Fine for online pharmacy that sold the data of 20,000 customers
ONLINE pharmacy Pharmacy2U has been fined following an investigation into the selling of customers’ information by the Leeds-based firm.
The Information Commissioner’s Office fined the company £130,000 for selling the data of 20,000 customers through an online marketing list company, without informing customers; a breach of the Data Protection Act.
The ICO said that the NHS-approved pharmacy sold the names and addresses of the customers to companies including an Australian lottery company that is under investigation by Trading Standards and a health supplements company that has been cautioned for misleading advertising.
ICO deputy commissioner David Smith said:”Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable.
“Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.
“Once people’s personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”
More than 100,000 customer details were for sale, and the practice was uncovered by a Daily Mail investigation.
Daniel Lee, managing director of Pharmacy2U, said: “This is a regrettable incident for which we sincerely apologise.
“At the time, we believed we had the right processes in place to secure customer consent to receive third party marketing.
“While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter.
We take our responsibilities to the public very seriously and want to reassure our customers that no medical information, email addresses or telephone numbers were sold. Only names and postal addresses were given, for one-time use.
We hope that this substantial remedial action will reassure our customers that we have learned from this incident and will continue to do all we can to ensure that their data is protected to the highest level.”
