Following the ICO's first fine under the GDPR, issued in December, we revisit how the decision confirmed that the presence of a sub-contractor does not absolve a data controller of its responsibilities and obligations under the GDPR to ensure the security of any processing undertaken by it or on its behalf.
The fine of £275,000 was issued to Doorstep Dispensaree Limited ("Doorstep"), a pharmaceutical company that supplies medicines to care homes. In July 2018, the Medicines and Healthcare Products Regulatory Agency ("MHRA"), in the course of a separate investigation, found some 500,000 documents in unlocked containers in an open courtyard at the back of the company's premises. It was because the MHRA made this discovery and subsequently notified the ICO that the fine was issued to Doorstep for failing to ensure the security of special category data.
The documents, dated over a period of more than two years from January 2016 to June 2018, contained personal data such as customers' names, addresses, dates of birth and NHS numbers, and special category data such as medical and prescription information.
Doorstep was found to have processed personal data in contravention of a number of provisions of the GDPR, which together were serious enough to warrant a fine. Notably, however, Doorstep sought to argue that any penalty should be issued against Joogee Pharma Limited ("Joogee"), a licensed waste disposal company operating under contract to Doorstep. Doorstep had explained to the ICO that it employed a company to collect and shred the medical data on its behalf. However, there was no contract between Doorstep and that company, and some of the data dated back to 2016 and had remained unshredded.
Ultimately, the ICO determined that Joogee was a data processor acting on the instructions of Doorstep and carrying out data processing on its behalf. The ICO confirmed that it was appropriate to issue the penalty against Doorstep on the basis that it is Doorstep as controller that determines the purpose and means of the processing. The lesson to be learnt by all data controllers is that the presence of a sub-contractor does not absolve them of their responsibilities and obligations under the GDPR to ensure the security of any processing undertaken by them or on their behalf.
This raises the question: do you know whether your third party suppliers adhere to data standards, and do you have sufficient contracts, policies, procedures and protections in place to help minimise the increased risk of data breaches through your supply chain? Please take a look at our article on the importance of supply chain security in SC magazine (register for free) if you'd like to know more.