Layer 1

David Reissner: Pay attention to privacy

“All pharmacies should be mindful of how patient data is used”

Pharmacists should consider the feelings of patients when handling their data, says David Reissner

Pharmacy2U has been making the headlines for all the wrong reasons of late. First came the revelations in October of the sale of its patient data, and then the delay in medicines deliveries over Christmas, which resulted in a special General Pharmaceutical Council inspection.

It is easy to think these examples of bad practice have no relevance to ethical pharmacy businesses. But the Information Commissioner’s Office (ICO) decision to fine Pharmacy2U £130,000 for breaching the Data Protection Act has important lessons for all pharmacies, including those without an online business.

Pharmacy2U is the largest online NHS pharmacy and also provides non-NHS online services. To access Pharmacy2U's services, users have to provide their name, sex, date of birth, postal address, phone number and email address. Buried away in Pharmacy2U’s terms and conditions is a privacy policy. At the time data was sold, this informed users that their details might be passed on to other commercial organisations. This sounds like the opposite of a privacy policy, and Pharmacy2U have subsequently changed it.

Pharmacy2U sold data to an Australian lottery company, which specifically asked for records of males aged over 70. It used the list to mailshot people, saying they had been "specially selected" to "win millions of dollars". Unbeknownst to Pharmacy2U, the lottery company was the subject of an international investigation into fraud and money laundering.

Another list was sold to a business that sells health supplements and which had previously been found to have published misleading advertising and unauthorised health claims.

The purchasers were told the lists included patients suffering from conditions that included high blood pressure, heart disease, epilepsy, erectile dysfunction, haemorrhoids and hair loss. The ICO decided that the Data Protection Act had been breached because personal data had been obtained unfairly – customers had not given informed consent to the sale of their details.

The ICO found that substantial damage or distress would be caused, because Pharmacy2U advertised their service as "discreet and confidential", and some people might be extremely worried that a third party could surmise that he or she was suffering from an embarrassing health condition. People who received marketing material about health supplements might buy something they read about in a misleading advertisement and use it instead of their prescribed medication.

The lottery company had targeted people it had identified as elderly and vulnerable, and ticket purchasers might have incurred serious financial loss.

The IC ruled that even though the breaches of the Data Protection Act were not deliberate, it should have been obvious to Pharmacy2U that substantial distress or loss would be caused.

The level of fine indicates the seriousness with which health-related data breaches are viewed. Online businesses should review their privacy policies, and all pharmacies should be mindful of how patient data is used. Even if data can lawfully be sold, it makes sense to find out how the data will be used, and consider whether the use would cause patients distress or loss.

David Reissner is senior healthcare partner at law firm Charles Russell Speechlys ([email protected])

More from David Reissner


Does your pharmacy have a privacy policy? 

We want to hear your views, but please express them in the spirit of a constructive, professional debate. For more information about what this means, please click here to see our community principles and information


Leon The Apothecary, Student

Selling patient personal is fundamentally immoral in my personal opinion. One could argue that there is an implied level of discretion and professionalism expected of a pharmacy company such as Pharmacy2U. Hiding the rights to have patient's data sold inside the T&C with no ability to opt out was devious.

Job of the week

Pre-registration Pharmacists
West London, Surrey, Hampshire, Ken
On application