Coronavirus and Police Use of Drones

The police have an important role to play in the current coronavirus lockdown. However, their actions must at all times be proportionate, transparent and (above all) lawful. Only yesterday, British Transport Police admitted they had wrongly charged a woman who was fined £660 under coronavirus legislation. Marie Dinou was arrested at Newcastle Central Station on Saturday after she refused to tell police why she needed to travel. A police and Crown Prosecution Service review said she was charged under the wrong part of the Coronavirus Act. The court will be asked to set the conviction aside.

This is not the only recent incident of the police overstepping the mark. By now most of us will have seen the story about a couple walking their dog in the Peak District. The video was filmed by a drone operated by the Derbyshire Police Drone Unit, and broadcast to the nation on BBC news. According to Derbyshire Police’s Twitter feed (which broadcast the same 90 second footage) the police force wanted to reinforce the government message of ‘stay at home’ and to point out this was not getting through, by effectively ‘shaming’ the couple who were captured on camera.

The video has sparked huge controversy in various circles, including the civil liberties campaign group Big Brother Watch and a leading member of the judiciary. According to the BBC, Big Brother Watch has described the move as ‘sinister and counter-productive’. Former Supreme Court judge Lord Sumption has also been very critical.
In BBC Radio 4’s World at One, Lord Sumption made it clear that the police have no legal power to enforce Government Ministers’ ‘wishes’ and guidance about non-essential travel. Although the government has enacted the Coronavirus Act 2020, this does not give the police any powers to stop individuals from non-essential travel or walking in isolated places. Lord Sumption’s criticism is most tellingly summed up in the following quotation:

“This is what a police state is like, it is a state in which the government can issue orders or express preferences with no legal authority and the police will enforce ministers’ wishes.”

At Act Now we are not able to comment on whether the police have the powers to do this, but we respectfully accept Lord Sumption’s view that they did not. Our concern is whether the filming and broadcasting of these individuals was GDPR compliant.
Our conclusion is that it was not.

The use of drones poses a privacy risk. The Police Force took the decision to process this personal data for their own purposes (“to get the message across”). They are therefore Data Controllers and must comply with the General Data Protection Regulation (GDPR) in relation to this processing. Images of individuals constitute personal data where it is possible to identify them from those images (GDPR Article 4(1)). It is entirely possible that the individuals captured in that Derbyshire police video could be identified by their clothing, hair colour and the presence of their dog.

Drones can be used to film people in many locations, often without the knowledge of those being filmed. In these circumstances, the processing of personal data must be lawful (GDPR Article 5(1)). It is questionable which Article 6 basis the police could rely on here. Arguably the processing is necessary for a ‘task carried out in the public interest’. However, one would have to ask why it was necessary to film and broadcast these individuals. The police could not rely on ‘legitimate interests’ because this basis does not apply to processing carried out by public authorities in the performance of their tasks (GDPR Article 6(1)(f)).

Even if the police could identify a lawful basis, the next question is whether this processing is fair. The ICO guidance states that Data Controllers should only process data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. I would argue that it is highly unlikely that anybody walking their dog in an isolated part of the Peak District would have any reasonable expectation that they would be secretly filmed by a drone and that their images would be broadcast to the nation in an attempt to shame them. So it seems highly unlikely that this processing is fair.

GDPR also requires transparency when processing personal data. This means data subjects should be made aware that their personal data is being processed and why.
The ‘normal’ transparency requirements (GDPR Articles 12-14) are less onerous for the police when they are processing personal data for law enforcement purposes under Part 3 of the Data Protection Act 2018. However, the police admitted themselves that the filming was for the purposes of ‘getting a message out’, and this does not fit easily within the definition of law enforcement purposes under S.31 DPA 2018. At best the police could try to argue that the processing was for the purposes of preventing threats to public security, but it is really difficult to see how this would succeed when it was just a couple walking their dog on an isolated stretch of path.

The police did not comply with the Information Commissioner’s tips on responsible drone use, in particular the advice about thinking carefully about sharing images on social media. The ICO cautions that drone users should avoid sharing images that could have unfair or harmful consequences. There is also little evidence that the Police had due regard to at least the first three guiding principles laid down in the Surveillance Camera Code of Practice or whether they conducted a Data Protection Impact Assessment.

