An online pharmacy, which sold details of 21,500 customers to marketing companies, has recently been fined £130,000 by the Information Commissioner’s Office (ICO). Pharmacy2U Ltd offered customer names and addresses for sale through an online marketing list company. The company advertised more than 100,000 customer details for sale at a price of £130 per 1,000 records. Some of the companies that bought the information were of questionable repute.

At the outcome of its investigation into Pharmacy2U’s activities, the ICO found that Pharmacy2U had not informed its customers that it intended to sell their details, and that its customers had not given their consent for their personal data to be sold, both of which constituted a breach of the Data Protection Act 1998 (DPA). The company was found to have breached the first principle of the DPA regarding fair and lawful processing of data.