The Information Commissioner’s decision to fine Pharmacy2U (P2U) £130,000 for breaching the Data Protection Act by selling patient data has important lessons for all pharmacies, including those without an online business.
P2U sold data to an Australian lottery company which specifically asked for records of males aged over 70. The lottery company used the list to mailshot people, saying they had been "specially selected" to "win millions of dollars". Unbeknown to P2U, the lottery company was the subject of an international investigation into fraud and money laundering.
Another list was sold to a business that sells health supplements and which had previously been found to have published misleading advertising and unauthorised health claims.
The purchasers were told the lists included patients suffering from conditions that included high blood pressure, heart disease, epilepsy, erectile dysfunction, haemorrhoids and hair loss. The IC decided that the Act had been breached because personal data had been obtained unfairly: customers had not given informed consent to the sale of their details.
The IC found that substantial damage or distress would be caused, because P2U advertised its service as "discreet and confidential", and some people might be extremely worried that a third party could surmise that they were suffering from an embarrassing health condition. People who received marketing material about health supplements might buy something they read about in a misleading advertisement and use it instead of their prescribed medication.
The lottery company had targeted people it had identified as elderly and vulnerable, and ticket purchasers might have incurred serious financial loss.
The IC ruled that even though the breaches of the Data Protection Act were not deliberate, it should have been obvious to P2U that substantial distress or loss would be caused.
The level of fine indicates the seriousness with which health-related data breaches are viewed. Online businesses should review their privacy policies. All pharmacies should be mindful of how patient data is used. Even if data can lawfully be sold, it makes sense to find out how the data will be used, and consider whether the use would cause patients distress or loss.
This article was originally published in Chemist & Druggist, 11 January 2016