London pharmacy first to be fined under the GDPR

22nd January 2020 Media Law

The introduction of the General Data Protection Regulation (GDPR) in May 2018 bolstered significantly the powers of the Information Commissioner’s Office (ICO) and saw the introduction of much tougher fines where a data controller is found to have breached its data protection obligations. The ICO has the power to issue fines of up to €20m or 4% of annual global turnover, whichever is greater.

In what is understood to be the first fine issued under the GDPR, a London-based pharmacy has been fined £275,000 for its failure to properly store and ensure the security of “special category” patient data. “Special category” data includes health data, information about your sexuality or political beliefs. An enforcement notice was also issued requiring the pharmacy to improve its processes. 

Doorstep Dispensaree

Doorstep Dispensaree, based in north London, supplies medicines to customers and care homes. As part of its business, it holds sensitive patient data relating to its customers, including full names, dates of birth, addresses, NHS numbers and medical information.

The ICO launched an investigation following the Medicines and Healthcare Products Regulatory Agency (MHRA) raising concerns with the regulator about how Doorstep Dispensaree stored documents. At the time, it is understood that the MHRA was carrying out its own unrelated investigation into the pharmacy’s suspected unregulated and unlicensed distribution and storage of medicines.

Following the execution of a search warrant by the MHRA on 24 July 2018, it discovered that the pharmacy left approximately 500,000 documents containing sensitive patient data outside its premises in unlocked containers, including in crates, disposal bags and a cardboard box. Some of those documents had been destroyed by the rain, having been left exposed to the elements. The ICO concluded that documents may have been neglected for some time, since they were found to be ‘soaking wet’.

The MHRA’s enquiries suggested the data related to approximately 78 care homes but it is understood that this is disputed and the exact number of care homes involved could not be identified.

The investigation by the ICO

Following the execution of the search warrant by the MHRA, the ICO launched its own investigation. 

According to the official Penalty Notice issued on 17 December 2019, the pharmacy’s initial response seemed to indicate that it denied any knowledge of the alleged breach. The Commissioner subsequently issued an Information Notice compelling Doorstep Dispensaree to provide information about its processes. Doorstep Dispensaree unsuccessfully appealed that notice, and then subsequently failed to comply, referring to a concern that this may expose it to the risk of prosecution in the MHRA investigation. It did, however, provide a number of documents to the ICO on its data protection processes. (On 26 November 2019, the MHRA informed Doorstep Dispensaree it was taking no further action). 

Doorstep Dispensaree claimed documents were securely stored, as the courtyard in which they were stored was locked. This was not accepted by the ICO, who found that the courtyard could be accessed by residents in the flat above the branch through a fire escape. The ICO determined that Doorstep Dispensaree fell short of what the law, and people, expect in the protection of special category data.

Doorstep Dispensaree also suggested that any Penalty Notice should be issued against a waste disposal company it had contracted. Although, the ICO agreed that the waste disposal company might have been a data processor, it only acted under the instructions of the pharmacy and it was appropriate to issue the fine against Doorstep Dispensaree.

The Penalty Notice

The ICO concluded that in failing to process special category personal data in a manner to ensure appropriate security against unauthorised or unlawful processing, and the accidental loss, destruction or damage, and having failed to implement appropriate organisational measures, the pharmacy was in breach of its obligations as a data controller. A data controller’s obligations under the GDPR include protection against “accidental loss, destruction or damage” with the ingress of water a clear example of the pharmacy’s failure to take its obligations seriously.

In the first fine to be issued under the GDPR, the ICO fined Doorstep Dispensaree £275,000. In setting the fine, the ICO only considered contravention from 25 May 2018, when the GDPR came into effect. The ICO found the breaches by the pharmacy to be “repeated, and negligent in character”.

The fine stresses the importance of keeping patient data secure and disposing of any private information adequately and in line with the GDPR principles.

The ICO considered Doorstep Dispensaree‘s data protection policies fell far short of its obligations under the GDPR, having not been updated since April 2015 and with a failure to properly implement those policies said to be in place, including destruction policies. Doorstep Dispensaree was also issued with an enforcement notice, given the severity of its contraventions, and ordered to improve its processes within 3 months, or face further fines. 


The breach by Doorstep Dispensaree could affect hundreds, if not thousands, of customers.

Individuals impacted by the data leak also have the option of claiming compensation. Due to the severity of the breach and the sensitive personal data disclosed as a result, those claims may be substantial. 

If you have been affected by this breach, or believe that your personal data may have been unlawfully processed, please get in touch with the Data Law team at JMW Solicitors.

We're Social

Rebecca Young is a Partner located in Manchesterin our Commercial LitigationMedia LawIntellectual Property departments

View other posts by Rebecca Young

Let us contact you

View our Privacy Policy

Areas of Interest