Court of Appeal rejects appeal against ICO fine

December 2024

The very first fine the ICO issued under the GDPR was back in 2019. It was to a pharmacy, for storing unlocked boxes containing sensitive medical information in the yard behind its offices. More than five years later, the fine has yet to be paid.

The initial penalty notice was for £275,000 against Doorstep Dispensaree, a pharmacy in Edgware, North London. The company appealed, arguing the ICO's actions were disproportionate and failed to take into consideration the firm's financial hardship. It also argued that less personal information was affected than originally thought: 67,000 documents were involved, rather than the 500,000 the original enforcement notice cited. Furthermore, the pharmacy claimed its backyard storage area was largely secure from public access.

The fine was subsequently reduced to £92,000.

As an aside, I'd suggest this is still a huge number of records to store in unlocked boxes. The data concerned involved customers' names, addresses, dates of birth, NHS numbers, medical information and prescriptions.

This wasn't the end of it. Doorstep Dispensaree raised a subsequent appeal, arguing that the judge in the previous appeal had failed to recognise that the burden of proof lay with the ICO, and that undue weight had been given to the ICO's reasons for imposing and setting the penalty.

In a decision welcomed by the ICO, the Court of Appeal has now dismissed this appeal. It ruled that the burden of proof lies with the appellant, Doorstep Dispensaree, and that subsequent tribunals and appeals are not required to ignore the original monetary penalty notice when making their decisions.

Responding to the news, Information Commissioner John Edwards said, “I welcome the Court of Appeal’s judgment in this case as it provides clarity for future appeals. We defended our position robustly and are pleased that the court has agreed with our findings.”

The ICO has been much criticised for its lack of enforcement action under GDPR. It has issued multiple fines under the Privacy and Electronic Communications Regulations (PECR), but fewer under GDPR (now UK GDPR). This may be because violations of the PECR rules tend to be more clear-cut. While much of the criticism may be fair, I believe this case demonstrates the legal hurdles the Regulator can face when taking enforcement action. However, the more cases we get, the more case law we'll have for UK GDPR.