Legal News | 17.01.20
ICO Fines – Why you should ensure personal data is secure
Since the implementation of GDPR in May 2018, the Information Commissioner’s Office (ICO) has now started to impose fines on companies for failure to adhere to the new regulations. Wansbroughs will be keeping an eye on this topic and reporting any future updates. A couple of recent case examples are detailed below.
ICO fines Doorstep Dispensaree Ltd for failure to secure special category personal data
In December 2019, the Information Commissioner’s Office (ICO) imposed its first fine under GDPR of £275,000 on Doorstep Dispensaree Ltd (Doorstep) for failing to ensure the security of special category personal data.
Doorstep is a pharmacy business which supplies medicines to customers and care homes. Doorstep left 500,000 documents in unlocked containers at the back of its premises. These documents included names, addresses, dates of birth, NHS numbers, medical information and patients’ prescriptions (data concerning health is classed as special category personal data).
The ICO was first alerted to the situation by the Medicines and Healthcare products Regulatory Agency (MHRA), which was conducting its own investigation into the pharmacy for ‘alleged unlicensed and unregulated storage and distribution of medicines’. During its search of the property in July 2019, the MHRA discovered 50 unlocked containers containing personal data, dated from January 2016 to June 2018.
Doorstep Dispensaree believed the documents were stored in the correct way because the courtyard they were kept in was locked. However, the ICO did not accept this argument.
The severity of the penalty and enforcement notice shows the importance of ensuring adherence to GDPR rules, and the consequences the ICO will impose if they are not followed.
ICO imposes £500,000 fine for failure to secure the information of at least 14 million people
Back in January 2018, the Information Commissioner’s Office (ICO) fined Carphone Warehouse, which is part of the DSG Retail Limited (DSG) group, £400,000 after its computer system was compromised as a result of a cyber-attack in 2015. The company’s failure to secure the system allowed unauthorised access to the personal data of over 3 million customers and around 1,000 employees.
However, it seems as if the company has not learnt its lesson, and in January this year DSG was fined £500,000 by the ICO under similar circumstances.
The ICO investigation found that the cyber-attacker had installed malware on 5,390 point-of-sale tills at Currys PC World and Dixons Travel stores between July 2017 and April 2018, resulting in approximately 3,300 separate complaints to the company as of March 2019. The attacker managed to gain access to 5.6 million payment card details, as well as personal information from at least 14 million people. The personal information collected included names, email addresses, home addresses and previous credit checks.
The ICO found that the company had breached the Data Protection Act 1998 by having poor security and failing to take adequate steps to protect personal data, including inadequate software patching, the absence of a local firewall, and a lack of network segregation and routine security testing.
The ICO stated that, because of these failures, the compromise of the personal data involved would significantly affect individuals’ privacy, leaving customers vulnerable to financial theft and identity fraud. As a result, it fined the company the maximum possible amount of £500,000.
Because the acts occurred before the new General Data Protection Regulation (GDPR) came into force, the maximum £500,000 fine was all that could be imposed on DSG. However, if the acts had occurred in May 2018 or after, the fine could have been up to £17 million or 4% of the company’s global turnover. For DSG this could have resulted in a £172 million fine!
How can we help?
Investigations like this are serious, and companies need to make sure that they deal with them properly. If you suspect you may have breached any of the regulations under the GDPR, then specialist solicitors should be instructed.
The general rule is that you must ensure your processing of personal data is lawful, fair and transparent. There are many practical steps to follow to ensure compliance with GDPR, but these steps will differ for different types of business, and so an audit inspection may be the most effective way to determine them.
However, with the above cases in mind, it may be useful to get some legal advice on the condition of your company’s stored data anyway, to avoid finding yourself in a similar situation.
Last updated 17/01/2020