DATA PROTECTION ACT 1998

SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER

MONETARY PENALTY NOTICE

To: Pharmacy2U Ltd
Of: 1, Hawthorn Park, Coal Road, Leeds, LS14 1PQ

1. The Information Commissioner (“Commissioner”) has decided to issue Pharmacy2U Ltd (“Pharmacy2U”) with a monetary penalty under section 55A of the Data Protection Act 1998 (“DPA”). The penalty is being issued because of a serious contravention of the first data protection principle by Pharmacy2U.

2. This notice explains the Commissioner’s decision.

Legal framework

3. Pharmacy2U is a data controller, as defined in section 1(1) of the DPA, in respect of the processing of personal data. Section 4(4) of the DPA provides that, subject to section 27(1) of the DPA, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which he is the data controller.

4. The relevant provision of the DPA is the first data protection principle which provides, at Part I of Schedule 1 to the DPA, that:

“1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met”.

5. Interpretative provisions in Part II of Schedule 1 to the DPA provide that:

“1.- (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.

(2) ….

2.
– (1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless (a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and (b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).

(2) In sub-paragraph (1)(b) “the relevant time” means (a) the time when the data controller first processes the data, or (b) in a case where at that time disclosure to a third party within a reasonable period is envisaged (i) if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed, (ii) if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to such a person within that period, the time when the data controller does become, or ought to become, so aware, or (iii) in any other case, the end of that period.

(3) The information referred to in sub-paragraph (1) is as follows, namely (a) the identity of the data controller, (b) if he has nominated a representative for the purposes of this Act, the identity of that representative, (c) the purpose or purposes for which the data are intended to be processed, and (d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

3. – (1) Paragraph 2(1)(b) does not apply where either of the primary conditions in sub-paragraph (2), together with such further conditions as may be prescribed by the Secretary of State by order, are met.
(2) The primary conditions referred to in sub-paragraph (1) are (a) that the provision of that information would involve disproportionate effort, or (b) that the recording of the information contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4. [….]”

6. Under section 55A(1) of the DPA the Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that –

(a) there has been a serious contravention of section 4(4) of the DPA by the data controller,
(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.

(3) This subsection applies if the data controller –
(a) knew or ought to have known –
(i) that there was a risk that the contravention would occur, and
(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
(b) failed to take reasonable steps to prevent the contravention.

7. The Commissioner has issued statutory guidance under section 55C(1) of the DPA about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000.

8. The DPA implements European legislation (Directive 95/46/EC) aimed at the protection of the individual’s fundamental right to the protection of personal data. The Commissioner approaches the data protection principles so as to give effect to the Directive.

Background to the case

9. Pharmacy2U is the UK's largest NHS approved online pharmacy. It is registered with the General Pharmaceutical Council and the Care Quality Commission.

10.
Pharmacy2U has a website (www.pharmacy2u.co.uk) through which it provides the following services:

(a) an electronic prescription service: NHS patients can register to have their NHS prescriptions sent to Pharmacy2U electronically and delivered to their home address;
(b) an online Doctor service, offering confidential online medical consultations with a UK registered GP; and
(c) online retail of over the counter medicines and health and beauty products.

11. In order to access Pharmacy2U’s services, individuals have to complete a registration form on its website. This requires users to provide their name, sex, date of birth, postal address, phone number and email address.

12. The form contains a pre-ticked box which users can untick if they do not wish to receive marketing emails from Pharmacy2U. In order to submit the form, users have to click a button marked “Continue”. Above the “Continue” button, under the heading “Terms and conditions”, is the following statement: “By clicking continue you agree to our terms and conditions.”

13. Paragraph 15 of the terms and conditions states: “Your privacy is important to us. Please see our privacy policy [link] for details of what information we collect and how we will use and protect it.”

14. The privacy policy included the following wording: “Occasionally we make details available to companies whose products or services we think may interest our customers. If you do not wish to receive such offers please login to your account and change the setting to indicate "No" for "Selected company data sharing".”