On balance, Derbyshire Police’s decision to film individuals taking a walk in an isolated area, in order to get a message across about not travelling unnecessarily, was at best misguided and at worst unlawful. The coronavirus is changing almost all aspects of our daily lives, and social distancing and self-isolating are the new norms. However, when the police take action it is still vital that they comply with their legal obligations in relation to the processing of personal data.

More on this and other developments in our FREE GDPR update webinar. Looking for a GDPR qualification from the comfort of your home office? Our GDPR Practitioner Certificate is now available as an online option.


The Morrisons Supermarket Case: Employers Breathe a Sigh of Relief

Photo by Matheus Cenali on Pexels.com

The long-awaited decision in the Supreme Court appeal by Morrison Supermarkets was handed down yesterday. WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12 concerned an appeal by Morrisons from an earlier decision by the Court of Appeal. The latter agreed with the previous High Court judgment that Morrisons was liable for the actions of its former employee, who stole and then maliciously posted the payroll details of his colleagues online before leaving his job. Employers will now breathe a big sigh of relief. The earlier decisions seemed to suggest that no matter what precautions an employer takes, it would still be liable for the actions of its rogue employees.

Let’s look at the facts in a bit more detail before turning to the judgment.

The Facts

In January 2014 a file containing personal details of almost 100,000 Morrisons’ employees was posted on a file sharing website and later a CD, containing a copy of the data, was received by three UK newspapers. The file contained names, addresses, gender, date of birth, home and mobile phone numbers, National Insurance numbers, bank sort codes, bank account numbers and salary details. None of the newspapers published the story and one of them informed Morrisons who called the police after having the file removed from the file sharing website.

Andrew Skelton, a senior IT auditor at Morrisons, who had previously been subject to disciplinary action for another matter, had been tasked with preparing the file for Morrisons’ auditors, when he decided to take his revenge. He was charged with various offences and later sentenced to eight years in prison.

Over 5,000 employees of Morrisons later brought a group legal action for damages. They argued that Morrisons was liable for Skelton’s malicious misuse of their personal data. The judge ruled that Morrisons had not breached the Data Protection Act 1998 (this case started before GDPR came into force) because they had adequate security in place to protect the data, in compliance with the then 7th Data Protection Principle. He ruled that Morrisons was not primarily to blame for the incident but it was vicariously liable for Skelton’s malicious actions as his employer. The judge took account of, amongst other things, the fact that Morrisons had selected Skelton for a trusted position which involved transferring the personal data to their auditors, KPMG. The Court of Appeal agreed.

The Judgment

The case was primarily about the employment law principle of “vicarious liability.” It aimed to answer the question: when is an employer liable for the actions of an employee who deliberately behaves in a way designed to harm their employer and others? Are they still acting within the scope of their employment or “on a frolic of their own”? The facts of the case also meant that data protection officers and lawyers were watching with bated breath and asking “Can an employer be legally responsible for data breaches caused entirely by their employee?”

The Supreme Court unanimously allowed Morrisons’ appeal. It ruled that whatever Skelton was doing when he disclosed his colleagues’ personal data, he was not acting “in the course of his employment”, and accordingly no vicarious liability could be imposed.

However, Morrisons lost on the argument that the Data Protection Act 1998 (DPA) operated so as to exclude vicarious liability. This principle can also be applied to the GDPR, and so employers can “never say never” when it comes to vicarious liability for malicious data breaches by staff. It all depends on the facts of the breach.

This case only went as far as it did because the aggrieved employees failed to show, at first instance, that Morrisons was primarily liable for the data breach. If an employer fails to comply with its security obligations in a manner that is causally relevant to a rogue employee’s actions, it can still be exposed to primary liability under Article 32 of GDPR as well as the now 6th Data Protection Principle.

Practical Steps

Data Controllers and Processors need to consider doing the following:

  1. Check your data protection and security policies and procedures. Who has access to personal data? Is it based on a need to know? Are they a trusted employee?
  2. Undertake regular compliance and access audits and reviews. Carry out Data Protection Impact Assessments for high risk processing.
  3. Introduce mandatory (and refresher) data protection training for all staff. Our e-learning course is ideal for this.
  4. Revise your data breach notification procedure. Ask yourself what your detection and response capabilities are.
  5. Check your insurance policies. Are you covered for the actions of rogue employees as well as innocent ones?

More on this and other developments in our GDPR update webinar. Looking for a GDPR qualification from the comfort of your home office? Our GDPR practitioner certificate is now available as an online option.


