London | Manchester | Birmingham | Newcastle | Hull

Secure your data - call (0800) 612 4065

Contact Us Today
Blog /

GDPR Pharmacy fine: how your practice can ensure compliance

GDPR Pharmacy fine: how your practice can ensure compliance

The Information Commissioners Office (ICO) has reportedly fined a pharmacy in London for failing to securely store medical documentation. This is the first fine issued to a healthcare practice by the ICO under the General Data Protection Regulation (GDPR) which came into effect on the 25th May 2018.

The fine clearly shows how serious the ICO is taking noncompliance and the importance of implementing a records management policy.

The company

The organisation in question supplies prescriptions and medication to thousands of care home residents across the London area. The documents are incredibly confidential in nature, containing personal information such as names, addresses, date of births, NHS numbers and prescription / medical information. Given the nature of the business, it appears that a high percentage of the affected individuals are elderly or vulnerable, making this incident extremely seriously. 

Was the data secure? 

The ICO has reported that approximately 50,000 documents were stored outside in unlocked containers, disposal bags and cardboard boxes in the rear courtyard of the pharmacy’s premises. As every healthcare practice will be aware, securely storing medical records, whether electronic or handwritten, is essential for patients continuing care. Up to date records are also vital for defending complaints or clinical negligence claims that may arise in the future. 

Storing confidential records in unlocked containers which are accessible to members of the public poses significant theft and fraud concerns. Furthermore, without adequate protection, the documents were at risk of accidental loss, destruction and damage. In a penalty notice, the ICO confirmed that many of the paper-based documents had in fact been water damaged.

The ICO reported that failing to “process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage” is an infringement of the General Data Protection Regulation (GDPR). In particular, the privacy notice falls short of the requirements of Article 13 and 14 of GDPR. 

The ICO have fined the London based pharmacy £275,000; however, it has been alleged this fine could have been significantly more if the period included dates before the enforcement of GDPR in 2018.

How to ensure compliance? 

We always advise businesses to consider GDPR and implement a clear and defined records management policy. However, organisations who operate within the healthcare industry should be even more conscientious of this. Processing and storing special category data comes with great responsibility, and businesses should have robust security provisions to ensure documents are secure and protected.  

As leading document scanning providers, we frequently receive enquiries from businesses who want to ensure they are complying to GDPR, but don’t know where to start. We believe that online access to digitised documentation enables you to take control of your records, allowing for easy search with immediate and controlled access to the documents you need.

However, if document scanning isn’t within your scope or budget, we also provide accredited document storage services. Unlike the pharmacy fined for noncompliance to GDPR, Storetec have invested in state of the art storage facilities to give your documents the best security and protection. With internal and external CCTV, restricted building access controls and live box tracking, we can take care of your documents throughout their entire lifetime. We can even catalogue your records on document, file or box level, providing you with a clear inventory of your records in storage.

As for managing your archive of boxes, we have specially designed a cloud-based records management system called i-Trac. Winner of Records Management Product of the Year 2019, on i-Trac businesses, can arrange the destruction of boxes which have met their retention date, order flatpacks for storage and request digital retrievals.

If you would like more information on GDPR or advice on how to ensure your company is compliant, please do not hesitate to contact us. Whether you require a quick chat or would prefer to have a face to face meeting, we can help.