15. On 13 October 2014, Pharmacy2U entered into a list management agreement with a company called Alchemy Direct Media (UK) Ltd (“Alchemy”).

16.
Under this agreement, Alchemy agreed to provide various services to Pharmacy2U including: promotion of the specified Pharmacy2U database lists for list rental; vetting all database list rental requests and potential clients and submitting these to Pharmacy2U for approval; and billing and collecting monies from clients and remitting those monies to Pharmacy2U.

17. The agreement stated that Pharmacy2U was the data controller for the data, that Alchemy would seek prior approval from Pharmacy2U in relation to any promotional materials it wished to use to promote the data and that all potential clients had to be approved by Pharmacy2U.

18. The Pharmacy2U database lists were advertised for rental on the Alchemy website. The data card for Pharmacy2U states that the data includes 77,621 0-12 month “buyers” and 36,207 13-24 month “buyers”. It also states that buyers include NHS patients, Pharmacy2U online patients and Pharmacy2U retail customers. It lists typical ailments that are treated including asthma, high blood pressure, diabetes, heart disease, high cholesterol, Parkinson's disease, epilepsy, erectile dysfunction, hair loss, weight loss, travel health, skin conditions, pain, migraine, cold and flu and nicotine replacement for smoking cessation. It also includes an age breakdown which shows that 82% of the buyers are over the age of 40. The cost is listed as £130 per 1000 records.

19. In November and December 2014, Alchemy supplied a total of 21,500 Pharmacy2U customers’ names and addresses to three organisations: Griffin Media Solutions, an Australian lottery company (“the lottery company”) and Camphill Village Trust Ltd.

20. On 20 November 2014, Griffin Media Solutions ordered 13,000 records on behalf of its client Woods Supplements (10,000 records plus a 30% oversupply to allow for duplicates). The data related to customers who had used Pharmacy2U within the previous 12 months. The order was approved by a senior executive of Pharmacy2U.

21.
Woods Supplements is a trading name of Healthy Marketing Ltd, a Jersey-based mail order company. It sells health supplements to the general public via its website (www.woodshealth.com) and through mail order catalogues. Users of the website can search for an ailment (e.g. high blood pressure, high cholesterol, erectile dysfunction) and receive a list of recommended products. Some of the product descriptions highlight the side effects of the commonly prescribed drugs whilst stating that their products have fewer or no side effects.

22. In February 2015, the Advertising Standards Authority (“ASA”) issued an adjudication on Healthy Marketing Ltd in relation to breaches of the CAP Code, although this would not have been known to Pharmacy2U at the time the order was approved.

23. The breaches related to a press advert which was found to contain misleading advertising and unauthorised health claims.

24. On 9 December 2014, the lottery company ordered 3,000 records relating to males aged 70 or over who had used Pharmacy2U within the previous 6 months. The lottery company provided a copy of the proposed mailer and a corporate profile pack to Pharmacy2U which included a copy of their mail order lottery licence and a letter from the Northern Territory Government.

25. The mailer was headed “Declaration of Executive Order” and went on to say that the recipient had been “specially selected” to “win millions of dollars”. The mailer contained a form which recipients were asked to complete and return within seven days along with payment of an unspecified sum of money by cash, postal order, cheque or credit card. The form also requested date of birth, email address, telephone number and mobile number.

26. A senior executive of Pharmacy2U approved the order with the words “OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop this immediately”. The data was sent to Australia.

27.
The mailer has been examined by the UK’s National Trading Standards Scams Team, which has confirmed that if it was sent by a UK business it would be likely to breach the UK Consumer Protection from Unfair Trading Regulations.

28. The National Trading Standards Scams Team has also informed the Commissioner’s office that the lottery company is the subject of an ongoing international criminal investigation into fraud and money laundering, although this would not have been known to Pharmacy2U.

