The long awaited and much anticipated first UK fine issued by the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR) has landed and it is certainly worth considering.

In July 2018, the ICO received an email from the Medicines and Healthcare Products Regulatory Agency (MHRA), who were investigating a London-based pharmacy in relation to alleged regulatory issues regarding the storage and distribution of medicines.

During their investigation, MHRA discovered what they estimated to be 500,000 documents in nearly 50 unlocked crates and bags, stored in a yard behind the pharmacy’s premises. These documents contained various personal data, including names, addresses, dates of birth, medical information and prescription information.

In light of the report made by MHRA, the Commissioner wrote to the pharmacy highlighting her concerns and requesting cooperation by the pharmacy with the ICO’s investigation into various allegations of breaches of the GDPR.

This marked the start of a lengthy period of poor-communication and co-operation with the ICO in which the pharmacy failed to respond, failed to respond adequately or provided insufficient and unsatisfactory information to the Commissioner.

The Commissioner found a clear breach of the GDPR in that documents were evidently not processed securely, as they were stored outside, in unlocked crates, many of which were exposed to the elements and were water damaged. The GDPR requires more than simply protecting against unauthorised or unlawful processing (which the pharmacy did not ensure in any event) but also protection against ‘accidental loss, destruction or damage’ of personal data.

Ultimately, the Commissioner considered the breach to be extremely serious. In deciding whether to levy a fine, and if so, what level of fine would be appropriate, the Commissioner had regard to a number of important factors, including:

  • The nature, gravity and duration of the breach. The Commissioner noted that special category data was involved, that data subjects were readily identifiable and linked to their medical information and that the dates of some of the documents (some dating back to 2016) suggested that the breach had been ongoing for a period of time.
  • The intentional or negligent character of the infringement. The Commissioner referred to the ‘considerable evidence of extremely poor data protection practice’ and the ‘cavalier attitude’ of the pharmacy in her report.
  • The little to no evidence that the pharmacy had implemented appropriate technical and organisational measures to ensure the protection of data, as required by the GDPR.

It is interesting to note that during the investigation period, the pharmacy did eventually provide a suite of data protection documents to the Commissioner. Many of these were draft guidance or still in template form and were therefore not adequate. The Commissioner particularly noted that the pharmacy’s privacy notice was lacking in key information required under the GDPR and that where policies were in place that on the face of it were factually compliant with the GDPR, the actions on the ground were certainly not.

As a result, the Commissioner levied a penalty in the sum of £275,000 against the pharmacy, which has one month to pay the fine. The pharmacy has also been issued with an enforcement notice, requiring it to update all policies and procedures within 3 months, and carry out mandatory staff training, among other requirements. The pharmacy is exposed to a further fine if it fails to meet the actions specified in the enforcement notice.

The considerations and reasoning behind the Commissioner’s decision to impose a fine under the GDPR make for an important and interesting read. It is clear that simply having purportedly compliant data protection documents in place is not sufficient enough to protect you in the event of a breach (although compliant documents are certainly a mitigating factor that will be considered). The Commissioner discussed in detail the significant failings of the privacy notice that the pharmacy had in place, highlighting further the need to have properly drafted documents.

The pharmacy’s failure to respond appropriately to the Commissioner was also a key consideration influencing the level of the fine. It is imperative to seek legal advice immediately if you find yourself on the wrong side of an ICO investigation. If you have received correspondence from the ICO, or require training or a data protection audit in order to draft compliant data protection documents, please contact Angela Gorton.

For those in the GP Practices sector,  a key point arising from this investigation, is that the ICO was ‘tipped-off’ about the potential data breach by the pharmacy’s regulator, who were on site investigating a separate, unrelated issue. Of course GP Practices are subject to routine regulatory scrutiny and are well versed in what is expected of them from the relevant regulatory aspect. This investigation serves as a reminder that data protection is a continuous obligation, investigations can be started from any number of sources, and indeed the ICO may simply decide to pay you a spot check visit.

It is therefore vitally important that data protection policies are always up to date and staff are adequately and regularly trained in data protection to ensure that the risks of a data protection breach are mitigated as much as possible. Here at Lupton Fawcett we are able to assist in all things GP Practices and data protection related, so please do not hesitate to contact, head of GP Practices, for further assistance.



Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.

Get In Touch Today!

Get In Touch Today!

Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at

  • This field is for validation purposes and should be left unchanged.