Following the ICO’s first fine under the GDPR in December since it came into effect, we revisit how the decision confirmed that the presence of a sub-contractor does not absolve a data controller of its responsibilities and obligations under the GDPR to ensure the security of any processing undertaken by it or on its behalf.
The fine of £275,000 was issued to Doorstep Dispensaree Limited (“Doorstep”), a pharmaceutical company that supplies medicines to care homes. In July 2018, the Medicines and Healthcare Products Regulatory Agency (“MHRA”) under separate investigation had found some 500,000 documents in unlocked containers at the back of the company’s premises in an open courtyard. It was as a result of the MHRA discovering and subsequently notifying the ICO that the fine was issued to Doorstep for failing to ensure the security of special category data.
The documents, the dates of which spanned over two years from January 2016 to June 2018, contained personal data such as customer’s names, addresses, dates of birth, NHS numbers and special category data such as medical and prescription information.
Doorstep was found to have processed personal data in contravention of a number of provisions of the GDPR, all of which together were serious enough to warrant a fine. However, what is of note is the fact that Doorstep sought to allege that any penalty should be issued against Joogee Pharma Limited (“Joogee”), a licensed waste disposal company operating under contract to Doorstep. Doorstep had explained to the ICO that it employed a company to collect and shred the medical data on its behalf. However, there was no contract between Doorstep and the company and some of the data dated back to 2016 and had remained unshredded.
Ultimately, the ICO determined that Joogee was a data processor acting on the instructions of Doorstep and carrying out data processing on its behalf. The ICO confirmed that it was appropriate to issue the penalty against Doorstep on the basis that it is Doorstep as controller that determines the purpose and means of the processing. The lesson to be learnt by all data controllers is that the presence of a sub-contractor does not absolve them of their responsibilities and obligations under the GDPR to ensure the security of any processing undertaken by them or on their behalf.
This begs the question; do you know whether your third party suppliers adhere to data standards and do you have sufficient contracts, policies, procedures and protections in place to help minimise the increased risks of data breaches through your supply chain? Please take a look at our article on the importance of supply chain security in SC magazine (register for free) if you’d like to know more.
Get in touch
Related insights & events
View all
Hot topics
Beyond Brexit
Helping you navigate your business through the risks and opportunities that Brexit will bring.
Read more
Retail Agility
The way people shop is constantly evolving, from the growth of online and the changing use of stores...
Read more
Business interruption disputes
The widespread disruption and closure of businesses caused by the Covid-19 pandemic and the subsequent national and local lockdowns has brought into sharp focus the question of available insurance cover for losses under...
Read more
Real estate taster videos
Watch our video series for information on the legal issues that are affecting the real estate sector. Each...
Read more
Transforming the leisure sector
The pandemic has had a deep and long-lasting effect on the leisure, food & drink sector, forcing operators to embrace new ways of attracting and servicing customers.
Read more
Evolving cities
The pandemic has forced the majority of the workforce into a world of remote working. As a result, our cities are evolving.
Read more
The countdown to Brexit and beyond podcast
Our countdown to Brexit and beyond podcast series looks at the impact for businesses on both sides of the pond of any free trade agreement between the UK and Europe and the UK and the US. This
Read more
Purple Pound
There's a growing demand for retailers to do more to attract the Purple Pound – the collective spending power of disabled shoppers, estimated to be worth around £274bn. We look at the opportunities, the legal issues and...
Read more
Green finance
Green finance is gaining speed, driven by global climate change pressures and the recognition of the vital role which sustainability plays in a resilient financial services sector.
Read more
Employment Law Focus podcast
Keep on top of the employment law issues that matter most to you and your business with our new podcast.
Read moreRelated services
Data privacy & cybersecurity
Data protection law is changing rapidly and mistakes can lead to significant financial penalties and reputational damage. We can help you secure your data and use it to its maximum potential.
Read moreData litigation
Our litigation team can deal with cyber or data protection litigation matters including claims by third parties and data subjects.
Read moreData breaches
We can help your organisation build resilience against breaches by coordinating baseline certifications, third party contracts, policies and testing. We offer CPD-accredited bespoke training and rehearsals for responding to incidents, meaning you’ll be equipped and know exactly how to act should a breach arise.
Read more