An online pharmacy that sold details of more than 20,000 customers to marketing companies has been fined £130,000.

Pharmacy 2U offered the customer names and addresses for sale through an online marketing list company. Companies that bought the details included a health supplements company that has been cautioned for misleading advertising and an Australian lottery company subject to investigation by Trading Standards.

The ICO investigation found that Pharmacy 2U had not informed its customers that it intended to sell their details, and that the customers had not given their consent for their personal data to be sold on. This was in breach of the Data Protection Act.

ICO Deputy Commissioner David Smith said:

“Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.

“Once people’s personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”

The incident was initially uncovered by a Daily Mail investigation.

More than 100,000 customer details were advertised for sale. The customer database was advertised as including people suffering from ailments such as asthma, Parkinson’s disease and erectile dysfunction. Breakdowns of customers, such as men over 70 years old, were available, and records were advertised for sale for £130 per 1000 records.

The civil monetary penalty is the first of its type, with the company found to have breached the first principle of the Data Protection Act regarding fair and lawful processing of data.

The ICO investigation found the lottery company that bought customer records appeared to have deliberately targeted elderly and vulnerable individuals, and it is likely that some customers will have suffered financially as a result of their details being passed on.

 

Notes to Editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  1. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  1. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.
  1. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection
  1. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
  2. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).