The Information Commissioner’s Office’s (ICO) recent decision to fine a London-based pharmacy £275,000 for failing to ensure the security of special category personal data is significant for pharmacies. Richard Hough explains...

The decision is significant for pharmacies because it reinforces the importance of complying with the requirements of the General Data Protection Regulation (GDPR), which has been transposed into UK law by the Data Protection Act 2018, particularly when handling sensitive patient data.

What has happened?

Doorstep Dispensaree Ltd (DDL), a pharmacy-operating company, left approximately 500,000 documents in unsecured containers at the back of its pharmacy premises in Edgware. The information contained in the documents included the names, addresses, dates of birth, NHS numbers, medical information and prescription details of patients. 

The ICO was alerted to this matter by the Medicines and Healthcare products Regulatory Agency, which was already in the process of investigating DDL.

Under GDPR, processors of personal data must guarantee that such data is processed in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage; failure to do this is considered an act of infringement.

Upon investigation, Steve Eckersley, director of investigations at the ICO, stated that DDL “fell short of what the law expects… and of what people expect.”

Due to the significance of the breach, in addition to the fine, the ICO will now monitor DDL for a further three months.

What is significant about this decision?

Personal data that concerns a person's health is considered special category personal data under Article 9(1) of the GDPR. Such data is given extra legal protection because of its sensitivity. What is clear is that people are now more conscious of who holds and has access to their personal data, particularly when this data contains sensitive health information.

The ICO’s decision echoes this stance. It is therefore crucial that businesses, especially healthcare business such as pharmacies, which deal with large volumes of special category personal data, fully comply with GDPR requirements.

What can I do to manage the risk?

The ICO noted several aggravating factors which influenced the level of the fine. This included DDL’s out of date written procedures on handling personal data (and its non-compliance with its own procedures), DDL had no data retention policy (to ensure that data was not stored for longer than necessary) and the absence of measures to ensure that such a breach would not happen in the first place. The ICO additionally noted the cavalier attitude that DDL had towards data protection.

Data protection is often presented in a confusing and legalistic way. However, the best way to ensure GDPR compliance is to have in place a comprehensive, regularly audited and updated data protection policy to which all pharmacy staff adhere.

A good policy will comply with the following GDPR principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security) and; accountability.

All patient data must at all times be kept confidential and secure. If such data is stored on an online paperless system, you must make sure that you have encrypted it by using secure passwords.

Access to patients’ data should be monitored and any unsuitable access or use should be dealt with immediately.

You should ensure that you have reviewed the data you hold and have established and documented the lawful basis for processing (in the case of data derived from prescriptions, you would rely on the processing being necessary to comply with a legal obligation).

When storing records, there should be a justification for retention (for example, you should consider how long you should retain a patient’s special category personal data where the patient has died or if there are grounds for believing the patient no longer uses the pharmacy).

All staff who process personal data should be made aware of the importance of patient confidentiality and a pharmacy’s legal and professional requirements to comply with this legal obligation.

The DDL case highlights that the commercial consequences of non-compliance can result in large fines.

Pharmacy owners should be aware that ICO decisions are public, that negative attention is likely to be attracted to an infringing business and those patients who feel that a business becomes less trustworthy may be inclined to take their custom elsewhere, where they feel their information will be better protected.

GDPR compliance is therefore hugely important and pharmacy owners should continually audit their compliance, and make changes to their data processing practices where necessary.

Richard Hough is a partner at Brabners LLP.