IPS Pharma: 7+ year old privacy policy DEEP DIVE

IPS Pharma’s Privacy Policy Is Stuck in 2018 — Here’s the Evidence

By Kieron JH • Published 1 Sep 2025

IPS Pharma’s published privacy notice still reads like a GDPR launch-day template. In 2025, that’s not quaint — it’s a liability. Below we break the notice down section by section and show why it fails modern standards, especially given the sensitive health and payment data IPS now handles through its pharmacy portal.

Key point: IPS processes special category data (health) and financial information. That triggers the highest bar for lawful basis, safeguards, retention clarity, and transparency. The current notice does not meet that bar.

Snapshot of the problems

  • Frozen in time: still says “law will change on 25 May 2018” and admits systems were not yet ready.
  • Cookies: relies on implied consent, no valid opt-in, outdated cookie lists.
  • Health data: no Article 9 lawful basis, no DPIA reference, no safeguard detail.
  • International transfers: claims no transfers outside the EEA while using Google Analytics.
  • Retention: vague “available on request” policy, not published timeframes.
  • Accountability: unclear controller vs processor roles across NHS, pharmacies, partners.
  • Patient rights: soft language (“we try to respond”) instead of firm commitments.

Section-by-section teardown

“Law will change on 25 May 2018” (Section 5)

What IPS says: warns GDPR was coming in 2018 and systems may not be ready until June that year.

Why it’s a problem: It’s 2025. Keeping launch-day filler live for seven years signals zero substantive review. GDPR has been settled law for years. This undermines confidence in every section that follows.

Fix: Refresh policy, add a 2025 “last reviewed” date and change log.

Cookies and tracking (Section 23)

What IPS says: “By using our website, you consent…” and lists AddThis/Google cookies.

Why it’s a problem: ICO guidance requires prior opt-in for non-essential cookies. “By using” disclaimers are unlawful. The cookie list itself is dated and references legacy trackers.

Fix: Implement a real consent banner, update the cookie inventory, stop dropping trackers before choice.
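The opt-in requirement in that fix is easy to state and easy to get wrong in code: a non-essential tracker must not run until an affirmative choice has been recorded, "continuing to browse" must never be treated as that choice, and a consent record saved under an older version of the notice must not be reused once the notice changes. The block below is an added example written for this article, not IPS Pharma's code or anything taken from their site. The consent manager, the `cookie_consent` storage key, the category names and the `CONSENT_VERSION` string are assumptions for illustration, and an in-memory Map stands in for a browser cookie so the example runs offline.

```javascript
// Added example, not IPS Pharma's code. A minimal consent gate for
// non-essential cookies and trackers. Storage key, categories and the
// notice version below are assumptions made for this illustration.

const CONSENT_VERSION = "2025-09"; // assumed version of the cookie notice
const STORAGE_KEY = "cookie_consent";

// Categories that require prior opt-in. Anything else is treated as essential.
const NON_ESSENTIAL = new Set(["analytics", "marketing"]);

function createConsentManager(options = {}) {
  // In a browser this would be a first-party cookie or localStorage;
  // a Map is used here so the example runs without a DOM.
  const storage = options.storage || new Map();
  const now = options.now || (() => new Date().toISOString());
  const pending = []; // registered loaders: { category, fn, done }

  function readRecord() {
    const raw = storage.get(STORAGE_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    // A record saved under an earlier notice version is stale: re-ask.
    if (rec.version !== CONSENT_VERSION) return null;
    return rec;
  }

  function hasConsent(category) {
    if (!NON_ESSENTIAL.has(category)) return true; // essential: no consent needed
    const rec = readRecord();
    return Boolean(rec && rec.granted.includes(category));
  }

  // Run every registered loader whose category now has consent, once each.
  function runEligible() {
    for (const entry of pending) {
      if (!entry.done && hasConsent(entry.category)) {
        entry.done = true;
        entry.fn();
      }
    }
  }

  // Register a tracker loader. It fires only when its category is permitted,
  // so a page that calls register() at load time drops nothing pre-consent.
  function register(category, fn) {
    pending.push({ category, fn, done: false });
    runEligible();
  }

  // Record an explicit choice from the banner. Only an affirmative click
  // reaches this function; scrolling or continued browsing never does.
  function recordChoice(grantedCategories) {
    const granted = grantedCategories.filter((c) => NON_ESSENTIAL.has(c));
    storage.set(STORAGE_KEY, JSON.stringify({
      version: CONSENT_VERSION,
      timestamp: now(),
      granted,
    }));
    runEligible();
    return granted;
  }

  // Withdrawal removes the record; clearing cookies already set by loaded
  // trackers is the integrator's job and is outside this example.
  function withdraw() {
    storage.delete(STORAGE_KEY);
  }

  return { hasConsent, register, recordChoice, withdraw };
}

// Constructed walk-through: a visitor lands, three loaders are registered,
// then the visitor opts in to analytics only.
function demo() {
  const events = [];
  const cm = createConsentManager({ now: () => "2025-09-01T00:00:00Z" });
  cm.register("essential", () => events.push("session-cookie"));
  cm.register("analytics", () => events.push("analytics-tag"));
  cm.register("marketing", () => events.push("marketing-pixel"));
  const beforeChoice = events.slice(); // only the essential loader has run
  cm.recordChoice(["analytics"]);      // explicit opt-in to analytics only
  return {
    beforeChoice,
    afterChoice: events.slice(),
    analytics: cm.hasConsent("analytics"),
    marketing: cm.hasConsent("marketing"),
  };
}
```

The check that matters for an audit is the `beforeChoice` list: with the gate in place it contains only the essential loader, which is exactly what a "by using our website, you consent" notice cannot guarantee. Bumping `CONSENT_VERSION` whenever the cookie inventory changes forces the banner to reappear instead of silently inheriting an old choice.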

Special category data (health) (6.4–6.7)

What IPS says: processes health data from pharmacies/NHS and promises not to use prescriptions for marketing, while hinting at “services we provide.”

Why it’s a problem: No explicit Article 9 lawful basis (e.g. health care provision). Suggesting “services” could mean indirect marketing from prescription data — a serious red flag. No safeguards, DPIAs, or staff access controls are explained.

Fix: State Article 6 and Article 9 bases clearly, ban any marketing use of health data, publish DPIA references and security safeguards.

International transfers

What IPS says: “We do not transfer outside the EEA.”

Why it’s a problem: UK GDPR applies post-Brexit. Google Analytics sends data to the US. If they use overseas processors, they must cite SCCs/IDTA and risk assessments. The current policy contradicts itself.

Fix: Name transfer tools, list vendors, and summarise transfer impact assessments.

Retention

What IPS says: retention periods available “on request.”

Why it’s a problem: Patients deserve clear retention schedules, especially for prescription data. Hiding them behind ad-hoc requests undermines transparency.

Fix: Publish schedules directly in the policy.

Data subject rights

What IPS says: lists rights but only “tries” to respond in one month.

Why it’s a problem: The law requires one month, not “try.” No clarity on identity checks, access scope, or complaints escalation.

Fix: Commit to one-month responses, explain process plainly, and provide dedicated contact details.

Controller and partners

What IPS says: mentions IPS Group companies, NHS bodies, and partners vaguely.

Why it’s a problem: Patients can’t tell when IPS acts as controller vs processor. This matters in regulated medicine supply chains.

Fix: Publish a role map: who is controller, who is processor, who is accountable at each stage.

Patient portal: even bigger gaps

IPS has since launched a patient portal allowing users to enter medical history, family history, social history, allergies, address details, payment details, and upload records. None of these processing activities are transparently covered in the 2018 policy.

This portal collects high-risk health and financial data. Yet IPS’s notice gives no Article 9 basis, no retention timelines, no details of payment processors, and no safeguards against profiling. ICO would expect a Data Protection Impact Assessment. The published policy makes no reference to one.

Real-world conduct: a misdirected payment link

Beyond policy gaps, conduct matters. Our founder received a payment link for several hundred pounds worth of cannabis intended for another patient. IPS were notified. Their response did not reflect the seriousness of a misdirected prescription-linked payment. The original communication is retained securely and will be provided to regulators if required.

Note: No patient identifiers are disclosed here. Evidence is retained for regulatory review.

What good looks like

Modern notice

  • Dated and reviewed in 2025.
  • Plain-English summary.
  • Named DPO/contact route.

Lawful bases

  • Article 6 for all processing.
  • Article 9(2) for health data.
  • DPIAs referenced.

Cookies

  • True opt-in banner.
  • Live cookie inventory.
  • No tracking pre-consent.

Transfers & retention

  • SCCs/IDTA listed.
  • Retention periods published.
  • Clear deletion policy.

Right of reply

IPS Pharma is invited to provide a public statement of 150–250 words covering:

  • When the privacy notice was last substantively reviewed;
  • Your lawful bases for health and payment data in the portal;
  • Your cookie consent mechanism;
  • Your international transfer tools and retention schedules;
  • Your account of the misdirected payment link incident and remedial steps.

Any statement will be published in full. If corrections are made, updates will be timestamped accordingly.

Independence note: The Reasonable Adjustment is an independent, public-interest platform. We document systemic gaps and invite accountable fixes. Evidence is retained for disclosure to regulators and courts.