29. On 12 December 2014, Black Kite Media ordered 5,500 records on behalf of Camphill Village Trust Ltd, a UK registered charity that manages communities for people with disabilities. The data related to customers defined as “active donors” who had used Pharmacy2U within the previous 12 months. The data was used to send the customers a letter requesting donations. The order was approved by a senior executive of Pharmacy2U.

30. The Commissioner has made the above findings of fact on the balance of probabilities.

31. The Commissioner has considered whether those facts constitute a contravention of the DPA by Pharmacy2U and, if so, whether the conditions of section 55A DPA are satisfied.

The contravention

32. The Commissioner finds that Pharmacy2U contravened the following provisions of the DPA:

33. Pharmacy2U processed personal data unfairly and without having met a Schedule 2 condition for processing, in contravention of the first data protection principle at Part I of Schedule 1 to the DPA.

34. The Commissioner finds that the contravention was as follows:

35. Pharmacy2U obtained personal data unfairly because its online registration form and privacy policy did not inform its customers that it intended to sell their details to third party organisations, in addition to sending out its own marketing material.
It would not be within a customer’s reasonable expectation that this form of disclosure would occur, even if they were willing to agree to the receipt of marketing material from Pharmacy2U itself. If a customer wished to take up Pharmacy2U’s offer to opt out of “Selected company data sharing”, they also had to go to the trouble of logging into their account and changing the setting.

36. In addition, Pharmacy2U did not provide the further information that was necessary to enable the processing in respect of its customers to be fair.

37. In the circumstances, Pharmacy2U’s customers did not give their informed consent to the sale of their personal data to third party organisations. Therefore Pharmacy2U did not have a lawful basis for processing the data under Part I of Schedule 2 to the DPA.

38. The Commissioner is satisfied that Pharmacy2U was responsible for this contravention of the first data protection principle.

39. The Commissioner has gone on to consider whether the conditions under section 55A DPA were met.

Seriousness of the contravention

40. The Commissioner is satisfied that the contravention identified above was serious due to the context in which the personal data was unfairly processed, the number of individuals affected (21,500) and the purposes for which the data was used.

41. The Commissioner is therefore satisfied that condition (a) from section 55A(1) DPA is met.

Contraventions of a kind likely to cause substantial damage or substantial distress

42. The relevant features of the kind of contravention are:

43. The data sold via Alchemy consisted of names and addresses of NHS patients who had used the electronic prescription service, Pharmacy2U online patients and Pharmacy2U retail customers.

44.
It was advertised via a data card which included an age breakdown and a list of health conditions that customers were likely to suffer from, such as asthma, high blood pressure, diabetes, heart disease, high cholesterol, Parkinson's disease, epilepsy, erectile dysfunction and hair loss. The data provided to Alchemy did not specify which customer suffered from which condition, but selections were available based on age, sex and how recently the customer had used the service.

45. The data purchased by the three clients related to males aged 70 or over who had used Pharmacy2U within the previous 6 months and customers, some of whom were described as “active donors”, who had used Pharmacy2U within the previous 12 months. As some of the data related to customers who had used the repeat prescriptions service, the data would have included people with chronic health conditions such as those listed on the data card. This would have been more likely due to the selection of customers aged 70 or over and the targeting of recent customers.

46. The Commissioner considers that the contravention identified above had the following potential consequences:

47. The disclosure of personal data relating to customers of an online pharmacy is likely to cause distress to individuals who have a reasonable expectation of confidentiality.

48. Pharmacy2U advertises its service as “discreet and confidential”. Its website includes a section headed “embarrassing” which includes ailments such as erectile dysfunction, haemorrhoids and incontinence. It also sells contraceptives, pregnancy tests and tests for sexually transmitted diseases.

49. It is possible that some customers who received marketing material from Woods Supplements, after being prescribed medication by a doctor, may have stopped taking their prescribed medication and spent money on products that were subject to the ASA adjudication in relation to misleading advertising and unauthorised health claims.

50.
In the circumstances, the distress suffered by Pharmacy2U’s customers is considered to extend beyond mere irritation.

