IPS Pharma Privacy Policy Still Dated “25 May 2018” – NPA Broken Legal Links Undermine Data Protection

IPS Pharma’s Privacy Policy Still Says May 2018 – And the NPA Links Loop to Home

By Kieron JH

In 2025, a specialist pharmacy still displaying a “Last updated: May 2018” privacy policy is not quirky nostalgia – it is a compliance red flag. Pair that with its trade body’s legal-policy links that bounce users back to the homepage, and the message is loud: data protection is treated like a joke. Patients deserve better than a punchline.

What we observed

IPS Pharma: The published Privacy Policy shows a last updated date of May 2018.
National Pharmacy Association (NPA): Legal and policy links intended for Privacy, Cookies, or Terms redirect users back to the NPA homepage instead of the actual documents.

If you are thinking “that cannot be right,” we thought the same. We checked, captured screenshots, and documented the behaviour. The result is not a UX hiccup – it is a transparency failure that makes exercising rights unnecessarily difficult.

Quick reality check: UK GDPR went live in 2018. Since then there have been multiple clarifications, enforcement actions, and post-Brexit UK GDPR divergence. A policy frozen at its launch year says “we have not kept up,” which is not the vibe you want from a healthcare provider.

The Website Designer Angle

IPS Pharma’s website was built by Incorporate Design, a commercial web design agency. If a client is still showing a privacy policy last updated in May 2018, the natural question is: has the design agency ever been asked to update it, or flagged that it was out of date?

Contacting Incorporate Design

To clarify this, we have contacted Incorporate Design directly. Our inquiry asked them to confirm:

Whether IPS Pharma have ever instructed them to update the Privacy Policy page since 2018.
Whether their service includes highlighting when client-facing compliance content is visibly outdated.
What measures they have in place, if any, to proactively verify that legal documents on client websites remain up to date.
Whether responsibility for this sits entirely with the client after handover, or if they provide ongoing checks.

Their response – or silence – will speak volumes. If Incorporate Design were never asked to make changes, that reflects directly on IPS Pharma’s governance priorities. If they were asked and it was not actioned, that raises serious questions about accountability at the development level. Either way, the outcome will be documented here in the public record.

Receipts

We maintain timestamped captures of the IPS Pharma privacy policy date (“May 2018”) and the NPA link behaviour (legal links -> homepage). If any of the organisations involved correct these issues, we will publish that and give credit where it is due. That is the point.

Compliance is not an aesthetic, it is a habit. If you cannot keep the policy page standing up, how steady is the rest of the stack?

Next steps

We have asked IPS Pharma to publish an updated privacy notice reflecting current UK GDPR obligations.
We have asked the NPA to correct policy links so members and the public can access the documents directly.
We will continue monitoring. When they fix it, we will say so – publicly.
We will also document Incorporate Design’s position once they respond to our inquiry.

If you have seen similar behaviour elsewhere, send details to [email protected].