The end of free movement: what SMEs need to know
Kim Vowden
The Information Commissioner has issued a monetary penalty notice (MPN) of £130,000 to Pharmacy2U, the UK's largest NHS-approved online pharmacy, after it sold the details of 21,500 customers to third parties through an online marketing company. The Commissioner’s enforcement activity to date has focussed predominantly upon data security breaches. This is the first MPN for a breach of the first data protection principle under the Data Protection Act 1998 (DPA), which concerns the fair and lawful processing of data. It provides both a reminder of the importance of the first principle and a lesson to all organisations about clear customer communication and consent.
Initially uncovered by a Daily Mail investigation, the Commissioner found that Pharmacy2U had advertised more than 100,000 customers' details – at £130 per 1000 customers – for rental through a marketing company, Alchemy Direct Media (UK) Ltd. In late 2014, Alchemy supplied a total of 21,500 Pharmacy2U customer names and addresses for use by a health supplement company, an Australian lottery company and a charity.
The first data protection principle, as outlined in paragraph 1, Schedule 1 of the DPA, requires personal data to be processed fairly and lawfully and in accordance with at least one of the conditions set out in Schedule 2 of the DPA, one of which is the provision of informed consent by the customer. The Commissioner found that Pharmacy2U had breached this principle and, given the severity and negligent nature of the breach, as well as the distress caused, issued a substantial fine.
Lessons to be learnt?
Whilst Pharmacy2U’s breaches were serious, there are important lessons to be learnt from the Commissioner’s decision for all organisations which process customer data:
Alongside the significant MPN, this issue will have taken a considerable toll upon Pharmacy2U’s reputation following the publication of the MPN and associated press attention. In this case, it is clear that the cost of not treating personal data of customers with proper care far outweighs the benefits of the sales. This is perhaps the most important lesson of all.
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.
We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.
Kim Vowden
Charlotte Stringer
Ilda de Sousa