The U.K.’s data regulator has seen its first fine issued under the General Data Protection Regulation (GDPR) slashed by approximately two-thirds on appeal to £92,000 (U.S. $126,000).

Judge Moira Macmillan ruled the initial fine of £275,000 (then-U.S. $356,000) imposed on pharmacy Doorstep Dispensaree by the Information Commissioner’s Office (ICO) in December 2019 was disproportionately high because the data regulator had overestimated how many people might have been at risk as the result of a breach.

The ICO rapped Doorstep Dispensaree for its “careless” handling of sensitive personal data. The regulator said the company had left approximately 500,000 documents containing names, addresses, dates of birth, medical and prescription information, and National Health Service (NHS) numbers in unlocked containers at the back of its premises.

However, the tribunal judge said the ICO had not checked the figures upon being tipped off by the Medicines and Healthcare Products Regulatory Agency (MHRA), which had been carrying out its own regulatory enquiries into Doorstep Dispensaree at the time. Macmillan concluded only 73,719 documents had been seized by the MHRA as part of its probe, and that just 12,491 of those documents contained personal data. Further, 53,871 documents contained special category data.

Doorstep Dispensaree had tried to lay some of the blame on a waste disposal company, JPL, arguing that, as part of their arrangement, JPL had assumed the role of data controller. However, the judge maintained the pharmacy had overall responsibility.

Of the ICO’s five fines announced under the GDPR, three have been scaled back from their initially proposed values. Penalties against British Airways and Marriott International finalized in October 2020 were significantly reduced from their intended figures in part because of the effects of COVID-19.