Amazon: What does it know about us?

By Susan Wolf

If you are like me, and currently self-isolating, then it is entirely possible that you are spending more time than usual browsing the internet, doing online shopping, buying books on your Kindle or watching movies on Amazon Prime. However, if you are looking for something educational (and food for thought) then I would recommend you take the time to watch the Panorama documentary “Amazon: What They Know About Us” screened on BBC 1 on 17th February 2020. You can draw your own conclusions, but for me the documentary made scary viewing and raised so many data protection issues that it made my head ache.

The programme charts the almost exponential growth of Amazon from 1994, when it was an online book seller, to the current position as ‘corporate superpower’.
According to Wikipedia Amazon is now the second company in history to reach a market cap of $1 trillion and Jeff Bezos, Amazon’s Chief Executive and founder, is described as the richest person on the planet. Whilst a great deal of this is already well known, the programme sheds light on Amazon’s more recent entry into other markets, and it is these current and prospective ventures that are particularly concerning from a data protection and privacy perspective.

It’s all about the data

Right from the start, Amazon fully understood the value of personal data. Its mission to be the ‘earth’s most customer centric’ company sounds very positive. However, such ‘altruistic’ ambitions disguise the company’s mission of turning our personal data into big bucks. As one commentator, a Harvard Business School Professor, notes, users of Amazon are not in fact just customers, they are ‘sources of raw material’, and that raw material is the personal data that Amazon collects every time we interact with it.

So how does Amazon collect so much data?

As early as 1995 Amazon recognised that it could use the data supplied by its online purchasers, through their browsing history and online purchases, to predict what books, music or videos they might be interested in purchasing. Later it appointed computer scientists to use algorithms to record and track all the personal data to create ‘digital DNA profiles’ of customers. By selecting one individual customer it had the capacity to predict ‘everything about that person’ based on what that customer clicked and didn’t click (their click stream histories).

As Amazon expanded into Amazon Marketplace it invited other sellers onto the platform, in order to become the “everything store”. Amazon used a standard agreement with third party sellers that enabled them to sell their products on the Amazon platform, but effectively gave Amazon the rights over the sellers’ customer data.
These agreements allowed Amazon to operate as both a retailer and a marketplace, and to use customer data from third party sellers to secure a competitive advantage against them. In July 2019, the EU Competition Commission opened an investigation into the possible anti-competitive behaviour of Amazon, which could result in a fine of up to 10% of its annual global turnover under EU competition rules.

Of course, anybody using the Amazon website is entitled to review the company’s Privacy Notice to see what personal data is collected and why it is processed.
However, even to my relatively trained eye this doesn’t really convey the full extent of how much personal data Amazon collects from people whenever they use an Amazon service. One privacy campaigner made a request to Amazon for details of her click stream history (as anyone can do under the right of access using Article 15 of the GDPR). She was shocked to discover that 100 purchases had generated 15,000 pieces of information about her, based on her click stream. Amazon were able to tell which days she had taken holidays, or was sick, or when she couldn’t sleep at night.

The sheer volume of personal data that Amazon collects and processes is demonstrated by the fact that Amazon operated a data warehouse called ‘Helix’ to analyse customers’ personal data ‘over the entirety of their lifetime’. It processes the data of hundreds of millions of people worldwide.

What about Alexa?

The BBC documentary also touches on one question that I have frequently heard people ask: ‘Can Alexa (Amazon’s voice assistant) listen to my conversations?’. The answer is yes. Amazon acknowledges that their workers can listen to anything that you say when the Amazon Echo’s blue light is on, and some of these private conversations are transcribed. If that’s disturbing, then Amazon’s ambitions for Alexa are even more worrying.

Amazon aspires for most things in the home to be Alexa enabled. This could result in the entire activity in the home being recorded. The more people interact with Alexa the more information that Amazon will be able to collect, or as one person said, it wants everything that people do in their homes to be ‘mic’d’ and recorded.

Coupled with this, the company has obtained a patent that will enable Alexa to embed certain ‘sniffer’ algorithms to identify ‘trigger words’ that will enable Amazon to send direct marketing messages to Alexa users. Amazon says it has no current plans to do this, but equally it doesn’t rule out the possibility. Commentators say that this increased data collection, particularly collecting data about people in their homes, will enable Amazon to start influencing and shaping people’s behaviour, and that this constitutes a real threat to democracy and privacy.

