Showing posts with label personal data marketplace. Show all posts
Showing posts with label personal data marketplace. Show all posts

Tuesday, October 20, 2015

UK’s largest online pharmacy fined £130,000 for selling patients’ data to scammers

MedConfidential, here.

ICO's "Monetary Penalty Notice" here.

"35. Pharmacy2U has obtained personal data unfairly because its online registration form and privacy policy did not inform its customers that it intended to sell their details to third party organisations, in addition to sending out its own marketing material. It would not be within a customer’s reasonable expectation that this form of disclosure would occur, even if they were willing to agree to the receipt of marketing material from Pharmacy2U itself. If a customer wished to take up Pharmacy2U’s offer to opt out of “Selected company data sharing”, they also had to go to the trouble of logging into their account and changing the setting.
36. In addition, Pharmacy2U did not provide the further information that was necessary to enable the processing in respect of its customers to be fair.
37. In the circumstances, Pharmacy2U’s customers did not give their informed consent to the sale of their personal data to third party organisations. Therefore Pharmacy2U did not have a lawful basis for processing the data under Part I of Schedule 2 to the DPA.
73. The Commissioner has decided that it is appropriate to issue a monetary penalty in this case, in light of the nature and seriousness of the contravention, Pharmacy2U’s shortcomings in terms of its DPA duties and the risks posed to a number of individuals. He has also considered the importance of monetary penalties in dissuading future contraventions of the DPA and encouraging compliance, in accordance with his policy."