Pharmacy2U fined £130,000 for selling customer data

The UK’s biggest NHS-approved online pharmacy, Pharmacy2U, has been fined £130,000 by the Information Commissioner’s Office (ICO) for breaching the Data Protection Act 1998 (DPA) by selling the details of more than 20,000 customers via an online marketing company. According to the ICO, companies that bought the information included “a health supplements company that has been cautioned for misleading advertising and an Australian lottery company subject to investigation by Trading Standards.”

Pharmacy2U didn’t inform its customers that it would sell their details, and customers didn’t give their consent for their personal data to be sold on. More than 10,000 customer records were offered for sale by Phramacy2U, including “people suffering from ailments such as asthma, Parkinson’s disease and erectile dysfunction. Breakdowns of customers, such as men over 70 years old, were available, and records were advertised for sale for £130 per 1000 records.”

ICO Deputy Commissioner David Smith said, “It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.”

Information security best practice

Protecting the customer data your organisations collects, processes and stores is essential to maintaining customer trust and avoiding financial penalties: the ICO can issue fines of up to £500,000 for breaches of the DPA.

Principle 7 of the DPA states that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data,” but as the ICO itself notes, ‘There is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.’

An information security management system (ISMS), as set out in the international standard ISO 27001, provides such a risk-based approach to information security. Implementing an ISMS enables organisations of all sizes, sectors and locations to mitigate the risks they face with appropriate controls. An ISMS addresses people, processes and technology, providing an enterprise-wide approach to protecting information – in whatever form it is held – based on the specific threats the organisation actually faces, thereby limiting the inadvertent threats posed by untrained staff, inadequate procedures and out-of-date software solutions.

Priced from only £380, IT Governance’s ISO 27001 Packaged Solutions provide unique information security implementation resources for all organisations, whatever their size, budget or preferred project approach. Combining standards, tools, books, training, and online consultancy and support, they allow all organisations to implement an ISMS with the minimum of disruption and difficulty.

27k consultancy packages banner