£130,000 fine for being unfair

Pharmacy2U provides a number of online medical services (electronic prescriptions; online confidential medical advice and retail for medical products). To access these services, individuals have to provide personal information including their contact details, sex and date of birth.

Pharmacy2U is registered with the General Pharmaceutical Council, the CQC and had a current score of 83% on the NHS Information Governance Toolkit…where one requirement is that “consent is appropriately sought before personal information is used in ways that do not directly contribute to the delivery of care services.

But despite their good intentions, they somehow lost sight of a simple word: “fair” i.e. they did not stop to consider whether the way they collected personal information; and what they told their customers, was fair.

The ICO found that the Pharmacy2U online order form had a pre-ticked box permitting it to make customers’ details “available to companies whose products or services we think may be of interest.” The customer had to log into their account and change his/her settings to opt-out.

The ICO concluded that this amounted to obtaining the personal information unfairly – in breach of the First Principle, i.e. they found that the Pharmacy2U customers had not given their informed consent to the sale of their personal information to third parties.

The ICO noted that Pharmacy2U failed to take the reasonable step of displaying, in a prominent position on its website, a simple way for individuals to consent to the sale of their personal information.

Interestingly the ICO notes senior executives at Pharmacy2U signed off the sale of the personal information (a total of 21,500 records, to three organisations). In one case, where the sale was to an Australian Lottery company – who made clear that their marketing would be of the kind where the recipient has been “specifically selected” to “win millions of dollors” – the senior executive said “OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop the immediately.”


The First Principle is just the start: the Etherington Report into fundraising practice encourages “all fundraising organisations to make a public commitment, promising that they will review their use of donors’ personal data and take steps towards adopting a system of ‘opt in’ only in their communications.

And the long awaited EU General Data Protection Regulation (GDPR) will define consent in terms of UK data protection law for first time, as follows:

“…any freely given specific, informed and explicit indication of his or her wishes by which the data subject…either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;”

One charity – the RNLI – has made a bold first move – committing to only contact donors who have expressly given their permission for the RNLI to contact them.

With the cyber hack of TalkTalk still in the news, now is the time for all organisations – big and small – to assess how much personal information is currently held (i) without any consent (ii) on the basis of implied consent (such as opt-outs or soft opt-ins) and (iii) on the basis of explicit consent.