine goes to Doorstep Dispensaree Ltd, as issued by the ICO on 20 December 2019.

  • In information given to Compliance Week, the ICO has confirmed that both the Marriott and British Airways cases remain pending as company lawyers exercise their rights of appeal. As a recap, both notices of intention were for large amounts – GBP 99 million and GBP 183 million respectively.

  • The Doorstep Dispensaree Ltd fine was largely imposed as a regulatory response to the reportedly careless conduct of the company in handling a special category of personal data under the GDPR, namely medical information. The company’s medical files were stored at the back of one of its facilities, unlocked and apparently exposed to the elements. This manner of storage failed to adequately protect the data against accidental damage or loss. The ICO would have in mind the dissuasive effect of a monetary penalty upon the company. Fines are typically applied in cases which indicate that there has been carelessness or an intentional disregard of data privacy obligations.

Leave a Reply

Your email address will not be published. Required fields are marked *