ICO ‘dispenses’ its first GDPR fine

The background

The ICO’s involvement followed a tip-off in July 2018 from the Medicines and Healthcare products Regulatory Agency (MHRA) which was conducting its own investigation into DD’s practices. Whilst executing a search warrant, the MHRA had discovered in a rear courtyard 47 unlocked crates, 2 disposal bags and a cardboard box containing an estimated 500,000 documents with names, addresses, dates of birth, NHS numbers, medical information and prescriptions. The documents weren’t secure or marked as confidential. Some were apparently soaking wet.

The ICO raised its concerns with DD in August 2018. Following DD’s refusal to provide the information requested, the ICO issued an Information Notice in October. The Notice was unsuccessfully appealed by DD to the First-Tier Tribunal on the basis that, since a criminal investigation was underway, DD shouldn’t be compelled to provide evidence which could be used against it in criminal proceedings. The outcome was that Information Notice was upheld. The Tribunal’s view was that DD could have simply relied on s.143(6) DPA 2018 to withhold information that might be self-incriminating – it would then be up to the Commissioner to decide whether to apply to the court to enforce the Information Notice or to cancel it. 

When DD did eventually respond to the upheld Notice, it didn’t provide the ICO with all the information requested. Further, in relation to the procedures and policy documents provided by DD, most dated from April 2015 (i.e. pre-GDPR) and were in vague terms. Some templates had been sourced from a trade association and didn’t appear to have been incorporated by DD.

A Notice of Intent to impose a £400,000 fine was issued by the ICO in June 2019 (i.e. the month before BA and Marriott received theirs, to great media fanfare following public disclosures by those controllers in compliance with separate regulatory obligations) along with a Preliminary Enforcement Notice. DD made some written representations. By November 2019 the MHRA had seemingly informed DD that it was taking no further action due to a lack of evidence.

The breach

The contraventions set out in the Monetary Penalty Notice can be grouped into two types:

1. Security (Articles 5(1)(f), 24(1) and  32 GDPR) – leaving documents outside in unlocked containers where they could be accessed by neighbours and damaged by water ingress from “careless” storage; documents not being securely shredded in breach of a relevant policy; policies being “out of date and/or inadequate and/or generic templates”; inadequate records; concerns about retention.

2. Transparency (Articles 13 and 14 GDPR) – various deficiencies in DD’s privacy notice.

DD tried the ‘not me guv’ argument, suggesting that the licensed waste disposal company it had contracted with was at fault and should be fined instead. The ICO wasn’t impressed. As controller, DD was responsible.

In its Monetary Penalty Notice, the ICO sets out, by reference to the list at Article 83(2) GDPR, the factors it considered relevant to whether a fine was appropriate and, if so, in what amount. Nothing of any great surprise in the ICO’s reasoning which lead it to conclude that the breach was “extremely serious, and demonstrates a cavalier attitude to data protection”.

Key takeaways

• This fine is almost 10 times more than the pre-GDPR £35,000 issued against Bayswater Medical Centre in 2018 for a not too dissimilar incident involving the insecure storage of a large number of patient files at a disused premises.
• The fine here was reduced by some 30% from an initial £400,000 in the Notice of Intent, to a final £275,000. Making proper representations in response to a Notice of Intent can therefore make a very sizable difference to the final amount payable. Don’t forget that the final decision can also be appealed to the First-Tier Tribunal. Indeed, there is perhaps more incentive to do so if the 20% early bird discount previously offered by the ICO for not challenging a decision and making prompt payment is no longer available – as was seemingly the case here.
• Be cooperative with the ICO from the start. That doesn’t mean bending to its will. But the poor level of cooperation, which included requiring multiple chasing emails from the ICO, was noted here, and reflected badly on DD.
• Changes made after an investigation has commenced (here, putting in place various policies – albeit incompetently) might be a mitigating factor, but aren’t relevant to how seriously defective the practices were at the date of the breach. The ICO did, however, give some credit for improvements in administrative controls, namely written policies, contractual arrangements and the level of staff training offered.
• Audit your service providers, especially on security matters, throughout the relationship lifecycle. If checks had been undertaken by DD, these would have likely picked up the lack of secure waste disposal (assuming it was the supplier’s fault, as DD claimed).
• When engaging suppliers, make sure you’ve got a contract in place (which complies with the GDPR, where relevant) and have thought about how realistically to recover your losses from your supplier where they’ve messed up and you’re left holding the baby.
• Don’t forget that it’s not just data subject complaints and news reports which trigger investigations – reports from other regulators can too.
• Whilst this decision wasn’t formally based on a contravention of the privacy by design and default requirements of Article 25 GDPR, the ICO’s observation that “there is little to no evidence that measures to ensure data protection by design and default were in place” should be read as a sign of a future area of focus – **accountability**.