The penalty is due to be paid by this Friday (17 January 2020). However, being mindful that the penalty must be effective, proportionate and dissuasive the Commissioner decided to lower the proposed penalty, imposing a penalty of £275,000 instead. In assessing the appropriate penalty, the Commissioner referred to Doorstep’s breach as ‘extremely serious’, and one that demonstrated a ‘cavalier attitude to data protection’. This was rejected by the Commissioner, who was satisfied that Joogee had acted as data processor only, relying on Doorstep’s instructions and leaving it to Doorstep as data controller to determine the purpose and means of the data processing. Doorstep tried to suggest that any penalty should be issued against its licenced waste disposal company, Joogee Pharma Limited. The Commissioner originally proposed a penalty of £400,000 for Doorstep’s breach. However, upon inspection most of these documents had not been updated since April 2015, meaning they pre-dated the implementation of the GDPR by 3 years (not ideal in demonstrating GDPR compliance). The Commissioner then sent not one, but two chaser emails, with the second chaser threatening Doorstep with the issue of a penalty.ĭoorstep eventually responded to the questions on 1 March 2019, providing a number of data protection documents. The chain of events that followed resulted in Doorstep being issued with an Information Notice (which Doorstep unsuccessfully appealed), requiring it to provide the information initially requested by the Commissioner. Doorstep was also given a second chance when the Commissioner wrote again in September 2018 (repeating the questions about GDPR compliance) but it responded later that month with a further refusal to answer the questions. The Commissioner first wrote to Doorstep on 15 August 2018 with her concerns and a number of GDPR compliance questions, and whilst Doorstep responded via its solicitor 6 days later it failed to answer the Commissioner’s questions and instead tried to deny any knowledge of the matter. It’s worth noting that this fine wasn’t imposed without warning (or without the opportunity for Doorstep to address/explain its inadequate storing facilities).
In total the MHRA estimated there to be approximately half a million documents containing personal data.
#Jydge ito advise caution full#
The ICO found that Doorstep had failed in ensuring the security of special category personal data, following an investigation by the Medicines and Healthcare products Regulatory Agency (“MHRA”) that discovered:Īll packed full of poorly stored personal data (including NHS numbers, medical information and prescriptions), with nothing to mark the documents as confidential waste – the discovery was actually made in a rear courtyard with residential access, and some of the documents were sopping wet (suggesting that they had been there for some time). In a decision given just before Christmas, the ICO has imposed a hefty £275,000 fine on Doorstep Dispensaree Limited for its breaches of the GDPR.
0 kommentar(er)
