What does this cover?

On 14 October 2015, Pharmacy2U Ltd (Pharmacy2U) was issued with a £130,000 monetary penalty notice for breaches of the 1st Principle of the Data Protection Act 1998. This is the first fine ever issued for breach of the 1st Principle, which addresses the requirement for fair and lawful processing of personal data.

Pharmacy2U's breach involved the sale of customer details online. The company is one of the UK's largest NHS approved online pharmacy providers offering consumers such services as electronic prescriptions and online medical consultations. In order to make use of the service, customers are required to register online with the provider by filling in a form which requests details such as name, email, home address and date of birth.

In 2014 Pharmacy2U entered into a contract with Alchemy Direct Media (UK) Ltd (Alchemy) for services which included the promotion of the Pharmacy2U database for list rental on Alchemy's website.

According to the ICO's report in November and December last year, "Alchemy supplied a total of 21,500 Pharmacy2U customers’ names and addresses to three organisations: Griffin Media Solutions, an Australian lottery company (“the lottery company”) and Camphill Village Trust Ltd... On 9 December 2014, the lottery company ordered 3,000 records relating to males aged 70 or over who had used Pharmacy2U within the previous 6 months...."

The ICO determined that Pharmacy2U had "obtained personal data unfairly because its online registration form and privacy policy did not inform its customers that it intended to sell their details to third party organisations, in addition to sending out its own marketing material" nor did Pharmacy2U seek "informed consent to the sale of their personal data to third party Organisations".

To view the Pharmacy2U ICO Monetary Penalty Notice, please click here. 

What action could be taken to manage risks that may arise from this development?

Companies should ensure that their privacy policy details intended marketing activities and consent is obtained where necessary.