51. It is likely that some customers will also have suffered financially as a result of their data being disclosed to the lottery company. Some customers would have spent money on lottery tickets as a result of data being disclosed to an organisation that is under investigation into fraud and money laundering. It is known that at least one individual, although not necessarily a Pharmacy2U customer, spent as much as £16,000 on this lottery.

52. The lottery company appears to have deliberately targeted elderly and vulnerable individuals who would be more likely to fall victim to lottery scams.

53. The Commissioner considers that the damage and/or distress described above were likely to arise as a consequence of this kind of contravention. In other words, the Commissioner’s view is that there was a significant and weighty chance that a contravention of the kind described would have such consequences.

54. The Commissioner also considers that such damage and/or distress was likely to be substantial having regard to the context in which the personal data was unfairly obtained, the number of affected individuals and the purpose for which the data was used.

55. In the circumstances, the likely damage or distress was certainly more than trivial.

56. The Commissioner has also given weight to the number of affected individuals. The Commissioner considers that even if the damage or distress likely to have been suffered by each affected individual was less than substantial, the cumulative impact would clearly pass the threshold of “substantial”. In addition, given the number of affected individuals, it was inherently likely that at least a small proportion of those individuals would have been likely to suffer substantial damage or substantial distress on account of their particular circumstances.
For example, an individual might be extremely worried that a third party organisation could surmise that he was suffering from an embarrassing health condition.

57. The Commissioner is therefore satisfied that condition (b) from section 55A(1) DPA is met.

Deliberate or negligent contraventions

58. The Commissioner has considered whether the contravention identified above was deliberate. In the Commissioner’s view, this means that Pharmacy2U’s actions which constituted the contravention were deliberate actions (even if Pharmacy2U did not actually intend thereby to contravene the DPA).

59. The Commissioner considers that in this case Pharmacy2U did not deliberately contravene the DPA in that sense.

60. The Commissioner has gone on to consider whether the contravention identified above was negligent. First, he has considered whether Pharmacy2U knew or ought reasonably to have known that there was a risk that this contravention would occur. He is satisfied that this condition is met, given that Pharmacy2U ought to have known that its customers had a reasonable expectation of confidentiality when using an online pharmacy, especially as its own website describes the service as “discreet and confidential”.

61. Pharmacy2U is also registered with both the General Pharmaceutical Council and the Care Quality Commission. Pharmacy2U is run by qualified pharmacists and holds an NHS pharmacy contract.

62. Pharmacy2U submitted IG Toolkit self-assessments in 2009/10, 2010/11, 2011/12, 2013/14 and 2014/15. In the 2013/14 assessment, prior to entering into the contract with Alchemy, it achieved a score of 83%. One of the requirements of the IG Toolkit is that “Consent is appropriately sought before personal information is used in ways that do not directly contribute to the delivery of care services and objections to the disclosure of confidential personal information are appropriately respected”.

63.
The senior executive of Pharmacy2U must have known that there was a risk that people might object to the sale of data to the lottery company because, when he was asked to approve the order, he replied “OK but let’s use the less spammy creative please, and if we get any complaints I would like to stop this immediately”. However, he still approved the order.

64. In the circumstances, Pharmacy2U ought reasonably to have known that there was a risk that this contravention would occur.

65. Second, the Commissioner has considered whether Pharmacy2U knew or ought reasonably to have known that the contravention would be of a kind likely to cause substantial damage or substantial distress. He is satisfied that this condition is met, given the nature of Pharmacy2U’s business and the fact that it was used to holding a large amount of customer data. Therefore, it should have been obvious to Pharmacy2U that such a contravention would be of a kind likely to cause substantial damage or substantial distress to the affected individuals.

66. Third, the Commissioner has considered whether Pharmacy2U failed to take reasonable steps to prevent the contravention. Again, he is satisfied that this condition is met. Reasonable steps in these circumstances would have included displaying a fair processing notice in a prominent position on its website which provided its customers with a simple way to opt out of the sale of their personal data to third party organisations. Pharmacy2U failed to take any of those steps.