Doorbells and Drones

In 2019 Amazon made nearly $12 billion profit and used some of that profit to buy into other lucrative markets that enable it to collect yet more data about people.
The BBC documentary charts the purchase of ‘Ring’, a manufacturer of smart video doorbells. These doorbells allow users to record anyone who comes to their door, and are marketed as a means of ensuring the security of people’s homes (see Ring UK). However, in practice they are most likely to capture images of friends and neighbours and people delivering goods. (Forgive me for being sceptical, but I wonder how many burglars or intruders are polite enough to ring first.) However, Amazon is known to have given 1000 ‘Amazon Ring’ doorbells to three police forces in the UK, and these are being embraced by Suffolk Police for their crime fighting potential. (Amazon may have provided free doorbells to other police forces but, in response to a BBC freedom of information request, only three police forces have confirmed that they have received the free doorbells.)

At this point you may be thinking that extra home security is a good thing. However, in America Amazon has created a ‘Ring Neighbours app’ that enables ‘Ring’ users to share footage with others to create a digital neighbourhood scheme. This data is being shared with 913 US police forces, who can obtain the data with the resident’s consent and without a warrant. There are concerns that the app may become available here in the UK.

According to Amazon, the Ring doorbells are not marketed as a surveillance device. However, Tony Porter, the Surveillance Camera Commissioner, considers that if the app were to be introduced into the UK it would change the dynamic of the surveillance from being a community form of reassurance to a state form of surveillance.
This clearly needs to be addressed by the Information Commissioner and through the General Data Protection Regulation. Tony Porter states that “we could end up living in a surveillance state.”

Then there is the Prime Air Drone, a delivery aerial drone equipped with cameras and sensors. Two weeks after its launch in 2019, Amazon was granted patent rights to allow it to use delivery drones for aerial home security. Amazon calls this ‘surveillance as a service’ and says that the drone would be an ‘opt in’ service. However, even a fully consented opt in by subscribers to this service would not address the privacy issues of others who would inevitably be filmed by such drones. According to the Surveillance Camera Commissioner, this could take us into a whole new area of unregulated territory and a shift into a surveillance state.

Save for some statements by the Surveillance Camera Commissioner, the documentary doesn’t address the data protection issues, in particular whether the activities of Amazon comply with the General Data Protection Regulation (GDPR). However, it quite clearly raises numerous issues about lawful and transparent processing and several other GDPR compliance issues.

Jeff Bezos’ take on this is that Amazon’s use of our data should be for us to decide. The implication is that if users aren’t happy then they don’t need to use Amazon services. However, as one former Amazon executive says, “don’t necessarily see it as Big Brother if it is done carefully”, which probably reflects the fact that most people don’t really know the full extent of what is going on.

Susan Wolf is an associate with Act Now Training.

More on this and other developments in our GDPR update webinar. Looking for a GDPR qualification from the comfort of your home office? Our GDPR practitioner certificate is now available as an online option.


Act Now Supporting Innovative Digital DPIA Project

Act Now Training is pleased to announce that it is supporting a new public sector collaboration to co-design and develop a digital approach to Data Protection Impact Assessments (DPIAs).

This innovative six month project will help Data Controllers conducting DPIAs to ensure that a ‘Data Protection by Design and Default’ approach is embedded into the process. The project is also supported by the Information Commissioner’s Office, NHSX and the Information and Records Management Society.

Greater Manchester Combined Authority, the London Office of Technology and Innovation, Norfolk County Council and the University of Nottingham are leading the project which follows on from a successful alpha phase undertaken last year. A full project overview can be read here: https://cc2i.org.uk/digital-dpia/

Ibrahim Hasan, Director of Act Now Training, said:

“We are really pleased to be supporting this innovative new project alongside the Information Commissioner’s Office, NHSX and the IRMS. A digital DPIA solution will be a valuable tool to help DPOs ensure that privacy and data protection are at the heart of every new data driven project.”

Are you a public authority wishing to share in this exciting new project and shape the future of the Digital DPIA? Using a proven co-funding approach (similar to crowdfunding, but on a corporate level), the collective is actively looking for partners to join them in this cost-neutral project.

