The first fine issued in the UK under the GDPR was reduced in August following an appeal.
In December 2019, the Information Commissioner's Office (ICO) issued a fine of £275,000 to a London-based pharmacy, Doorstep Dispensaree, for failing to protect special category data. The fine was large because the data was patient data and included NHS numbers, medical information and prescription details. The information was all held on paper, which was kept “out the back” of the pharmacy, and some of it was water damaged by the weather.
In fact, this storage solution would not have been appropriate for any personal data, nor for any records you might need to consult in future! But to store special category data in such conditions is particularly poor. Special category data is information that relates to physical or mental health, philosophical or religious beliefs, race, ethnicity, sexuality, biometric or genetic data, or details of trade union membership. These categories of personal data have been designated “special”, worthy of special attention and care, and organisations have a duty to respect this by affording them additional protection.
Initially, the ICO issued a notice of intent to fine the dispensary £400,000, but this was reduced to £275,000 after “representations” were made to the Regulator. This story illustrated well the additional care and attention the ICO expects from data controllers who handle this type of sensitive information. But it did not end there.
In spite of the ICO's reduction, the pharmacy appealed the fine. As a result, in August this year the amount was significantly reduced to £92,000 by a tribunal. One of the reasons given for reducing the fine was that the number of documents exposed was found to be lower than the Regulator had originally thought. The breach actually involved 66,638 documents rather than 500,000. Of those exposed, 53,871 contained special category data.
So far, the ICO has issued just five fines for breaches of the GDPR. While none has been completely overturned, three have now been substantially reduced, one is still under appeal and the fifth, a very recent case, is now very likely to be appealed. These reductions must raise questions about what authority the ICO has in practice to levy significant fines for breaches of the UK GDPR.
It is, of course, always worth bearing in mind the damage a well-publicised breach causes to an organisation's reputation and credibility. In the UK, the EU and the US, the public are increasingly turning to privacy campaigners to seek compensation on their behalf by launching group legal actions against companies that treat their personal data recklessly or negligently. Organisations still stand to lose out when they show disregard for people's personal data.