IPS Pharma’s 2018 Privacy Policy Meets A 2025 Patient Portal

In September 2025, IPS Pharma’s own solicitor, Alicia Grace Day of the National Pharmacy Association (NPA), thanked me for raising concerns about IPS Pharma’s privacy notice and confirmed she would raise those issues with IPS Pharma. Nearly four months later, IPS Pharma’s published privacy policy is still dated 25 May 2018 and still carries launch era text about the law changing in 2018, even though UK GDPR has been fully in force for years and IPS now runs a patient portal that collects highly sensitive health and payment data.

This article sits alongside the earlier deep dive, IPS Pharma: 7+ year old privacy policy DEEP DIVE , and follow up pieces on misrepresentation, gaslighting and complaint handling:

• IPS, NPA and misrepresentation: September 2025 update
• IPS Pharma, pattern, gaslighting, and consequences
• NPA, Puro and IPS privacy progress
• The law is not a vibe: NPA misrepresentation rebuttal
• NPA traffic spike and monitoring evidence

What Alicia Day actually said

In her reply on 3 September 2025, Ms Day thanked me for raising concerns about the IPS Pharma website privacy policy and confirmed that she would address those issues with IPS Pharma and provide an update once it had been looked into. She then set out a position that can be summed up like this:

• Not updating a privacy policy since May 2018 does not automatically mean it is non compliant.
• The website needs to reflect the current practices of IPS Pharma under UK GDPR.
• If nothing has changed in IPS Pharma’s data processing, then an older notice could still be correct.
• Any changes might simply need to be handled by their web developers or IT specialists.

On paper, that sounds calm and reassuring. In reality, two things have clearly changed.

1. UK GDPR has been fully in force for years.
2. IPS has rolled out a patient portal that significantly expands the range and scale of data it collects.

The 2018 notice still says the law will change in May 2018

As of 11 December 2025, IPS Pharma’s publicly linked privacy policy still contains a section headed “Changes to the Privacy Notice” that explains that data protection law in the UK will change on 25 May 2018, and that IPS may not be able to respond to certain rights requests until June 2018 while systems are made ready.

That sentence made sense for a short transitional window in early 2018. Leaving it in place in late 2025, after multiple prompts and a formal complaint, is not a cosmetic issue. It signals one of two things:

• Either the notice has not been substantively reviewed since the launch of UK GDPR, despite IPS handling sensitive health data and payments.
• Or the notice does not accurately reflect the reality of IPS’s current data processing and internal systems.

Neither option is reassuring for patients, prescribers, or regulators.

Summer 2025: IPS launches a patient portal, the policy stays stuck in 2018

In parallel with this static 2018 notice, IPS has introduced a patient facing portal in 2025. That portal allows patients to submit:

• Medical history and current conditions
• Family history and social history
• Allergies and medication details
• Address and contact information
• Payment details
• Uploaded records and supporting documents

In other words, IPS now invites patients to feed high risk special category data and financial data into an online system at scale. Yet the public facing privacy notice that patients are pointed to is the same 2018 text that still talks about the law about to change. There is no clear Article 9 condition for health data in the portal, no published DPIA reference, no retention timelines for portal records, and no dedicated explanation of payment processors or security measures.

My earlier deep dive, IPS Pharma: 7+ year old privacy policy DEEP DIVE , explains those gaps in more detail and sets out what good would look like for a modern health data controller.

What my email actually asked for

The PDF now published, Final Request: IPS Privacy Policy Update, GDPR Transparency and Portal DPIA , shows the full context of my correspondence with IPS Pharma and NPA. It did not simply complain about a date on a web page. It asked for:

• A copy of the current privacy policy text, the genuine last reviewed date, and CMS or version history.
• A clear controller and processor map for the portal and wider operations, including joint controller arrangements where relevant.
• Confirmation of lawful bases under Article 6 and Article 9 for portal intake, dispensing, logistics, records, payments and analytics.
• Confirmation that a Data Protection Impact Assessment (DPIA) had been completed for the portal and a high level summary of risks and controls.
• Clarification of cookies, analytics, and international transfers, given the use of tools such as Google Analytics.
• Clear retention periods for prescription, portal and payment records rather than “available on request”.

