ICO takes action against online pharmacy and the crown prosecution service for privacy breaches

November 10, 2015

In the United Kingdom the Information Commissioner has been busy of late, fining Pharmacy 2U £130,000 for selling details of its customers and the Crown Prosecution Service £200,000 for serious breaches of data security. While the Information Commissioner has had his critics over time, he is quite strong on dealing with data security breaches and has imposed swingeing penalties in the past, as he has on these occasions. The comparison with the Australian Privacy Commissioner’s tentative, anemic and weak approach to data breaches is stark.

Pharmacy 2U

The facts giving rise to the ICO issuing a Monetary Penalty Notice are set out in paragraphs 18 – 20 of the Notice, which provide:

The Pharmacy2U database lists were advertised for rental on the Alchemy website. The data card for Pharmacy2U states that the data includes 77,621 0-12 month “buyers” and 36,207 13-24 month “buyers”. It also states that buyers include NHS patients, Pharmacy2U online patients and Pharmacy2U retail customers. It lists typical ailments that are treated including asthma, high blood pressure, diabetes, heart disease, high cholesterol, Parkinson’s disease, epilepsy, erectile dysfunction, hair loss, weight loss, travel health, skin conditions, pain, migraine, cold and flu and nicotine replacement for smoking cessation. It also includes an age breakdown which shows that 82% of the buyers are over the age of 40. The cost is listed as £130 per 1000 records.

In November and December 2014, Alchemy supplied a total of 21,500 Pharmacy2U customers’ names and addresses to three organisations: Griffin Media Solutions, an Australian lottery company (“the lottery company”) and Camphill Village Trust Ltd.

On 20 November 2014, Griffin Media Solutions ordered 13,000 records on behalf of its client Woods Supplements (10,000 records plus a 30% oversupply to allow for duplicates). The data related to customers who had used Pharmacy2U within the previous 12 months. The order was approved by a senior executive of Pharmacy2U.

The contravention was described as:

Pharmacy2U has obtained personal data unfairly because its online registration form and privacy policy did not inform its customers that it intended to sell their details to third party organisations, in addition to sending out its own marketing material. It would not be within a customer’s reasonable expectation that this form of disclosure would occur, even if they were willing to agree to the receipt of marketing material from Pharmacy2U itself. If a customer wished to take up Pharmacy2U’s offer to opt out of “Selected company data sharing”, they also had to go to the trouble of logging into their account and changing the setting.

In addition, Pharmacy2U did not provide the further information that was necessary to enable the processing in respect of its customers to be fair.

The Notice found that the distress suffered by Pharmacy 2U customers extends beyond mere irritation [50] and that some customers were likely to suffer financially as a result of their data being disclosed to the lottery company [51]. The lottery company deliberately targeted elderly and vulnerable individuals [52].

The ICO media release, Online pharmacy fined for selling customer details, provides:

An online pharmacy that sold details of more than 20,000 customers to marketing companies has been fined £130,000.

Pharmacy 2U offered the customer names and addresses for sale through an online marketing list company. Companies that bought the details included a health supplements company that has been cautioned for misleading advertising and an Australian lottery company subject to investigation by Trading Standards.

The ICO investigation found that Pharmacy 2U had not informed its customers that it intended to sell their details, and that the customers had not given their consent for their personal data to be sold on. This was in breach of the Data Protection Act.

ICO Deputy Commissioner David Smith said:

“Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. Put simply, a reputable company has made a serious error of judgement, and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish.

“Once people’s personal information has been sold on once in this way, we often see it then gets sold on again and again. People are left wondering why so many companies are contacting them and how they come to be in receipt of their details.”

The incident was initially uncovered by a Daily Mail investigation.

More than 100,000 customer details were advertised for sale. The customer database was advertised as including people suffering from ailments such as asthma, Parkinson’s disease and erectile dysfunction. Breakdowns of customers, such as men over 70 years old, were available, and records were advertised for sale for £130 per 1000 records.

The civil monetary penalty is the first of its type, with the company found to have breached the first principle of the Data Protection Act regarding fair and lawful processing of data.

The ICO investigation found the lottery company that bought customer records appeared to have deliberately targeted elderly and vulnerable individuals, and it is likely that some customers will have suffered financially as a result of their details being passed on.

CPS

The ICO has fined the Crown Prosecution Service £200,000 in a Monetary Penalty Notice for a significant breach of the Data Protection Act. The facts are depressingly familiar: unencrypted sensitive personal information on a laptop, left in an insecure location, only to be picked up by a villain.

The key facts are set out at paragraphs 11 – 17:

In September 2002, the CPS agreed to a six month trial with the sole proprietor of in Manchester to edit videos of police interviews so that they could be used in criminal proceedings. This informal arrangement continued after the trial period.

To this end, the CPS delivered unencrypted DVDs containing the videos to xxxx using a national courier firm. If a case was urgent, the sole proprietor would collect the unencrypted DVD from the CPS personally and take it to premises using public transport.

