Following the ICO’s first fine under the GDPR, issued in December, we revisit how the decision confirmed that the presence of a sub-contractor does not absolve a data controller of its responsibilities and obligations under the GDPR to ensure the security of any processing undertaken by it or on its behalf.
The fine of £275,000 was issued to Doorstep Dispensaree Limited (“Doorstep”), a pharmaceutical company that supplies medicines to care homes. In July 2018, the Medicines and Healthcare Products Regulatory Agency (“MHRA”) under separate investigation had found some 500,000 documents in unlocked containers at the back of the company’s premises in an open courtyard. It was as a result of the MHRA discovering and subsequently notifying the ICO that the fine was issued to Doorstep for failing to ensure the security of special category data.
The documents, dated between January 2016 and June 2018 (a span of over two years), contained personal data such as customers’ names, addresses, dates of birth and NHS numbers, as well as special category data such as medical and prescription information.
Doorstep was found to have processed personal data in contravention of a number of provisions of the GDPR, which together were serious enough to warrant a fine. Of particular note, however, is that Doorstep sought to argue that any penalty should be issued against Joogee Pharma Limited (“Joogee”), a licensed waste disposal company operating under contract to Doorstep. Doorstep had explained to the ICO that it employed a company to collect and shred the medical data on its behalf. However, there was no contract between Doorstep and the company, and some of the data dated back to 2016 and had remained unshredded.
Ultimately, the ICO determined that Joogee was a data processor acting on the instructions of Doorstep and carrying out data processing on its behalf. The ICO confirmed that it was appropriate to issue the penalty against Doorstep on the basis that it is Doorstep as controller that determines the purpose and means of the processing. The lesson to be learnt by all data controllers is that the presence of a sub-contractor does not absolve them of their responsibilities and obligations under the GDPR to ensure the security of any processing undertaken by them or on their behalf.
This raises the question: do you know whether your third-party suppliers adhere to data protection standards, and do you have sufficient contracts, policies, procedures and protections in place to help minimise the increased risk of data breaches through your supply chain? Please take a look at our article on the importance of supply chain security in SC magazine (register for free) if you’d like to know more.