Cordery

Legal.Compliance.

Doorstep Dispensaree Further Appeal Fails

Introduction

The UK’s Upper Tribunal (“the Tribunal”) recently rejected an appeal in the case of Doorstep Dispensaree Limited v The Information Commissioner (“the ICO”), including on the basis that the decision of the First-tier Tribunal did not involve an error on a point of law concerning the legal issue of which standard of proof should apply.

Previously the UK’s First-tier Tribunal reduced an ICO Monetary Penalty Notice (i.e. a “fine”) for data protection breaches imposed by the UK regulator the ICO under EU GDPR on the basis that the number of individuals affected by the breach had been significantly overestimated by the ICO; we wrote about that appeal here https://www.corderycompliance.com/doorstep-ico-fine-reduced/, and we wrote about the original ICO decision here https://www.corderycompliance.com/first-uk-gdpr-fine/. This article looks at this latest higher ruling in brief.

What’s this all about?

In July 2018 the Medicines and Healthcare Products Regulatory Agency (“MHRA”) undertook a search (under a warrant) at premises (a yard) used by a waste disposal business which had been tasked (as data processor) with destroying material containing personal data for which Doorstep Dipsensaree (a pharmacy) was the data controller. The owner of Doorstep Dipsensaree also owned the waste disposal business and the premises in question.

The MHRA informed the ICO that 47 stacked, unlocked crates had been recovered from the premises which contained both personal data and special category personal data that related to Doorstep Dipensaree’s pharmacy business. The MHRA subsequently sent the ICO a memory stick containing images and video footage of the premises at the date of the search warrant, as well as sample documents. The MHRA told the ICO that approximately 500,000 documents had been recovered and that the data in question concerned residents in care homes including the following data: names; addresses; dates of birth; National Health Service numbers; medical information; and, details of prescriptions. Similar material was also found in two disposal bags and in a cardboard box. Needless to say, under EU GDPR (and UK GDPR), being so-called special category data, health data requires extra protection.

In December 2019, having initially considered imposing a fine of £400,000, the ICO imposed its first fine under EU GDPR of £275,000 on Doorstep Dispensaree for leaving around half a million documents unsecured at the back of its premises.

At the time of the search, many of Doorstep Dipensaree’s data protection policies and procedures were not up to date and did not comply with EU GDPR: only two policies referred to EU GDPR, which were provided as blank templates; there was no data retention policy; the “Standard Operating Procedure – Disposals of Medicines Policy” had been backdated to August 2018, having been drawn up in February 2019; and, the other policy documents had not been updated to reflect EU GDPR. The ICO therefore also ordered Doorstep Dispensaree to comply with various measures including updating all of its policies and procedures to ensure data protection law compliance.

Doorstep Dispensaree appealed against the fine before the UK’s First-tier Tribunal which allowed the appeal in part (due to the lower number of documents containing special category personal data actually determined to have been involved) and cut the fine by two-thirds from £275,000 to £92,000; the compliance measures that the ICO had ordered Doorstop Dispensaree to undertake were upheld by the First-tier Tribunal.

Doorstop Dispensaree then brought an appeal to the Upper Tribunal, a number of which were fact-specific, also arguing that the so-called criminal standard of proof (beyond reasonable doubt) applied in appeals against the imposition of an ICO fine, rather than the lower civil standard (on a balance of probabilities).

What did the Tribunal rule?

All the grounds of appeal were dismissed by the Tribunal. As the Tribunal itself noted, the main issue of potentially wider interest in the appeal concerned the standard of proof in proceedings before the First-tier Tribunal in an appeal against an ICO fine. The Upper Tribunal decided that, in sum, in such proceedings, disputed matters of fact are to be resolved according to the civil standard of proof rather than the criminal standard (i.e. “balance of probabilities” rather than “beyond reasonable doubt”).

This is the first appeal concerning (EU) GDPR to be heard and decided upon by the Upper Tribunal.

What are the takeaways?

The takeaways for organizations are as follows:

  • It is always worth considering whether a fine for infringement of data protection/privacy law can be appealed – consider carefully reviewing the basis on which the regulator has based its findings and consequent fine;
  • Make sure that your policies and procedures are complete, up to scratch and up to date, including your respective data retention and data destruction/disposal policies;
  • Always ensure that you take special care with personal health data; and,
  • Last but by no means least, always make sure that you dispose of personal data securely, whether in electronic format or hard copy format!

Resources

We report about data protection issues here https://www.corderycompliance.com/category/data-protection-privacy/.

We report about compliance issues here https://www.corderycompliance.com/news/.

We have written about the ICO’s fine on B.A. here https://www.corderycompliance.com/ico-fines-ba-for-data-breach/ and the ICO’s fine on Marriott here https://www.corderycompliance.com/ico-fines-marriott-for-data-breach/.

The Upper Tribunal’s judgment can be found here: https://www.gov.uk/administrative-appeals-tribunal-decisions/doorstep-dispensaree-ltd-v-the-information-commissioner-2023-ukut-132-aac.

For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Jonathan Armstrong, Cordery, Lexis House, 30   Farringdon Street, London, EC4A 4HH André Bywater, Cordery, Lexis House, 30             Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784 Office: +44 (0)207 347 2365
Jonathan.armstrong@corderycompliance.com Andre.bywater@corderycompliance.com
 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.