The Information Commissioner’s decision to fine Pharmacy2U (P2U) £130,000 for breaching the Data Protection Act by selling patient data has important lessons for all pharmacies, including those without an online business.

P2U is the largest online NHS pharmacy and also provides non-NHS online services. To access P2U's services, users have to provide their name, sex, date of birth, postal address, phone number and email address. Buried away in P2U's terms and conditions is a privacy policy. At the time the data was sold, this informed users that their details might be passed on to other commercial organisations. This sounds like the opposite of a privacy policy, and P2U have subsequently changed it.

P2U sold data to an Australian lottery company which specifically asked for records of males aged over 70. It used the list to mailshot people, saying they had been "specially selected" to "win millions of dollars". Unbeknown to P2U, the lottery company was the subject of an international investigation into fraud and money laundering.

Another list was sold to a business that sells health supplements and which had previously been found to have published misleading advertising and unauthorised health claims.

The purchasers were told the lists included patients suffering from conditions that included high blood pressure, heart disease, epilepsy, erectile dysfunction, haemorrhoids and hair loss. The IC decided that the Act had been breached because personal data had been obtained unfairly: customers had not given informed consent to the sale of their details.

The IC found that substantial damage or distress would be caused, because P2U advertised their service as "discreet and confidential", and some people might be extremely worried that a third party could surmise that they were suffering from an embarrassing health condition. People who received marketing material about health supplements might buy something they read about in a misleading advertisement and use it instead of their prescribed medication.

The lottery company had targeted people it had identified as elderly and vulnerable, and ticket purchasers might have incurred serious financial loss.

The IC ruled that even though the breaches of the Data Protection Act were not deliberate, it should have been obvious to P2U that substantial distress or loss would be caused.

The level of fine indicates the seriousness with which health-related data breaches are viewed. Online businesses should review their privacy policies. All pharmacies should be mindful of how patient data is used. Even if data can lawfully be sold, it makes sense to find out how the data will be used, and consider whether the use would cause patients distress or loss.

This article was originally published in Chemist & Druggist, 11 January 2016