An ‘opt-in’ generally refers to a tick box which, if filled in by the user, indicates positively that they would like to be contacted by a particular form of communication. Unless the user ticks the box then the organisation cannot use their details for the form of marketing listed. This is in contrast with an ‘opt-out’, where the default position is that the user will be contacted by that form of marketing, unless they tick the box to indicate that they would prefer not to be. The benefit to the business of opt-out over opt-in is that the default position for opt-out presumes the right to market, and requires no further action by the recipient. Average collection rates are therefore higher for opt-out, meaning more emails can be sent to more people.

So what can other pharmacy businesses learn from this episode?

Pharmacies routinely collect “sensitive personal data”, which is data that relates to the data subject’s health. Therefore, first and foremost you must abide by the DPA’s eight principles – namely, you must:

• Use the data fairly and lawfully
• Use it for limited, specifically stated purposes
• Use it in a way that is adequate, relevant and not excessive
• Ensure that it is accurate
• Keep it for no longer than is absolutely necessary
• Handle it according to people’s data protection rights
• Keep it safe and secure
• Not transfer it outside the European Economic Area without adequate protection.