The pharmacy left 500,000 documents in unlocked containers at the back of its premises.
Failing to ensure the security of special category of personal data may trigger large fines under the GDPR.
Are your devices password-protected? Do you make sure that you only use cloud services that encrypt the data? If your answer to these questions is ‘yes’, then one could say that you have the cybersecurity essentials covered but… wait! This does not necessarily mean that the data you process is safe. What about physical security? This one is as important as cybersecurity, but businesses seem to care less about this because it is part of the ‘analogue world’. However, it involves several risks that have triggered some fines since the GDPR started to apply, specially when it comes to failing to ensure the security of special category of personal data.
The latest fine in this regard was imposed by the ICO on Doorstep Dispensaree Ltd, a London-based pharmacy, on 20th December. They will have to pay £275,000 for failing to ensure the security of special category of personal data.
The pharmacy left approximately 500,000 documents, dated between June 2016 and June 2018, in unlocked containers at the back of its premises. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
Unfortunately, similar breaches take place more often than what could be expected. A school was fined by the Spanish DPA (AEPD) in a similar sense last year. The employees of the cleaning service threw documents into a container, including student’s exams containing personal data, without taking appropriate measures for the destruction of such documents.
Why is this a breach of the GDPR?
Leaving any type of personal data in unlocked containers is a breach of the GDPR as anyone could access the information without any legitimate basis. Furthermore, in this case the documents contained health information, which is a special category of personal data that needs additional protection.
Failing to ensure the security of special category of personal data is therefore a serious breach of the GDPR.
What does the GDPR say?
Article 32.1 GDPR states that “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. It seems that the technical and the organisational measures were missing in this case, or at least they were not appropriate to ensure the level of security corresponding to the risk.