The Information Commissioner’s Office Issues a Monetary Penalty Notice for Breach of the First Data Protection Principle
Introduction
In October 2015, the Information Commissioner’s Office (the “ICO”) issued a monetary penalty notice to an online pharmacy called Pharmacy 2U in respect of the sale of customer details through a marketing company. The penalty of £130,000 was the first to be issued for the breach of the first data protection principle relating to the fair and lawful processing of personal data. The monetary penalty notice provides good guidance on the circumstances in which data processing will be deemed fair, and the circumstances in which monetary penalties will be imposed.
Background
The Data Protection Act 1998 (the “Act”), Schedule 1, Part 1, sets out eight data protection principles which provide the framework under which personal data is processed. The first data protection principle requires that personal data be processed fairly and lawfully. Schedule 2 of the Act sets out the conditions under which data may be processed, which are relevant to the first data protection principle and include the data subject having given consent to the processing.
The Act does not define what is “fair” processing for the purpose of the first data protection principle. However, Schedule 1, Part 2 of the Act includes helpful interpretation guidance. In the context of determining whether personal data are processed fairly, Part 2 of Schedule 1 states that the data controller should consider the method by which the personal data was obtained and whether any data subject was deceived or misled as to the purpose for which the personal data will be processed. In addition, the legislation states that, for the processing to be fair, the data subject must be provided with certain information, including who controls the data, whether they have any representatives and the purposes for which the data is to be processed.
The ICO acts as regulator for the purposes of the Act. In this capacity, the ICO has a range of powers at its disposal which can be used to ensure compliance. This includes the power to impose monetary penalties under section 55(1) of the Act. Monetary penalty notices can be issued where the ICO is satisfied that there has been a “serious contravention” of the data protection principles, and that the contravention is of a kind “likely to cause substantial damage or substantial distress.”
Facts
In order to access Pharmacy 2U’s services, prospective customers were required to complete an online registration form. The form requested the customer’s name, sex, date of birth, telephone number, postal address and email address. The form included a pre-ticked box and allowed the customer to untick the box if they did not wish to receive Pharmacy 2U marketing emails. By clicking “continue” on the form, customers agreed to Pharmacy 2U’s terms and conditions.
The terms and conditions contained a link to Pharmacy 2U’s privacy policy which contained the following wording:
“Occasionally we make details available to companies whose products or services we think may interest our customers. If you do not wish to receive such offers please login to your account and change the setting to indicate ‘No’ for ‘Selected company data sharing’.”
In 2014, Pharmacy 2U sold the personal data of 21,500 customers to a health supplement company, a lottery company and a charity through an online marketing company. The data included customer health issues and an age breakdown.
Decision
Fairness
The ICO found that Pharmacy 2U had breached the first data protection principle. It found that Pharmacy 2U had obtained the data unfairly. This was because the online registration form did not inform customers that Pharmacy 2U intended to sell their details. It would not be within a customer’s reasonable expectation that their data would be used in this way, even though they were willing to receive marketing information from Pharmacy 2U.
In particular, the ICO pointed to the fact that, in order to opt out of the data sharing, a customer would have to sign into their account, and Pharmacy 2U did not provide customers with the further information needed to make the processing fair. Therefore, the customers did not give informed consent to the sale of their data and Pharmacy 2U had no legal basis for processing the data.
Monetary Penalty Notice
The ICO was satisfied that a monetary penalty notice should be issued to Pharmacy 2U. The breach was deemed sufficiently serious owing to the number of customers who were affected (21,500).
The ICO was also satisfied that the breach was of a kind likely to cause substantial damage or substantial distress. This was due to the nature of the data which had been sold. Pharmacy 2U operated as a pharmacy, offered a “discreet and confidential” service and dealt with sensitive and chronic illnesses. In addition, the nature of the companies to which the data was supplied increased the likelihood of distress. This distress would go beyond mere irritation, as customers would be targeted on the basis of their health status and age group, which could have adverse health and financial effects.
In the opinion of the ICO, Pharmacy 2U did not deliberately breach the Act, but its actions in selling the data were deliberate. The ICO went on to find that Pharmacy 2U had been negligent, holding that it ought to have known customers would expect confidentiality, particularly from a pharmacy. Similarly, Pharmacy 2U ought to have known that a breach would cause substantial damage or distress. Finally, since Pharmacy 2U had not taken steps to give its customers notice that their data would be sold, it was held that reasonable steps had not been taken to prevent the breach.
Considering the cumulative effect of the breach and the surrounding circumstances, a monetary penalty notice of £130,000 was issued to Pharmacy 2U.
Comment
This decision by the ICO illustrates the importance of clear notices being used in online registration forms. The notice should outline what the data will be used for and by whom. There should also be a straightforward mechanism for data subjects to give and withdraw their consent.
The decision demonstrates that organisations should carefully consider with whom they share personal data and what effects sharing the data is likely to have on their data subjects. In the Pharmacy 2U decision, it appears that the potential risks were ignored.
It is notable that recent case law suggests that a breach of the Act which causes distress need not be accompanied by financial loss in order to found a claim for damages; organisations therefore face an increased risk of both monetary penalty notices and damages claims. It is therefore best practice to review policies in line with ICO guidance and to take expert advice before processing personal data.
Co-authored by Kevin McDade.