NHS-approved online pharmacy fined £130,000 for selling customer data

Pharmacy2U fined £130,000 by ICO

The UK’s largest NHS-approved online pharmacy has been fined £130,000 for selling details on over 20,000 customers to overseas organisations without customers’ permission.

Pharmacy2U was found to have advertised details on over 100,000 customers as being for sale, and sold 20,000. These details were often sold on the basis of why the customer had used the website, such as for conditions including asthma and Parkinson’s disease. The records were sold for as little as £130 per 1,000.

One particularly notable sale of customer data involved an organisation in Australia called The Lottery Company which used the information to contact people saying they had been “specially selected” to “win millions of dollars”.

Pharmacy2U was shown this wording and a company executive signed off the sale of the data despite being aware of its “spammy” nature.

“OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop this immediately,” the executive is reported as saying.

ICO deputy commissioner David Smith said it was “inconceivable that a business in this sector could believe these actions were acceptable”.

“Put simply, a reputable company has made a serious error of judgement, and today faces the consequences. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish,” he said.

Smith urged other organisations to heed the case as an example of the perils of agreeing to sell customer data to other organisations.

“Once people’s personal information has been sold on in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details,” he said.

Responding to the fine, Daniel Lee, managing director of Pharmacy2U, said that the company regretted what had taken place and had now agreed to no longer sell customer information.

“This is a regrettable incident for which we sincerely apologise,” he added.

Lee also looked to reassure customers that no medical information, email addresses or telephone numbers were sold, and that only names and postal addresses were sold for one-time use.

“Following this incident, we have changed our privacy policy to highlight that we will no longer sell customer data and have implemented a prior consent model for our own marketing,” he said.

The fine could fall to £104,000 if the company pays up by 13 November.

If the article suppose to have a video or a photo gallery and it does not appear on your screen, please Click Here

20 October 2015 | 1:43 pm – Source: v3.co.uk


Leave a Reply

Your email address will not be published.