In 2006, xxxx relocated to premises in a multi-occupied residential block which the sole proprietor used as a studio to edit the videos. He did not live there. The block had a simplex lock on the main communal entry door, the CCTV cameras installed in the stairwells did not work and the studio was not alarmed.

On 11 September 2014, three laptops were stolen from xxxx when an opportunistic burglar gained entry to the studio. The sole proprietor had used two of the laptop computers for editing the videos and then left them out on a desk.

The laptops held videos of police interviews with 43 victims and witnesses involved in 31 cases, nearly all of which were ongoing and of a violent or sexual nature. However, some of the interviews related to historical allegations against a high profile individual.

The victims and witnesses could be seen talking openly in the videos and referring to the names of the offenders, including the high profile individual. Fortunately, the names and addresses of the victims and witnesses had been edited by the sole proprietor on the instruction of the CPS.

The laptops belonged to the sole proprietor and were password protected but not encrypted. The police recovered the laptops eight days after the burglary and apprehended the burglar. The laptops have not been accessed by unauthorised third parties as far as the Commissioner is aware.

The ICO found that the CPS failed to comply with its data security obligations, stating at [21]:

The CPS failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data in contravention of the Seventh Data Protection Principle at Part I of Schedule 1 to the DPA

and set out the specific contraventions as being:

  • The unencrypted DVDs containing the videos were delivered to xxxx using a national courier firm. The sole proprietor used public transport to take the DVDs to premises if a case was urgent;
  • The CPS was not aware of any security risks posed by editing videos of police interviews at xxxx premises either in 2002 or 2006;
  • The CPS had no guarantee that the sole proprietor would store the unencrypted DVDs in a lockable cabinet and return or securely destroy the DVDs at the end of the case;
  • The CPS failed to monitor the sole proprietor in relation to any security measures taken by him; and
  • The CPS did not have a DPA compliant contract with the sole proprietor in relation to the processing.

The above measures are quite standard processes for complying with proper data security standards. The responsibility was the CPS’s alone. It is a common first step to blame the contractor for the lax standards which led to the data breach. But it is for the principal, in this case the CPS, to ensure the contractor has adequate security before providing it with the personal information. Or to use another contractor.

The ICO highlighted the failure to encrypt the laptops which held the videos of police interviews with victims and witnesses [30], a failure likely to cause distress given that the data contained confidential and highly confidential personal information. The ICO found that the CPS failed to take reasonable steps to prevent the contravention [45].

There were a number of mitigating factors which meant the breach was merely bad, rather than disastrous, set out at [54]:

  • Voluntarily reported to the ICO
  • The laptops were password protected
  • The laptops were recovered after eight days
  • The data on the laptops has not been accessed by an unauthorised third party as far as the Commissioner is aware
  • The CPS notified the affected individuals
  • The CPS has been fully co-operative with the ICO
  • The CPS has now taken substantial remedial action
  • As far as the Commissioner is aware there have been no other similar security breaches
  • There will be a significant impact on the CPS’s reputation as a result of this security breach.

The ICO media release, CPS fined £200,000 for failing to keep recorded police interviews with victims and witnesses secure, states:

The Crown Prosecution Service has been fined £200,000 by the ICO after laptops containing videos of police interviews were stolen from a private film studio.

The interviews were with 43 victims and witnesses. They involved 31 investigations, nearly all of which were ongoing and of a violent or sexual nature.

Some of the interviews related to historical allegations against a high-profile individual.

The videos were being edited by a Manchester-based film company so that they could be used in criminal proceedings.

But an ICO investigation found the videos were not being kept secure.

The film company used a residential flat as a studio. The studio was burgled on 11 September 2014 and two laptops containing the videos were stolen. The laptops, which were left on a desk, were password protected but not encrypted and the studio had no alarm and insufficient security.

The police recovered the laptops eight days later and apprehended the burglar. As far as the Commissioner is aware, the laptops had not been accessed by anyone else.

The ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe and did not take into account the substantial distress that would be caused if the videos were lost.

Head of Enforcement Stephen Eckersley, said:

“Handling videos of police interviews containing highly sensitive personal data is central to what the CPS does. The CPS was aware of the graphic and distressing nature of the personal data contained in the videos, but was complacent in protecting that information.

“The consequences of failing to keep that data safe should have been obvious to them.”

Many of the victims were vulnerable and had already endured distressing interviews with police. In the videos, they talked openly and referred to the names of the offenders.

Mr Eckersley said:

“If this information had been misused or disclosed to others then the consequences could have resulted in acts of reprisal.”

The CPS reported the incident to the ICO and informed the victims and witnesses involved. The ICO received complaints from three affected people.

As part of its investigation, the ICO learned that the CPS had been using the same film company since 2002.

The CPS delivered unencrypted DVDs to the studios using a national courier firm. If the case was urgent, the sole proprietor would collect the unencrypted DVD from the CPS personally and take it to the studio using public transport.

The ICO found that this constituted an ongoing contravention of the Data Protection Act until the CPS took remedial action following the security breach on 11 September 2014.
