It's a bit of a struggle
To work out how it couldn't be deliberate as it was being sold, not ineptly exposed...
Invoices are particularly fine indicators of 'pretty bloody deliberate' IMHO. I've never 'accidentally' issued one, for sure.
Online pharmacy Pharmacy 2U has been slapped with a £130,000 fine by the Information Commissioner's Office for flogging customers to a marketing company without their consent. The ICO said Pharmacy 2U offered the customer names and addresses for sale through an online marketing list company. The ICO investigation found that …
This post has been deleted by its author
“This is a regrettable incident for which we sincerely apologise," said Daniel Lee, managing director, Pharmacy2U, in a statement. "While we are grateful that the ICO recognise that our breach was not deliberate, we appreciate this was a serious matter.
"As soon as the issue was brought to our attention, we stopped the trial selling of customer data and made sure that the information that had been passed on was securely destroyed," he added. "We have also confirmed that we will no longer sell customer data."
A regrettable incident ? Oh, getting caught you mean, of course. Yes, quite unfortunate.
The ICO recognise that the breach was not deliberate ? How nice of your pal over there. So, golf still on next Sunday ?
You stopped the trial selling of customer data ? You mean, there was a trial ? That had specifically been set up to sell customer data ? And you can say with a straight face that it wasn't deliberate ?
Somebody call the press, we've found the next PM.
ben goldacre @bengoldacre
"So: the bloke who makes the GP software that stores your NHS patient records also just flogged NHS data to scammers."
" EMIS (GP computer system) CEO is director of t'dodgy pharmacy that sold thousands of NHS patients data to fraudsters http://flnx.co/Iovnx "
I highly recommend the book Bad Pharma by Ben Goldacre:
http://www.badscience.net/books/bad-pharma/ which links to:
https://www.waterstones.com/book/bad-pharma/ben-goldacre/9780007498086
I have not connection to him other than to have read a couple of his books.
And don't forget Bad Science.
Should be on the mandatory reading list in all schools, and proof of having read it a requisite for all local and national government jobs, including councillors, MPs and MEPs
Might get a small bit of sense into the world if it was.
"..as recommended by the NHS."
A £130,000 fine? No. I don't think so.
Removal from NHS England pharmaceutical lists for a few months (so that they can't legally dispense NHS prescription drugs) till they have demonstrated that they have the procedures in place to ensure that this never, ever happens again?
Yes. Oh very much yes.
And they wonder why we worry about Care.data...
Removal from NHS England pharmaceutical lists for a few months
Sadly not within the remit of the ICO. However, it would be within the remit of the General Pharmceutical Council who routinely suspend pharmscists registration for misconduct, and a quick gander at the GPC's standards of conduct suggest that this shower could be held to be in breach of clauses 2.2, 3.5, 3.7, 6.5 and 6.6.
It seems a bit much to hope that the GPC will see this and be proactive, but any affected customers might care to report them.
He didnt get consent, he deliberately sold data without the consent, the ICO has fined him but it was an "oversight" on his part and when he got caught he had to stop?
This is why the ICO needs to be given powers to imprison people like this cockwomble.
As for any NHS contracts they should go immediately, selling sensitive personal information of people with medical conditions is the worst kind of breach.
To be fair there was bugger all they could do about Phorm as they didn't have the powers to act then in the way they can now.
I'm all for kicking my former employer when necessary but it's a bit harsh to criticise them for something they couldnt do.
Oh and as for jail sentances the possibility is there in the revised legislation, it just needs 'Call me Dave' and his bunch of cronies to sign it off. Something they and their predecessors have been consciensciously avoiding for the last few yrs.
"As soon as the issue was brought to our attention, we stopped the trial selling of customer data "
can be translated as:
a) Once we realised the game was up....
b) Once someone told us something we ought to already have known was wrong....
c) Back pedal! Back pedal!
d) all of the above
... it's all very disturbing. The "not deliberate" is as in the company did not deliberately set out with the express purpose of breaching the DPA. The ICO found that they were negligent in that particular sense but the sale was deliberate and they knew they were selling to spammers.
So... not idiots, just scum.
The "not deliberate" is as in the company did not deliberately set out with the express purpose of breaching the DPA.
Well, that is just about the weakest excuse ever. I didn't actually set out to kill this man by shooting him, I was just making a hole in his head, m'lurd. That he died was nothing but an unfortunate side effect..
"If the Commissioner receives full payment of the monetary penalty by 13 November 2015 the Commissioner will reduce the monetary penalty by 20% to £104,000
However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal."
https://ico.org.uk/media/action-weve-taken/mpns/1433030/pharmacy2u-ltd-monetary-penalty-notice.pdf
Why do they need to give an early payment discount? Doesn't the ICO have enough for Christmas shopping?
I work in the sector .. P2U has had ALOT of money sunk into it waiting for the advent of electronic prescriptions which they were the original prime mover on - pitching to the blair gov in the early noughties. They are still bleeding money 15yrs on and am sure there is pressure from EMIS and EMIS shareholders who are also P2U shareholders to make some damn money finally. The ICO needs to look the relationship with P2U and EMIS I would be more worried about the fact the EMIS own over 1/5th of the stock, have board seat and that one of the big shareholders in EMIS is also a P2U investor. EMIS provide the patient record software to 54% of all english GPs.
For the last year they have been leafleting patients of every GP in England after the surgery converts to electronic prescriptions. Magically, patients registered to EMIS surgeries get these leaflets weeks before patients registered to non EMIS surgeries do .. both EMIS and P2U have denied anything improper ... hmm, cough, splutter, bulls**t.
Are this lot anything to do with Chemist Direct?
They clearly have a data leakage problem. I'm one of those boring people that uses specific email addresses for different organisations. The one I used with ChemistDirect has apparently been made available outside ChemistDirect and now gets spammed. None of my others appear to have leaked. Emails to them on this subject are not acknowledged and the phone sales team say "send an email".
Avoid. And spread the word.
It seems that the fines for privacy violations or financial wrongdoing are usally so small relative to the amount earnt for the crime that they are just a cost of business, and not an effective deterent.
According to ICO "records were advertised for sale for £130 per 1000 records.", so unless there were a million sales (say, each of the 100,000 customers advertised 10 times each), the fine is big enough that the crime wasn't financially worth it. That's refreshing.