Online Pharmacy Fined for Selling Customer Information
In a move that sends out a clear message to other companies that the customer data they hold is not theirs to do with as they wish, the Information Commissioner's Office (ICO) recently fined a Leeds-based online pharmacy company £130,000 under the Data Protection Act 1998 for a serious contravention of the first data protection principle, which is that data must be fairly and lawfully processed.
Pharmacy2U Limited offered the names and addresses of its customers for sale through an online marketing list company. Amongst those who purchased the details were a health supplements company that has been cautioned for misleading advertising and an Australian lottery company subject to investigation by Trading Standards.
The ICO investigation found that Pharmacy2U had not informed its customers that it intended to sell their details, nor had the customers given their consent for their personal data to be sold on.
The incident was initially uncovered by a Daily Mail investigation, which found that more than 100,000 customer details had been advertised for sale. The database was listed as including people suffering from ailments such as asthma, Parkinson's disease, high blood pressure, diabetes, heart disease and erectile dysfunction, and as being able to be broken down into groups, such as 'men over 70 years old'. The records were advertised for sale for £130 per 1,000 records.
The ensuing ICO investigation found that the lottery company that bought customer records appeared to have deliberately targeted elderly and vulnerable individuals, and it is thought that some of the customers may have suffered financially as a result of their details having been passed on.
The Information Commissioner was satisfied that Pharmacy2U ought to have known that its customers had a reasonable expectation of confidentiality when using an online pharmacy, especially as its own website described the service as 'discreet and confidential', and that there was a risk that people might object to the sale of their data. The Information Commissioner also found that the company knew or ought to have known that the contravention would be of a kind likely to cause substantial damage or substantial distress and had failed to take reasonable steps to prevent it.
The civil monetary penalty is the first of its type.