Last month the Information Commissioner’s Office issued a penalty against an on online pharmacy which had sold its customers’ details through a marketing list company.
Given the sensitive nature of the information which was held by the pharmacy, it is unsurprising that the regulator was concerned about the sales. It was not convinced that the option to change a setting in the customer account to opt out from having their details sold was sufficient to authorise the pharmacy’s acts.
It is apparent from the decision that the Commissioner took a dim view of the companies to which the pharmacy had sold the information, but this had no material effect on the decision as the Commissioner noted that it was unlikely that the pharmacy was aware of these.
The monetary penalty of £130,000 issued against the pharmacy was the first of its kind to be issued in the UK. The penalty greatly exceeds the amount of money the pharmacy generated though the sales and equates to a fee of around £6.50 per record sold.
The case highlights the increasing focus being placed on the protection of personal data, whether as a result of deliberate actions to profit from the data held (as was the case here) or as a result of publication by way of cyber attack (such as the recent Talk Talk attack).
Businesses, both offline and online, need to ensure that they have systems, controls and protection in place to prevent the unauthorised use of personal information. Where they propose to use information, they need to think carefully about the information they are using and what consent, if any, that has previously been received from their customers
An online pharmacy that sold details of more than 20,000 customers to marketing companies has been fined £130,000.
Pharmacy 2U offered the customer names and addresses for sale through an online marketing list company. Companies that bought the details included a health supplements company that has been cautioned for misleading advertising and an Australian lottery company subject to investigation by Trading Standards.