On 20 October 2015 the Information Commissioner’s Office, (ICO), announced that Pharmacy2U, an online pharmacy, had been fined £130,000 because it had been offering its customers names and addresses for sale
The ICO investigation found that, in breach of the Data Protection Act, Pharmacy 2U had not informed its customers that it intended to sell their details, and that the customers had not given their consent for their personal data to be sold on.
BACKGROUND TO THE CASE
Pharmacy2U is the UK’s largest NHS approved online pharmacy. It is registered with the General Pharmaceutical Council and the Care Quality Commission.
In order to access Pharmacy2U’s services, individuals have to complete a registration form on its website. This requires users to provide their name, sex, date of birth, postal address, phone number and email address.
The form contains a pre-ticked box that users can untick if they do not wish to receive marketing emails from Pharmacy2U. In order to submit the form, users have to click a button marked “Continue”. Above the “Continue” button, under the heading “Terms and conditions”, is the following statement: “By clicking continue you agree to our terms and conditions.”
The Pharmacy2U database lists were advertised for rental on the website of a 3rd party that Pharmacy2U had entered into an agreement with. That website stated, amongst other things, that customers of Pharmacy2U included NHS patients and listed their typical ailments, including asthma, high blood pressure, diabetes, heart disease, high cholesterol, Parkinson’s disease, epilepsy, erectile dysfunction, hair loss, weight loss, travel health, skin conditions, pain, migraine, cold and flu and nicotine replacement for smoking cessation.
In just 2 months in 2014 a total of 21,500 Pharmacy2U customers’ names and addresses were sold to three organisations: Griffin Media Solutions, (‘Griffin’) an Australian lottery company (‘the lottery company’) and Camphill Village Trust Ltd (‘Camphill’).
BREACHING THE DATA PROTECTION ACT
The ICO said that it would not be within a customer’s reasonable expectation that this form of disclosure would occur and that if a customer wanted to opt out of “selected company data sharing” they had to go to the trouble of logging into their account and changing the setting.
In the circumstances, Pharmacy2U’s customers did not give their informed consent to the sale of their personal data to third party organisations. This meant that Pharmacy2U did not have a lawful basis for processing the data under the DPA.
The ICO was satisfied that the contravention was serious due to the context in which the personal data was unfairly processed, the number of individuals affected (21,500) and the purposes for which the data was used.
This case shows the importance of respecting people’s privacy, the need to comply with data protection law and the risks of failing to do so.
Pharmacy2U had obtained their customer’s personal data legitimately and had indicted to them that such data would “occasionally” be shared with other organisations. However, Pharmacy2U made it difficult for customers to opt out of this and gave no true indication about the nature of the other organisations that their personal data would be shared with. This was all the more troubling given that many of those customers were elderly and that much of the personal data being shared was about the state of their health.
Organisations must appreciate that passing on personal data without the informed consent of the people that such personal data belongs to will mean that the use of that data will be deemed unfair and thus in breach of the DPA.