On August 9, 2021, the UK First-Tier Tribunal (General Regulatory Chamber) (“FTT”) reduced a fine imposed by the UK Information Commissioner’s Office (“ICO”) against Doorstep Dispensaree Ltd (“DDL”) from £275,000 to £92,000, a reduction of approximately two thirds. DDL, which supplies medicines to customers and care homes, was fined in December 2019 for failure to comply with the EU General Data Protection Regulation (“GDPR”). The ICO also issued an Enforcement Notice, requiring DDL to take certain actions to bring its processing into compliance.

The fine was the first issued by the ICO under the GDPR, and was imposed after the ICO found that DDL had left approximately 500,000 documents, which contained names, addresses, dates of birth, NHS numbers, medical information and prescriptions, in unlocked containers at the back of its premises. This constituted a failure to secure personal data in accordance with Articles 5(1)(f) and 32 of the GDPR. In addition, the internal policies and consumer-facing privacy notices of DDL had not been updated to comply with the GDPR. The ICO’s Enforcement Notice required DDL to (1) update its internal policies, appoint an “Information Governance Lead” or Data Protection Officer; (2) provide mandatory training to employees; and (3) update its privacy notice to include all of the information required under the GDPR. DDL was required to take these actions within three months of the ICO’s issuance of the Enforcement Notice.

DDL appealed against both the fine and the Enforcement Notice to the FTT, arguing that the ICO’s actions were disproportionate and did not take into consideration the financial hardship faced by DDL. One of DDL’s key submissions was that, in reality, fewer than 67,000 documents containing personal data had been left exposed, rather than 500,000, and in addition, the yard in which they were stored was largely secure from public access. DDL also criticized the ICO for accepting the assertions made by the Medicines and Healthcare Products Regulatory Agency, which had carried out its own investigation of DDL’s practices prior to the ICO’s involvement, in particular with respect to the number of documents left exposed. The FTT agreed with DDL on this point, stating that the ICO had relied on evidence that was produced during an investigation that was carried out for a different purpose, and therefore lacked important details about the documents and personal data concerned. The FTT disagreed that the yard was secure, as it could be accessed via fire escapes by those in three nearby residential flats, as well as business visitors to the property.

The FTT agreed with the ICO with respect to the gravity of the GDPR breach, the potential for it to cause significant emotional distress to a vulnerable group of data subjects and the fact that DDL had been negligent with respect to its responsibilities as a controller. However, as the ICO’s fine was predicated on the presence of 500,000 documents containing personal data, and the true number was fewer than 76,000, the FTT determined that the fine should be reduced. The FTT noted that given the gravity of the contraventions and the aggravating factors considered, the reduction would not be by a percentage based solely on the smaller number of documents. The FTT ultimately reduced the fine by approximately two thirds, to £92,000, noting that where there is a serious contravention of the GDPR, a fine should not be avoided solely on the basis of the infringing organization’s financial position, and that DDL’s financial hardship had already been taken into account in an appropriate manner by the ICO.

DDL further objected to the ICO’s imposition of an Enforcement Notice, stating that it was inappropriate and unnecessary to issue a coercive notice given that the identified breaches of the GDPR had already, in DDL’s view, largely been remedied. The FTT considered the Enforcement Notice to be proportionate and reasonable, as DDL’s data protection policies were still not fully compliant more than a year after DDL had been made aware by the ICO of its concerns regarding these documents.

As part of its deliberations, the FTT considered whether the burden of proof with respect to non-compliance fell on the ICO or on the controller accused of non-compliance. The FTT determined that the initial evidentiary burden falls on the ICO to prove that an infringement has taken place. In addition, it was determined that the appropriate standard of proof with respect to imposition of an administrative fine was the civil standard (i.e., on the balance of probabilities).