Bitter Pill For The ICO To Swallow As Fine On Pharmacy Reduced

• Published date: 29 September 2021
• Subject Matter: Food, Drugs, Healthcare, Life Sciences, Privacy, Data Protection, Biotechnology & Nanotechnology
• Law Firm: Shepherd and Wedderburn LLP
• Author: Mr Ruairidh Leishman

In a recent appeal by a pharmacy, Doorstep Dispensaree Limited ("Doorstep"), against a Monetary Penalty Notice and an Enforcement Notice issued against it by the Information Commissioner's Office (the "ICO"), Doorstep was partially successful, specifically against the level of fine imposed by the ICO under the Monetary Penalty Notice. The decision of the First-Tier (Information Rights) Tribunal (the "Tribunal") provides guidance that is applicable to other cases involving monetary penalties imposed by the ICO for data protection breaches.

Doorstep's data breach

Doorstep operates as both a 'closed' online pharmacy and as a retail pharmacy. Following the execution of a search warrant by the Medicines and Healthcare Products Regulatory Agency ("MHRA") at Doorstep's premises relating to a different matter, the ICO was notified that 47 stacked, unlocked crates had been recovered from the yard at the premises, and that all of these contained personal data and special category personal data relating to Doorstep's pharmacy business. Approximately half a million records were said to have been recovered.

The fine

On 17 December 2019, the ICO issued Doorstep with a Monetary Penalty Notice and an Enforcement Notice under the Data Protection Act 2018 (the "DPA 2018"), and imposed a fine of '275,000. The ICO's Director of Investigations said "the careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss".

In setting the level of fine, the ICO only considered the contravention from 25 May 2018 - the date from which the GDPR came into effect in the UK.

The Tribunal's decision

On 10 February 2020, Doorstep appealed and the fine was reduced from '275,000 to '92,000, but the Enforcement Notice was upheld.

The first issue - where does the burden of proof lie?

Doorstep argued that the burden of proof lay with the ICO as the regulator. The ICO argued that the burden of proof was neutral, but that in any event, it was a secondary issue because the Tribunal had to carry out a full review of the merits and make new findings in fact.

The Tribunal said that when reaching its decision, it was not required to undertake a review of the reasonableness of the ICO's decision, but must decide whether it would reach the same decision itself on the basis of the evidence before it. However, it followed a Court of Appeal decision that said, "careful attention" must be paid to the reasons given by the ICO (as the original...