Since it’s a New Year, and an opportunity presented itself, I’m trying something new. In this series, if it continues, I will be looking at various incidents and pulling out the lessons we can, should, or must learn in security. This first article looks at the first penalty levied by the ICO under GDPR, against Doorstep Dispensaree.
There are a few lessons to pull out of this case, but for those who want to look at the details themselves the full ICO penalty notice is available from their website.
The ICO identified a number of failings after they were called in by the MHRA, who had found some curious containers while executing a search warrant for their own investigation. In a courtyard behind the premises they found:
- 47 unlocked crates
- 2 disposal bags
- 1 cardboard box
These unsecured containers, stored outside, contained around half a million documents – some water damaged – with personal information including medical and prescription information dating from 2016-2018. Shortly after they were informed, the Commissioner sent a request for additional information, a list which will be familiar to anyone who has banged their head against GDPR enough: data retention and disposal policies, privacy notice, explanation of why some data had been retained since 2016 and was stored in this way, and various other standard bits of evidence.
In response Doorstep Dispensaree did not cover themselves in glory by denying knowledge of the matter. Things escalated when they then refused to answer questions following a second request, apparently confusing the ICO and MHRA investigations. After an Information Notice was issued requiring the information, then appealed and upheld, they provided about half of the information claiming protection under the DPA 2018 that providing the rest would expose them to prosecution by the MHRA.
As part of their documentation, they did kindly provide the National Pharmacy Association template Data Protection Officer Guidance and Checklist, and Definitions and Quick Reference Guide. Other documents did not mention the GDPR, and the template were the original templates from the National Pharmacy Association.
In all Doorstep Dispensary were found to have contravened Articles 5, 13, 14, 24 and 32 to some degree or another. It’s a good thing for them that no information was stolen, as the ICO would have been unlikely to look on them kindly if anything had happened – especially as given the serious compliance failures it is unlikely any notification of the breach would have been forthcoming until the MHRA investigation flagged it up, and certainly not within the required 72 hours.
Doorstep Dispensaree failed to dispose of the data securely, fairly clearly as some of it dated from 2016. An attempt was made to have the penalty assigned to a waste disposal company, blaming them for not having picked up the waste, which the ICO dismissed. While no evidence that the company was contracted was provided, Doorstep Dispensaree also failed to implement their own claimed shredding procedures, and in any case as the data controller they are ultimately accountable for the breach.
Apparently storing sensitive personal information in unlocked boxes in an accessible yard is not considered secure storage or processing. As this is fairly obvious, the main point of interest here is that the ICO picked up on water damage to the documents being another failing. In information security terminology, there was a failure to ensure integrity and availability along with confidentiality. There is more to information security than simply locking data away.
The ICO commented that eventually Doorstep Dispensaree did provide a more comprehensive set of policies. Unfortunately many were still in template form and had been acquired as a response to the investigation. The lesson here is that once an investigation has started, it’s probably too late to start downloading policy templates – best to put a framework in place beforehand.
While the ICO were generous enough to only consider on-going infringement from May 2018, they remarked that the age of the data caused some concern about retention.
Your privacy notice requires you to state who the controller is and how to contact them, the nature of the processing and the basis (and with special category data the additional basis for processing), the categories of personal data you collect and work with, all parties involved in the processing of data, how long it is retained, the rights of the data subjects, and where personal data is collected. It must also be written in clear, unambiguous language and be freely available to data subjects.
What’s particularly interesting about this case compared to many of the headlines about cyber-related data protection incidents, is that no data was stolen. The fact that it could have led to distress and damage to individuals is sufficient.
The improvements Doorstep Dispensaree claims to be making have been taken into account, even though some of the policy documents presented are still in template format.
It is very clear that the lack of early co-operation did more to hurt than help Doorstep Dispensaree’s case. Later co-operation and attempts to improve were taken into account, and the original proposed penalty of £400 000 was finalised as £275 000.