Press "Enter" to skip to content

National Pharmacy Association, GDPR Requests and Email Handling

By Kieron JH on November 27, 2025 3:01 am
Gold envelope icon with a small Santa hat on the corner, symbolising a GDPR data request deadline falling on Christmas.
Santa’s data request arrives on time. Article 12 does not pause for Christmas.

When people use their data rights, they do not always see what happens behind the scenes. Emails move through filters, rules and shared inboxes before anyone reads the content. Most of the time this is invisible and harmless.

Occasionally, the pattern becomes visible. When it does, it can reveal a great deal about how an organisation actually handles requests about legal rights. The National Pharmacy Association (NPA) has appeared on The Reasonable Adjustment several times already, including pieces on misrepresentation and legal threats, refusal to process a previous Subject Access Request and patterns of silence in response to legitimate concerns.

This case study focuses on one specific question, how were emails about a renewed Subject Access Request in November 2025 handled by NPA systems.

The legal starting point, a renewed Subject Access Request

On 25 November 2025, a renewed Subject Access Request was sent to the NPA under Article 15 of the UK GDPR and the Data Protection Act 2018. It came from a dedicated advocacy address used for legal and rights based correspondence and was sent to the named NPA contact and generic addresses, including [email protected].

The request was:

  • limited to one identifiable data subject,
  • scoped by time period and subject matter,
  • directly linked to an ongoing dispute and previous correspondence, including the earlier SAR refusal described in NPA SAR refusal, noreply threats and network logs,
  • framed clearly within the Subject Access Request provisions of UK GDPR.

Under Article 12, the controller must facilitate the exercise of the right of access. Under Article 15, they must respond within one calendar month. In this case, the statutory deadline falls on 25 December 2025.

No acknowledgement was received.

A simple test, same content, different address

To understand whether this was an ordinary delay or something more structural, a simple test was carried out.

Shortly before this article was written, a short follow up email was sent to the same NPA contacts from a different address, [email protected]. The purpose was limited and precise, to see whether automated systems at NPA would respond.

They did.

Within seconds, two automated acknowledgements arrived:

The contrast is important.

  • The original renewed Subject Access Request, from the advocacy address, generated no visible acknowledgement at all.
  • The later follow up, from a different address, triggered immediate automated responses from the same systems.

The wording, recipient list and organisation were effectively the same. The only material change was the sending address.

What the pattern suggests

There are several possible explanations. Servers can fail. Rules can be misconfigured. Spam filters can be overactive.

Even allowing for those possibilities, the most plausible reading of the evidence is that the advocacy address may have been blocked, filtered or treated differently within NPA systems at some point. That conclusion does not require speculation about individuals, it follows from comparing how NPA systems treated messages from one address and how they treated messages from another, minutes apart.

From a GDPR perspective, the key concern is not the label attached to the action. It is the effect. If the address used to exercise data rights is treated in a way that prevents or delays acknowledgements, this has real consequences for compliance.

Why this matters for Articles 12 and 15

Article 12 requires controllers to make it easy for individuals to exercise their rights. Article 15 gives a clear right of access and a clear timeframe.

If an organisation’s systems:

  • fail to acknowledge requests from a known rights based address, while
  • responding promptly to similar messages from another address,

then several questions arise.

These include:

  • whether any filtering rules, blocks or restrictions were applied to the original address,
  • who authorised them and under what policy or risk assessment,
  • whether these actions affected logging, triage and internal circulation of the renewed Subject Access Request,
  • whether the controller still recognises that the statutory deadline runs from 25 November 2025, regardless of weekends, holidays or office closures.

These are not niche technical questions. They go to the heart of how a controller demonstrates that it is facilitating the exercise of rights rather than making the process more difficult.

Governance, logging and fingerprints

From a governance perspective, this scenario touches several areas that The Reasonable Adjustment has been tracking for some time. Previous articles have examined traffic spikes and monitoring patterns linked to NPA visits and fingerprint level evidence of NPA related access. Taken together with the earlier misrepresentation and silence logs, a consistent picture starts to emerge.

In this context, the current email handling issue raises familiar governance questions:

  • Data protection policy: whether the organisation has clear rules about blocking or filtering individuals who are exercising their legal rights.
  • Risk management: whether the risks of restricting communication with rights holders have been documented, and who signs off such decisions.
  • Record keeping: whether the organisation can show that requests were logged and processed regardless of any email level filtering.
  • Regulatory engagement: if challenged by the ICO, whether the organisation can explain the discrepancy in handling between different addresses.

Good governance does not require perfection. It does, however, require traceability, proportionate decision making and a clear audit trail.

Why The Reasonable Adjustment is documenting this

The Reasonable Adjustment exists to document and analyse real world examples of systems not behaving as expected, especially around people who are already at a disadvantage when dealing with institutions.

In this case, the facts are straightforward:

  • a renewed Subject Access Request was submitted,
  • no acknowledgement was received,
  • a near identical message from a different address triggered instant acknowledgements,
  • and the statutory deadline coincides with a major public holiday.

This combination creates a live compliance risk for the controller. It is exactly the kind of scenario that many individuals would simply accept as unfortunate or just how things are. In practice, it reflects choices about internal configuration, oversight and attitude to scrutiny.

By making these patterns visible, the aim is to encourage better practice, not to generate drama. If the NPA provides a clear explanation, that will be published. If they do not, that silence will also form part of the public record and any regulatory referral.

Controllers cannot control which day a deadline falls on. They can control how seriously they treat requests that start the clock.

Written by Kieron JH
Founder, The Reasonable Adjustment

Further reading on the National Pharmacy Association

Published in Accountability, Articles, Data, Disability, IPS Pharma, Kieron, Law and Medical Cannabis

More from AccountabilityMore posts in Accountability »
More from ArticlesMore posts in Articles »
More from DataMore posts in Data »
More from DisabilityMore posts in Disability »
More from IPS PharmaMore posts in IPS Pharma »
More from KieronMore posts in Kieron »
More from LawMore posts in Law »
More from Medical CannabisMore posts in Medical Cannabis »

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *