Pharmacy2U caught and fined £130,000 for selling patient information without consent

We all get advertising calls. Our phone numbers are constantly being sold off to marketing agencies, leading to those persistent calls asking about our accidents and PPI claims which don’t seem to stop, even when we follow the prompt to “press 9 to opt out”. They tend to remain in the part of our lives marked annoyance, rather than being seen as anything more malign; most of these companies don’t even know the names of the people they are calling, only their numbers. However, recent developments suggest that the line may be getting blurred.

On 20 October, the Information Commissioner’s Office concluded an investigation into Pharmacy2U, an NHS-approved prescription-delivery service that has now been fined £130,000 after it was found to have been selling patient details to advertising agencies. The incident was originally uncovered by a Daily Mail investigation. Pharmacy2U is registered with both the General Pharmaceutical Council and the Care Quality Commission. The company delivers repeat prescriptions to patients who might be unable to collect the drugs in person.

Pharmacy2U are not currently being subjected to punitive measures for their breach of patient information to marketing agencies. Source: MORE 4ME

On their databases, by necessity, they hold a lot of private information about the patients they supply, including names, ages, genders, home addresses, contact details and (here is the part where you should feel a chill crawling up your spine) their prescriptions, from which one could reasonably infer what maladies they are suffering from. I should make it clear that I have found no reason to believe that specific medical details were given out as part of these information packages to the marketing agencies. However, according to the ICO report, likely conditions were advertised, and ‘selections were available based on age, sex and how recently the customer had used the service.’

In the United Kingdom, there are laws against the marketing of the public’s private information without their consent. The Data Protection Act 1998, together with the Privacy and Electronic Communications Regulations 2003, require that before a company sells information about one of its users, customers or clients, it must first have their consent. The 2003 regulations made positive consent a requirement online, which in practice translates to an oft-overlooked tick box by which you sign over to the company the ability to share your details with their “carefully selected marketing agencies”.

Bear in mind that one of Pharmacy2U’s carefully selected marketing agencies (Health Marketing Ltd.) was under investigation by the Advertising Standards Agency for printing misleading information about glucosamine supplements. The ICO have noted that, because no information about this investigation was publicly available at the time, Pharmacy2U were most likely unaware of this particular agency’s disrepute.

This does not excuse them, not by an absolute mile. Despite their protests otherwise, the act of a trusted and reputable company selling patient information to any kind of marketing company, especially when many of the patients, given their age, may not have been internet-literate enough to notice those infernal tick boxes, is abhorrent and highly cynical.

An apology and a £130,000 fine seem like water balloons against a well-armoured tank. Patient details were sold in lots of 1,000 for £130 apiece (13p per data set). Around 21,500 patients’ details were sold, although 100,000 data sets were advertised. The fine appears to be in direct proportion to the total revenue that could have been made from the sale of this data. Surely, then, this is not a fair sentence?

The BMA are unhappy with the current measures being taken against Pharmacy2U by the ICO. Source: Wikipedia

If a thief were to steal a locket of immense emotional importance to its rightful owner, the public would be outraged if, when the thief was caught, he were asked only to return the item and have done with it. The details released were as valuable to Pharmacy2U’s clients as the jewellery was to the hypothetical victim above: they constituted a significant part of their identities, leaving them open to targeted appeals made using potentially very sensitive information.

The BMA have made a statement much to this effect. They note that the report raises ‘serious concerns’ about Pharmacy2U’s ability to handle data in a proper and secure manner. They go on to say:

 Although the BMA welcomes the information from the ICO investigation, we are pushing for custodial penalties for those who wilfully or recklessly abuse personal data. In our view, the current financial penalties do not offer enough of a deterrent.

Source: BMA

The EMIS Group, a minority shareholder in Pharmacy2U, have made it clear that they were unaware of the company’s activities. They also confirm that Pharmacy2U is ‘no longer [selling] customer data and moving to a proactive consent model for its own marketing’, that it did not contravene the DPA deliberately, and that it was not properly informed at the time of its decision that some of the marketing companies may have been ‘involved in fraudulent activity’.

Corrections: I have been informed by Pharmacy2U’s PR representatives that the number quoted for data leaks was wrong; it is in fact 21,500 data sets that were released, not 100,000. I originally misread this figure from the BBC News website, although I did not check more closely, as it referred to the total amount of data advertised.

I would also like to make it clear that EMIS Group is a minority shareholder in Pharmacy2U; Pharmacy2U is not a subsidiary of EMIS.

Additions: In reviewing the ICO’s report after receiving this information, I have also found that the data card used to advertise the data ‘included an age breakdown and a list of health conditions that customers were likely to suffer from’, which, while not specifying which customer had which condition, was advertised alongside such information as ‘age, sex and how recently the customer had used the service’. This is an important point, as I had previously been unaware that any medical information at all was presented during the sales.