'Cavalier attitude to data protection' attracts first UK GDPR fine

The UK Information Commissioner’s Office (ICO) has finally issued its first fine under the General Data Protection Regulation (GDPR). 

D

oorstep Dispensaree, a pharmaceutical supplier, has been fined £275,000 (NZ$539,000) for dumping 500,000 sensitive medical documents about aged care residents in unlocked containers outside its London premises. The ICO described the company as demonstrating a “cavalier attitude to data protection”. 

While the company acknowledged to some extent its failure to securely store or process the data, according to the ICO the company had “sought to downplay the seriousness” of breaches relating to its lack of appropriate privacy policies and procedures, including a suitable privacy notice. The ICO said it had found “considerable evidence of extremely poor data protection practice, amounting to significantly negligent conduct”.

Surely the ICO has already fined other companies?

But wait, I hear you say – what about the mega million-pound fines already awarded against British Airways (£183 million or NZ$359 million) and Marriott Hotels (£99 million or NZ $194 million)? Well, those were merely notices of an intention to fine each organisation, issued within days of each other in July 2019. 

The ICO has agreed an extension to 31 March 2020 before confirming each penalty. However, it has not yet offered any further details as to the progress of its investigations. That makes the Doorstep Dispensaree decision all the more interesting as we finally get to see some of the ICO’s reasoning as set out in the Penalty Notice.

Lack of accountability criticised

The ICO was highly critical of the company’s overall lack of transparency and accountability. The penalty notice states that Doorstep Dispensaree did not have appropriate privacy policies and procedures in place, and those that did exist were criticised as being “out of date…and inadequate and/or generic templates”. Moreover, practical information provided to staff about privacy was “vague”. 

Don’t overlook your privacy policy…

In the wake of the New Zealand Privacy Commissioner’s recent widely read blog post on consent and the need for easily accessible and comprehensible privacy policies under New Zealand privacy law, the ICO’s comments on the failings of Doorstep Dispensaree’s Privacy Notice are particularly relevant.

Doorstep Dispensaree’s Privacy Notice (usually referred to as a “privacy policy” in New Zealand) was found to lack much of the information required under the GDPR. The “very serious shortcomings in the information provided to data subjects” were considered to be a “significant infringement of the data subjects’ right to transparency”.

Poor privacy policies cause distress and confusion

It’s also interesting to see how the ICO characterises the likely damage to affected individuals, particularly in relation to the failings of the Privacy Notice. The ICO says the omission of the requisite information from the Privacy Notice “may have caused distress in the form of confusion or uncertainty about Doorstep Dispensaree’s processing of sensitive personal data”. 

Those statements were made even while the ICO noted that the data subjects were understood to be unaware of the breach. But it noted that if data subjects were to become aware of the breach, it “could cause high levels of distress”.

Originally published in CIO magazine, 29 January 2020.