Data is becoming an increasingly sensitive and important issue for businesses and if you get it wrong there can be serious financial and reputation costs. The hacking of Talk Talk’s website shows the importance of treating your customers’ personal information with respect and giving consideration as to how best it can be protected.
Another recent case in this area is that of Pharmacy2U which was fined £130,000 by the Information Commissioner for selling customers’ details to third parties without their consent in breach of the Data Protection Act. Pharmacy2U is the largest NHS approved online pharmacy and like many businesses collects personal data through its customer registration process. It engaged a marketing company to advertise more than 100,000 customers’ details for sale and the details of more than 20,000 customers were subsequently passed to third parties in return for payment.
The case was decided on the basis that Pharmacy2U had not processed data fairly because its online registration form and privacy policy did not highlight to customers that they would be selling their details. There was an opt-out procedure but it was hidden away in the settings and not readily accessible. The Information Commissioner also gave weight to the nature of the website and the expectation that confidential data relating to patient health would not be shared as disclosure of this sensitive information was likely to cause distress. In certain sectors where client confidentiality is fundamental to the relationship (i.e. health services, legal services, accountancy services etc) then businesses should probably not sell on customers’ details at all.
It is important that businesses review their terms and conditions in light of this case where they routinely pass customer details to third parties for the purposes of direct marketing. Businesses must ensure they provide clear information, in a prominent place, to customers as to how their data will be used and who it will be shared with; it is not enough to simply rely on small print which is hidden away. It is also worth noting that where a breach of the Data Protection Act occurs then anyone who is affected has a right of compensation for any distress caused (without the need to show any actual financial loss). As such, the combination of a hefty fine from the Information Commissioner and individual compensation cases brought by thousands of customers could be very expensive and time consuming for any business.
If you have any queries in respect of data protection and commercial contracts then please contact Angus McGuire or Alan Stalker on 01383 721 621.
