Another fine mess?

Editorial Type: Feature. Date: 01-2020. Tags: Document, Compliance, Healthcare, Strategy, Records Management, Storetec
In light of a recent GDPR fine applied to a London pharmacy, Storetec's Amy Wright looks at the issues around GDPR and DPA compliance for organisations associated with sensitive health-related data

The Information Commissioner's Office (ICO) has reportedly fined a pharmacy in London for failing to securely store medical documentation. This is the first fine issued to a healthcare practice by the ICO under the General Data Protection Regulation (GDPR), which came into effect on the 25th May 2018.

The fine clearly shows how seriously the ICO is taking noncompliance and the importance of implementing a records management policy.

The organisation in question supplies prescriptions and medication to thousands of care home residents across the London area. The documents are extremely confidential in nature, containing personal information such as names, addresses, dates of birth, NHS numbers and prescription / medical information. Given the nature of the business, it appears that a high percentage of the affected individuals are elderly or vulnerable, making this incident extremely serious.

WAS THE DATA SECURE?
The ICO has reported that approximately 50,000 documents were stored outside in unlocked containers, disposal bags and cardboard boxes in the rear courtyard of the pharmacy's premises. As every healthcare practice will be aware, securely storing medical records, whether electronic or handwritten, is essential for patients' continuing care. Up to date records are also vital for defending complaints or clinical negligence claims that may arise in the future.

Storing confidential records in unlocked containers which are accessible to members of the public poses significant theft and fraud concerns. Furthermore, without adequate protection, the documents were at risk of accidental loss, destruction and damage. In a penalty notice the ICO confirmed that many of the paper-based documents had in fact been water-damaged.

Another point argued by the ICO was the business's failure to follow standard data handling procedures. For example, personal data dating back to 2016 hadn't been securely 'cross shredded' before its disposal as was detailed as a standard process in company documentation.

The regulator launched its investigation following an alert by the Medicines and Healthcare products Regulatory Agency (MHRA), which had been conducting enquiries into the business. According to the ICO's enforcement notice, the documents were not secure and not correctly marked as confidential waste. It is anticipated that the documents were associated with around 78 care homes across London, meaning hundreds, if not thousands, of individuals have been affected.

SPECIAL CATEGORY DATA
Another reason the ICO considered this breach to be serious was the sensitivity of the data at risk. The documents were classified as 'special category data' as in this instance, the records included information revealing or concerning an individual's health. Businesses who process such types of data are encouraged to implement appropriate policy documents in line with DPA 2018.

The ICO reported that failing to "process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage" is an infringement of the General Data Protection Regulation (GDPR). In particular, the privacy notice falls short of the requirements of Articles 13 and 14 of GDPR.

Failing to comply with GDPR can incur a hefty fine. The standard maximum amount for infringement of provisions such as administrative requirements is 10 million euros or 2% of the total annual worldwide turnover. The higher maximum amount can scale up to 20 million euros or 4% of total annual worldwide turnover.

The ICO has fined the London-based pharmacy £275,000; however, it has been alleged this fine could have been significantly more if the period included dates before the enforcement of GDPR in 2018.

HOW TO ENSURE COMPLIANCE?
At Storetec we always advise businesses to consider GDPR and implement a clear and defined records management policy. However, organisations who operate within the healthcare industry should be even more conscientious of this. Processing and storing special category data comes with great responsibility, and businesses should have robust security provisions to ensure documents are secure and protected.

As leading document scanning providers, we frequently receive enquiries from businesses who want to ensure they are complying with GDPR, but don't know where to start. We believe that online access to digitised documentation enables you to take control of your records, allowing for easy search with immediate and controlled access to the documents you need.

However, if document scanning isn't within your scope or budget, we also provide accredited document storage services. Unlike the pharmacy fined for noncompliance with GDPR, Storetec has invested in state-of-the-art storage facilities to give your documents the best security and protection. With internal and external CCTV, restricted building access controls and live box tracking, we can take care of your documents throughout their entire lifetime. We can even catalogue your records at document, file or box level, providing you with a clear inventory of your records in storage.

As for managing your archive of boxes, we have specially designed a cloud-based records management system called i-Trac, winner of Records Management Product of the Year 2019. On i-Trac, businesses can arrange the destruction of boxes which have met their retention date, order flatpacks for storage and request digital retrievals.

If you would like more information on GDPR or advice on how to ensure your company is compliant, please do not hesitate to contact Storetec. Whether you require a quick chat or would prefer to have a face-to-face meeting, we can help.
More info: www.storetec.net
