Pharmacy 2U offered the customer names and addresses for sale through an online marketing list company. Companies that bought the details included a health supplements company that has been cautioned for misleading advertising and an Australian lottery company subject to investigation by Trading Standards. The ICO investigation found that Pharmacy 2U had not informed its customers that it intended to sell their details, and that the customers had not given their consent for their personal data to be sold on. This was in breach of the Data Protection Act 1998 and the ICO has imposed a monetary penalty of £130,000 as a result.
This civil monetary penalty is the first of its type, with the company found to have breached the first principle of the Data Protection Act regarding fair and lawful processing of data.
ICO Deputy Commissioner David Smith said:
‘Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish. Once people’s personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.’
The incident was initially uncovered by a Daily Mail investigation.
More than 100,000 customer details were advertised for sale. The customer database was advertised as including people suffering from ailments such as asthma, Parkinson’s disease and erectile dysfunction. Breakdowns of customers, such as men over 70 years old, were available, and records were advertised for sale for £130 per 1,000 records. The ICO investigation found the lottery company that bought customer records appeared to have deliberately targeted elderly and vulnerable individuals, and it is likely that some customers will have suffered financially as a result of their details being passed on.
The full monetary penalty notice can be accessed here.
