The Information Commissioner has issued a monetary penalty notice (MPN) of £130,000 to Pharmacy2U, the UK's largest NHS-approved online pharmacy, after it sold the details of 21,500 customers to third parties through an online marketing company. The Commissioner’s enforcement activity to date has focussed predominantly upon data security breaches. This is the first MPN for a breach of the first data protection principle under the Data Protection Act 1998 (DPA), which concerns the fair and lawful processing of data. It provides both a reminder of the importance of the first principle and a lesson to all organisations about clear customer communication and consent.
Initially uncovered by a Daily Mail investigation, the Commissioner found that Pharmacy2U had advertised more than 100,000 customers' details – at £130 per 1000 customers – for rental through a marketing company, Alchemy Direct Media (UK) Ltd. In late 2014, Alchemy supplied a total of 21,500 Pharmacy2U customer names and addresses for use by a health supplement company, an Australian lottery company and a charity.
The first data protection principle, as outlined in paragraph 1, Schedule 1 of the DPA, requires personal data to be processed fairly and lawfully and in accordance with at least one of the conditions set out in Schedule 2 of the DPA, one of which is the provision of informed consent by the customer. The Commissioner found that Pharmacy2U had breached this principle and, given the severity and negligent nature of the breach, as well as the distress caused, issued a substantial fine. The decision notice can be read in full here.
Lessons to be learnt?
Whilst Pharmacy2U’s breaches were serious, there are important lessons to be learnt from the Commissioner’s decision for all organisations which process customer data:
Alongside the significant MPN, this issue will have taken a considerable toll upon Pharmacy2U’s reputation following the publication of the MPN and associated press attention. In this case, it is clear that the cost of not treating personal data of customers with proper care far outweighs the benefits of the sales. This is perhaps the most important lesson of all.
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.