67. The Commissioner is therefore satisfied that condition (c) from section 55A(1) DPA is met.

The Commissioner’s decision to issue a monetary penalty

68. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A(1) DPA have been met in this case. He is also satisfied that section 55A(3A) and the procedural rights under section 55B have been complied with.

69.
The latter has included the issuing of a Notice of Intent dated 4 August 2015, in which the Commissioner set out his preliminary thinking. In reaching his final view, the Commissioner has taken into account the representations made in response to that Notice of Intent, as well as those made in other correspondence from Pharmacy2U.

70. The Commissioner is accordingly entitled to issue a monetary penalty in this case.

71. The Commissioner has considered whether, in the circumstances, he should exercise his discretion so as to issue a monetary penalty. He has taken into account Pharmacy2U’s representations made in response to the Notice of Intent and in other correspondence on this matter.

72. The Commissioner has also considered whether the contraventions identified above could be characterised as one-off events or attributable to mere human error. He does not consider that the contraventions could be characterised in those ways.

73. The Commissioner has decided that it is appropriate to issue a monetary penalty in this case, in light of the nature and seriousness of the contravention, Pharmacy2U’s shortcomings in terms of its DPA duties and the risks posed to a number of individuals. He has also considered the importance of monetary penalties in dissuading future contraventions of the DPA and encouraging compliance, in accordance with his policy.

74. For these reasons, the Commissioner has decided to issue a monetary penalty in this case.

The amount of the penalty

75. The Commissioner has taken into account the following mitigating features of this case:

• Pharmacy2U has now taken substantial remedial action.
• Pharmacy2U has co-operated with the Commissioner’s office.
• There will be a significant impact on Pharmacy2U’s reputation as a result of this contravention.
• This contravention was publicised in the media.

76.
The Commissioner has also taken into account the following aggravating features of this case:

• Pharmacy2U is a limited company so liability to pay a monetary penalty will not fall on any individual.

77. Taking into account all of the above, the Commissioner has decided that the appropriate amount of the penalty is £130,000 (One hundred and thirty thousand pounds).

Conclusion

78. The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 16 November 2015 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England.

79. If the Commissioner receives full payment of the monetary penalty by 13 November 2015 the Commissioner will reduce the monetary penalty by 20% to £104,000 (One hundred and four thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal.

80. There is a right of appeal to the First-tier Tribunal (Information Rights) against:

a) the imposition of the monetary penalty and/or;
b) the amount of the penalty specified in the monetary penalty notice.

81. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice.

82. Information about appeals is set out in Annex 1.

83. The Commissioner will not take action to enforce a monetary penalty unless:

• the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid;
• all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and
• the period for appealing against the monetary penalty and any variation of it has expired.

84. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court.
In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

Dated the 14th day of October 2015

Signed ………………………………………………..
David Smith
Deputy Information Commissioner
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ANNEX 1

SECTION 55 A-E OF THE DATA PROTECTION ACT 1998

RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER

1. Section 48 of the Data Protection Act 1998 gives any data controller upon whom a monetary penalty notice or variation notice has been served a right of appeal to the (First-tier Tribunal) General Regulatory Chamber (the ‘Tribunal’) against the notice.

2. If you decide to appeal and if the Tribunal considers:

a) that the notice against which the appeal is brought is not in accordance with the law; or
b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently,

the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal.

3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address:

GRC & GRP Tribunals
PO Box 9300
Arnhem House
31 Waterloo Way
Leicester
LE1 8DJ

a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule.

4.
The notice of appeal should state:

a) your name and address/name and address of your representative (if any);
b) an address where documents may be sent or delivered to you;
c) the name and address of the Information Commissioner;
d) details of the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time.

5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose.

6. The statutory provisions concerning appeals to the First-tier Tribunal (General Regulatory Chamber) are contained in sections 48 and 49 of, and Schedule 6 to, the Data Protection Act 1998, and the Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)).