On August 9, 2021, the UK First-Tier Tribunal (General Regulatory Chamber) (“FTT”) reduced a fine imposed by the UK Information Commissioner’s Office (“ICO”) against Doorstep Dispensaree Ltd (“DDL”) from £275,000 to £92,000, a reduction of approximately two thirds. DDL, which supplies medicines to customers and care homes, was fined in December 2019 for failure to comply with the EU General Data Protection Regulation (“GDPR”). The ICO also issued an Enforcement Notice, requiring DDL to take certain actions to bring its processing into compliance.
The fine was the first issued by the ICO under the GDPR, and was imposed after the ICO found that DDL had left approximately 500,000 documents, which contained names, addresses, dates of birth, NHS numbers, medical information and prescriptions, in unlocked containers at the back of its premises. This constituted a failure to secure personal data in accordance with Articles 5(1)(f) and 32 of the GDPR. In addition, the internal policies and consumer-facing privacy notices of DDL had not been updated to comply with the GDPR. The ICO’s Enforcement Notice required DDL to (1) update its internal policies, appoint an “Information Governance Lead” or Data Protection Officer; (2) provide mandatory training to employees; and (3) update its privacy notice to include all of the information required under the GDPR. DDL was required to take these actions within three months of the ICO’s issuance of the Enforcement Notice.
DDL appealed against both the fine and the Enforcement Notice to the FTT, arguing that the ICO’s actions were disproportionate and did not take into consideration the financial hardship faced by DDL. One of DDL’s key submissions was that, in reality, fewer than 67,000 documents containing personal data had been left exposed, rather than 500,000, and in addition, the yard in which they were stored was largely secure from public access. DDL also criticized the ICO for accepting the assertions made by the Medicines and Healthcare Products Regulatory Agency, which had carried out its own investigation of DDL’s practices prior to the ICO’s involvement, in particular with respect to the number of documents left exposed. The FTT agreed with DDL on this point, stating that the ICO had relied on evidence that was produced during an investigation that was carried out for a different purpose, and therefore lacked important details about the documents and personal data concerned. The FTT disagreed that the yard was secure, as it could be accessed via fire escapes by those in three nearby residential flats, as well as business visitors to the property.
The FTT agreed with the ICO with respect to the gravity of the GDPR breach, the potential for it to cause significant emotional distress to a vulnerable group of data subjects and the fact that DDL had been negligent with respect to its responsibilities as a controller. However, as the ICO’s fine was predicated on the presence of 500,000 documents containing personal data, and the true number was fewer than 76,000, the FTT determined that the fine should be reduced. The FTT noted that given the gravity of the contraventions and the aggravating factors considered, the reduction would not be by a percentage based solely on the smaller number of documents. The FTT ultimately reduced the fine by approximately two thirds, to £92,000, noting that where there is a serious contravention of the GDPR, a fine should not be avoided solely on the basis of the infringing organization’s financial position, and that DDL’s financial hardship had already been taken into account in an appropriate manner by the ICO.
DDL further objected to the ICO’s imposition of an Enforcement Notice, stating that it was inappropriate and unnecessary to issue a coercive notice given that the identified breaches of the GDPR had already, in DDL’s view, largely been remedied. The FTT considered the Enforcement Notice to be proportionate and reasonable, as DDL’s data protection policies were still not fully compliant more than a year after DDL had been made aware by the ICO of its concerns regarding these documents.
As part of its deliberations, the FTT considered whether the burden of proof with respect to non-compliance fell on the ICO or on the controller accused of non-compliance. The FTT determined that the initial evidentiary burden falls on the ICO to prove that an infringement has taken place. In addition, it was determined that the appropriate standard of proof with respect to imposition of an administrative fine was the civil standard (i.e., on the balance of probabilities).
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code