Those are not exotic demands. They are basic questions any health data controller should be able to answer in 2025, especially one that supplies unlicensed medicines and medical cannabis products.

“If nothing has changed” versus reality

Ms Day’s email leans heavily on a conditional idea: if IPS Pharma’s data processing has not changed since 2018, then an old policy may still be accurate. The problem is that IPS’s own operations tell a different story.

By summer 2025, IPS had rolled out a portal that collects far more direct patient data online than is described anywhere in the 2018 notice. The notice also openly admits that IPS was still “working towards” getting systems ready for the GDPR changes in 2018 and might not be able to respond to some rights until June 2018. That admission cannot be squared with an argument that the same text is fine for a 2025 patient portal environment.

So either:

• The portal launched without the underlying governance, DPIA work and privacy updates that UK GDPR expects, or
• The work was done but IPS has left its public facing transparency documents years out of date.

Patients and prescribers have no way of knowing which is true by reading the website. That is exactly why transparency, accuracy and regular review are not optional niceties in Article 5, Article 12 and Article 13.

Why this matters for patients, pharmacies and regulators

This is not a “gotcha” about web content. IPS works in a space where patients are often vulnerable, dealing with serious conditions, and reliant on unlicensed medicines and medical cannabis. They deserve privacy information that reflects reality, not launch day filler about laws that might change in the future.

For pharmacies and prescribers, an outdated notice raises another question: if the public documentation is this stale, what confidence can you have in the unseen parts of the governance system that you are relying on as a partner or joint controller.

For regulators, the combination of:

• A 2018 era privacy policy kept live into late 2025,
• A live portal collecting high risk health and payment data, and
• A pattern of slow, partial or non existent responses to detailed GDPR correspondence,

should be a bright red flag.

Next steps and right of reply

IPS Pharma and the National Pharmacy Association are invited, again, to provide a clear written explanation covering:

• When IPS Pharma’s privacy notice was last substantively reviewed.
• How the patient portal is documented in their privacy framework and DPIAs.
• Which lawful bases and Article 9 conditions they rely on for health data in the portal.
• How cookies, analytics and international transfers are handled in practice.
• What action has been taken on the issues raised since September 2025.

Any statement received will be published in full, with corrections and updates timestamped. Evidence, including the full email thread and snapshots of the IPS privacy notice, is retained and will be included in any regulatory complaint pack.

Further reading on IPS Pharma, NPA and GDPR

If you want the full picture behind IPS Pharma’s 2018 privacy policy, the patient portal rollout and the National Pharmacy Association’s response, these articles provide additional context and evidence.

• IPS Pharma: 7+ year old privacy policy DEEP DIVE – line by line breakdown of the 2018 privacy notice that is still being relied on in 2025.
• IPS Pharma complaints, patterns, gaslighting and consequences – how portal issues, complaints and communication have played out for real patients.
• NPA, Puro and IPS privacy progress compared – which organisations addressed their GDPR problems and which chose not to.
• IPS and NPA privacy misrepresentation September 2025 update – how the public messaging from IPS Pharma and the NPA diverges from the evidence.
• The law is not a vibe: NPA misrepresentation rebuttal – detailed response to NPA commentary on IPS Pharma, misrepresentation and GDPR duties.
• NPA traffic spikes and monitoring evidence – network logs and analytics that show who is really watching these case files.
• NPA defamation threat and the silence that followed – how defamation language was used, then quietly vanished when evidence was requested.
• NPA visits and fingerprinting timeline – redacted log evidence of NPA related visits to The Reasonable Adjustment.

For more investigations and evidence backed case files on healthcare privacy, equality rights and data governance, visit The Reasonable Adjustment home page.