The Information Commissioner’s Office (ICO) has issued Pharmacy2U Ltd with a monetary penalty for breach of the first data protection principle (the requirement to process data fairly and lawfully). The penalty was imposed as a result of Pharmacy2U’s selling of personal data held to third party organisations, without obtaining the informed consent of customers to do so. The contravention necessitated a monetary penalty as the data included information about customers’ health conditions, would have included customers with chronic health conditions and was therefore likely to cause distress to those customers who had a reasonable expectation of confidentiality. It was also likely that some customers would have suffered financially as a result of the sale of data to one of the third parties. The ICO therefore imposed a penalty of £130,000.