For years, we’ve had credible reports of highly accurate marketing that could only be based on health records. Now reports in the media have revealed “a nice little trade” in your health records – and that’s the Information Commissioner’s description, not ours.
These latest reports reveal two ways in which information about your health may be collected and sold on: from insurance forms you fill in and, in particular instances, from information provided to “the UK’s largest online pharmacy”, Pharmacy2U.
Given the number of people who have contacted us over the past two years about this, it is clear that these are not isolated occurrences. Pharmacy2U may have admitted to selling details to a direct marketing agency on a number of occasions, but it is not the only one.
This trade in people’s personal health information is insidious, and makes it all the more essential that the Government legislates clearly and consistently on the ongoing “commercial re-use” of our medical records.
Senior politicians may say something must be done about these latest incidents, but promises to crack down on dodgy data brokers and those who supply them with data ring hollow while the official trade in NHS patients’ information persists. (We note the promised Regulations under the Care Act 2014 – which should clarify the overly-broad definition,“the promotion of health”, that continues to legitimise commercial re-use of your medical information – were not laid before Parliament was Dissolved for the election.)
medConfidential has submitted a formal complaint to the Information Commissioner on behalf of patients who have contacted us after having been sent direct marketing materials in relation to their specific medical condition, treatment or diagnosis. The Information Commissioner’s Office has already begun an investigation, as has the General Pharmaceutical Council. And, given what the chair of the Health Select Committee has said, we hope Parliament will look into this promptly when it returns.
Your rights; take action
Section 11 of the Data Protection Act provides you with the “right to prevent processing for purposes of direct marketing”. You can issue a notice in writing to a data controller at any time, requiring them to cease – or not begin – using your personal information for marketing.
UPDATE 27/4/15: Given their objection to the way we previously expressed things, we asked Pharmacy2U shareholder EMIS – which has been offering a joint service with Pharmacy2U since trials in 2001 – how a patient might determine, without wasting GP time, if their practice is amongst one of the hundreds that have been using Pharmacy2U to provide postal prescriptions for years. EMIS has replied saying that Pharmacy2U is now an option in all practices that use Electronic Prescription Service Release 2 (EPSR2), and that patients with concerns “should contact Pharmacy2U directly”.
Our advice remains as we state below. If you are unsure whether you’re affected, we hope to have more information in our newsletter due out this Friday.
You may not recall nominating Pharmacy2U at your GP at any point over the last 14 years, but if you do not receive a paper prescription and you have ever received your medicines from a warehouse in Leeds rather than your local pharmacy, then it is likely that you did – and you may wish to take action.
If you are a customer of Pharmacy2U, or if you are concerned that your details may have been sold or passed to third parties by them or any other online pharmacy – or by any company to which you have provided information relating your health – we have created a template Section 11 Notice for you to download, fill in, print and post to the relevant organisation.
For Pharmacy2U only, please add your details where indicated:
- Pharmacy2U Section 11 Notice – MS Word (.doc) version / Rich Text (.rtf) alternate
For other companies, including insurance companies, please fill in the relevant details where indicated:
- Generic Section 11 Notice – MS Word (.doc) version / Rich Text (.rtf) alternate
You will note that our Section 11 Notice letter ends with a request for information about disclosures of your information for purposes other than marketing. This is because you have a further right, under Section 10 of the Data Protection Act – the “right to prevent processing”, if such processing would cause you “unwarranted and substantial damage or distress”.
At this point it is not absolutely clear whether Pharmacy2U or other companies have disclosed your information for purposes other than marketing; the wording of various Terms and Conditions suggests that they might. Our template letter therefore requests that the company tells you with whom it has already shared your information, and for what reason.
By sending our Section 11 Notice letter first, you should be told exactly what the company has done with your information. You can then follow up with a Section 10 Notice [1] on the basis of what you find out. Were you to send a Section 10 Notice straight away, the company should comply with your wishes – but you might not find out what has already been done with your information.
We would hope that companies will come clean, and take the opportunity to reassure those whose details they haven’t sold that their information has been kept confidential. If for any reason a company refuses to provide this information, please let us know.
medConfidential believes people should always know who has had access to their health-related information, and what it has been used for. As we have said to the Information Commissioner, you simply cannot trust an organisation that buries your consent options and which isn’t completely up front about what it has done or will do with your most sensitive personal information.
—
1) For your convenience, here is a template Section 10 Notice for you to download, fill in, print and post to the relevant organisation. If you are concerned to know what has been done with your information, we recommend you send this only after receiving a response to your Section 11 Notice.
For Pharmacy2U, please add your details where indicated:
- Pharmacy2U Section 10 Notice – MS Word (.doc) version / Rich Text (.rtf) alternate
For other companies, including insurance companies, please fill in the relevant details where indicated:
- Generic Section 10 Notice – MS Word (.doc) version / Rich Text (.rtf) alternate
—
UPDATE 20/4/15: We were contacted late on Friday by Pharmacy2U’s PR representative, who stated Pharmacy2U “has not sold information relating to patients’ medical conditions. Names and postal addresses only were provided.”
The PR firm provided the following statement, which we publish in full:
“We want to reassure our customers that Pharmacy2U does not and has never sold information relating to patients’ medical conditions to anyone.
Between November 2014 and December 2014, we trialled a small-scale project with Alchemy Direct Media (UK) Ltd, a data handling company registered with the Information Commissioner’s Office (ICO).
This project involved us selling limited information – some customers’ names and postal addresses only – for use in selected marketing activity. No medical information, emails or telephone numbers were sold. In conducting this trial project, we acted in line with current data protection and ICO guidelines.
The sale of customer data for marketing purposes is a widespread practice within business and also government. However, in light of public concern about this issue we have decided not to continue with this trial and we can reassure our customers that Pharmacy2U will no longer share customer data for use in third party marketing. All data that was held by Alchemy Direct Media (UK) Ltd has been destroyed by them and is no longer available for use.
We have asked the Information Commissioner’s Office to work with us to review our privacy policy and have also contacted the General Pharmaceutical Council, our industry regulator, and the NHS, to discuss this matter. We await their follow-up report.”