First organisation in the UK penalised for breaching GDPR
The ICO announced on 20th December 2019 that it had fined Doorstep Dispensaree Ltd, a London-based pharmacy, £275,000 for failing to ensure the security of special category data as required by the General Data Protection Regulation (Regulation (EU) 2016/679). In particular, the ICO highlighted that the company had left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. These documents included names, addresses, dates of birth, NHS numbers, medical information and prescription details belonging to an unknown number of people. The ICO also pointed out that some of the documents had not been appropriately protected against the elements and were subsequently water-damaged. Doorstep Dispensaree had therefore failed to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss, destruction or damage, which is an infringement of the GDPR.
I know this is not an education organisation, but I have personally seen records stored in old shipping containers in the grounds of schools. Although locked, they were relatively easy to break into and, in more than one case, the top of the container had corroded to such an extent that water and vermin had got in and rendered the contents unsafe and needing to be destroyed. Whilst this was some years ago, we need to take heed of this warning and ensure all records are appropriately safeguarded!