There is always something to learn from other people's success. You can discover why they did well, perhaps find a critical point where you might have formed a different plan. You now know what works. It is the same with the mistakes of others, even where their errors of judgement were clear.

Pharmacy2U Ltd (PtU), the UK's largest NHS-approved online pharmacy, was hit with a £130,000 fine by the Information Commissioner's Office (ICO) under S. 55 of The Data Protection Act (DPA). Their offence involved the sale of the details of 21,500 customers to third party marketing companies.

The maximum possible fine was £500,000 for a serious breach of the DPA. Some feel they got away lightly. I'll list their errors.

On sign up

The procedure included an already ticked box that the customer had to untick if they did not want to receive marketing emails.

Their privacy policy, available via hotlink, stated: “Occasionally we make details available to companies whose products or services we think may interest our customers." Customers had to log into their account and change setting if they did not want to have their details given to third parties.

Care of the data

PtU entered into an agreement with another company to promote their lists for rental. PtU remained the data controller.

This company provided the lists of the 21,500 to three third party companies.

One of these companies was an Australian lottery company which used the dubious tactic of asking for money to qualify for prizes already won.

An executive of PtU stated: ". . . if we get any complaints I would like to stop this immediately." He also indicated that he viewed the marketing email as spam.

The ICO, receiving a complaint from the Daily Mail after an investigation, found:

1/ the data had been obtained unfairly because there was no overt statement that they intended to sell the details to a third party, and would not be in their expectation that they would;

2/ the method of opting out was not simple or straightforward;

3/ that as informed consent had not been given, there was a contravention of the DPA.

S. 55A of the DPA requires that substantial damage or distress must have been likely. The ICO concluded that there was.

The data included an age breakdown and a list of what conditions those in the age groups were likely to suffer from. These included problems which could be seen as distressing if revealed. In giving data to a pharmaceutical company, customers would, the ICO believed, reasonably expect confidentiality.

The lottery company appeared to have deliberately targeted elderly and vulnerable individuals. Another company had been subject to criticism previously by the ASA and their marketing emails might have encouraged recipients to stop taking prescribed medication.

There is more. See: https://ico.org.uk/media/action-weve-taken/mpns/1433030/pharmacy2u-ltd-monetary-penalty-notice.pdf

There are any number of points in this process where a supervisor/data controller should have picked up non-compliance and taken it further. It is difficult to believe that a company like PtU should allow itself to get into such a mess.

There is money in list selling. In this case it was £130 per 1000 addresses. This should be balanced against the fine and possible civil actions.