The Information Commissioners Office (ICO) has fined the Door Step Dispensaree £275,000 for failing to deal securely with paper records. There are some interesting elements to this case.
- The fine was for the lack of security over paper records. A reminder to organisations that the legislation doesn’t just relate to electronic information.
- Concerns about the security of information were reported to the ICO by the Medicine and healthcare Products Regulatory Agency (MHRA). It was as part of their inspection that they noted issues and reported them to the ICO. This shows that regulators are working together.
- Once the ICO started their enquiry it brought other issues and concerns to their attention.
Initially, the the storage of the paper records raised concerns. They were held unsecured, not marked as confidential and many of them were soaking wet. The Doorstep Dispensaree were asked by the ICO to provide information on their policies and procedures. Door Step Dispensaree declined to respond and the case was taken to court where they were told they had to provide the information. When they did respond, their policies and procedures had not been updated for many years and did not reflect the latest legislation. Most of the policies were also templates which had not been adapted to reflect the companies practices.
When the ICO issued their intent to fine Door Step Dispensaree, they stated that the fine should be issued against the waste disposal company that they were using, Joogee Pharma Limited. The ICO said that as Joogee were a data processor working on behalf of the Door Step Dispensaree and therefore working on their instructions, that Door Step Dispensaree were liable.
To make matters worse, the Door Step Dispensaree had not been following the procedures it had created with regard to retention and destruction and had not been shedding the confidential waste. They also did not have a contract in place with the waste disposal company, Joogee.
Additionally, the privacy notices that they had provided were inadequate and did not meet the standard required under GDPR.
Door Step Dispensaree ended up with a full review by the ICO and were found wanting in a number of areas. GDPR requires organisations to be able to evidence that they are complying with the legislation and Door Step Dispensaree could not provide this evidence, either in up to date policies or practices. It left the ICO no choice but to fine them for their poor practices.
How confident are you that your retention and destruction practices are secure?
If you want to see how long to retain information for have a look at our other blogs