A webinar on the project and approach is being hosted on Wednesday 12th at 2pm. Led by Stephen Girling, Information Governance Project Manager at GMCA and Lianne Hawkins, Head of Service Design at Looking Local, this webinar will cover:

  • The background and outcomes of the original Digital DPIA alpha project undertaken by GMCA – including the headline business case
  • The benefits of a uniform approach to DPIAs across public sector
  • The work packages planned to deliver a digital DPIA solution
  • Partner benefits and their motivation to be part of this collaborative approach
  • Project partners timelines & what’s involved

We would encourage all our blog subscribers to register for the webinar here: http://bit.ly/2ScGdi2. A recording of the webinar will also be available. For further details, please email irene.zdziebko@cc2i.org.uk.


PrivSec London Conference: Act Now Announces Winners of Free Tickets

Act Now is pleased to announce the winners of the 7 free delegate tickets for the PrivSec London Conference taking place on 4th and 5th February 2020. We are exhibiting at this two day event which will deliver top-level strategic content, insights, networking, and discussion around data protection, privacy and security. In addition to leading content, tickets will include refreshments, lunch and access to exclusive post-event content.

And the winners are…

1. Alison Hope of Greenwood Academies Trust
2. Tony Sheppard of GDPR In Schools
3. Rhiannon Platt of Royal Devon & Exeter NHS Foundation Trust
4. Jamie Pickering of The Valuation Office
5. Claire Owen of Cumbria County Council
6. Amanda Godridge of Hampshire County Council
7. Sam Smith of Herefordshire Council

Congratulations to all the winners who will receive an email informing them of how to claim their free ticket. Thank you to all of those who expressed an interest.

Act Now is in full conference mode now. Like last year, we hope to be exhibiting at the ICO Data Protection Practitioner’s Conference in Manchester.

In April, Ibrahim Hasan will travel to Las Vegas to address the 21st Annual NAPCP Commercial Card and Payment Conference. Ibrahim will be talking about the California Consumer Privacy Act (CCPA) which comes into force on 1st January 2020. It is sometimes known as the US equivalent of GDPR and provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

In May we will be exhibiting at the IRMS Conference in Birmingham. If you are attending any of these conferences, come and say hello on our stand and talk to us about our range of GDPR Update Workshops, E-learning and Certificate Courses (oh, and collect some freebies!).


The New Year Honours Data Breach

The New Year Honours list is supposed to “recognise the achievements and service of extraordinary people across the United Kingdom.” However, more media attention this year has been on the fact that, together with the names of recipients, the Cabinet Office accidentally published their addresses: a clear breach of the General Data Protection Regulation (GDPR), particularly the sixth data protection principle and Article 32 (security).

The Honours List file contained the details of 1097 people, including the singer Sir Elton John, cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen MoD employees and senior counter-terrorism officers, as well as holocaust survivors, were also on the list, which was published online at 10.30pm on Friday 26th December. The Cabinet Office said the list was downloadable from its website for around an hour and was taken down in the early hours of Saturday. The vast majority of people on the list had their house numbers, street names and postcodes published with their name.

Such a breach can result in the Information Commissioner’s Office (ICO) issuing a fine of up to 4% of a company’s annual global turnover or £17m, whichever is greater. It comes hot on the heels of the first GDPR fine, issued to a London based pharmacy. Doorstep Dispensaree Ltd was fined £275,000 for careless storage of the medical data of half a million people. We are also waiting for a final decision on whether, and how much, British Airways and Marriott International will be fined after both were issued with Notices of Intent for millions of pounds.

The Cabinet Office, which (ironically) manages the UK’s cybersecurity, has apologised for the breach and said it is investigating the cause. The ICO is also “making inquiries.” Can the Cabinet Office expect a large fine? Article 83(2) of GDPR requires the ICO, when deciding whether to impose a fine and the amount, to have due regard to various factors including (amongst others):

  • The nature, gravity and duration of the infringement
  • The number of data subjects affected and the level of damage suffered by them
  • The intentional or negligent character of the infringement
  • Any action taken by the responsible party to mitigate the damage suffered by data subjects
  • The degree of cooperation with the ICO, in order to remedy the infringement and mitigate the possible adverse effects of the infringement
  • The categories of personal data affected by the infringement
  • The manner in which the infringement became known to the ICO, in particular whether, and if so to what extent, it was notified of the infringement
  • Any other aggravating or mitigating factor applicable to the circumstances of the case

Whilst this data breach involved over 1000 people, the effect on each will be different. The leak could endanger the lives of some of them, e.g. police and government officials. “A number of those receiving honours are employed in extremely sensitive positions in the police and intelligence agencies,” Richard Walton, the former head of counterterrorism at Scotland Yard, told the Sunday Times.

“The release of the private addresses of these individuals into the public domain will mean that a threat and risk assessment will need to be undertaken resulting in some having new private security measures introduced into their homes,” he added.

The fact that the Cabinet Office took almost immediate action to remedy the situation and reported the data breach to the ICO will count in its favour. It has also said that it is contacting the individuals affected and providing them with guidance if they have security concerns. As long as the Cabinet Office can satisfy the ICO that it had appropriate security measures in place and staff were aware of their data protection obligations, my personal view is that the ICO will exercise one of its less serious corrective powers, under Article 58(2) of GDPR, most probably a warning. Depending on what it discovers during its investigation, it may also issue an Enforcement Notice under Section 149 of the Data Protection Act 2018.

Training and awareness of staff involved in the data breach will also be one of the areas the ICO will wish to focus on during its investigation. Most of the audits and advisory visits completed recently feature recommendations on this topic. (See for example the report into North Bristol NHS Trust and Essex Police.) Our new e-learning course, GDPR Essentials is ideal for training frontline staff.

Even if the ICO decides not to impose a fine, the Cabinet Office (at least in theory) faces the threat of legal action by those affected by the data breach. Articles 79 and 82 of GDPR give them a free-standing right to sue the Cabinet Office in the civil courts for compensation for the material and non-material damage suffered. A recent Court of Appeal decision, as well as S.168 of the DPA, makes it clear that this includes distress. Much depends on the attitude of the affected individuals. Many may just be grateful for the accolade and will not want to sour relations with the Government. Others may put it down to human error and move on.

The Guardian reports that it was alerted to the list by a member of the public. So what of those who managed to download the full list, with the addresses, in the hour or so that it was available? Section 170 of the DPA 2018 makes it a criminal offence to “… after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.”

There will be much to learn from the conclusion of the ICO’s investigation into this high profile data breach. Whatever the outcome, it has certainly highlighted the importance of getting data protection right. Furthermore, GDPR is now being mentioned in the same sentence as Sir Elton John, Ainsley Harriott and Olivia Newton-John. Proof, if it were needed, that data protection is cool!

These and other GDPR developments will be discussed in detail in our GDPR update workshop. Our new e-learning course, GDPR Essentials, will help you train your staff in 30 minutes. Watch the demo here.

Photo by bruce mars on Pexels.com


First Fine under GDPR

The Information Commissioner’s Office (ICO) has issued the first fine under GDPR to a London-based pharmacy. Doorstep Dispensaree Ltd has been issued with a Monetary Penalty Notice of £275,000 for failing to ensure the security of Special Category Data.

The company, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people. The ICO held that this gave rise to infringements of GDPR’s security and data retention obligations. Following a thorough investigation, the ICO also concluded that the company’s privacy notices and internal policies were not up to scratch.

The ICO launched its investigation into Doorstep Dispensaree after it was alerted to the insecurely stored documents by the Medicines and Healthcare Products Regulatory Agency, which was carrying out its own separate enquiry into the pharmacy. Steve Eckersley, Director of Investigations at the ICO, said:

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects and it falls short of what people expect.”

Doorstep Dispensaree has also been issued with an enforcement notice, under Section 149 of the Data Protection Act 2018, due to the significance of the contraventions. It has three months to:

Training seems to feature heavily in the ICO’s Enforcement Notice. GDPR requires all organisations to ensure that their employees are aware of their role in protecting personal data. How to do this without them spending valuable time away from the office or overspending the training budget?

GDPR Essentials is a new e-learning course from Act Now Training designed to teach those working on the frontline essential GDPR knowledge in an engaging, fun and interactive way. In less than one hour employees will learn about the key provisions of GDPR and how to keep personal data safe. Click here to read more and watch a demo.

After issuing Notices of Intent to two high profile companies for millions of pounds (British Airways and Marriott), the Information Commissioner has finally issued an actual fine, albeit for a much lower amount and to a less well known company. Data Controllers and Processors need to read the penalty notice carefully and ensure that they are not repeating the same mistakes as Doorstep Dispensaree Ltd.

These and other GDPR developments will be discussed in detail in our GDPR update workshop.
