Published by: The Reasonable Adjustment
This started with a Discord ticket.
When The Reasonable Adjustment was new, I asked the staff of r/ukmedicalcannabis, one of the largest UK patient communities around prescribed cannabis, if it was ok to share a link to the site. The response was heavy scrutiny of my privacy policy. I tightened it up. Scrutiny is fine.
The hard part to digest was what came next. Months passed, there were vague “next steps”, and no visible movement. At the same time, serious public-facing privacy issues around major providers were already known and discussed, yet there were no patient-facing PSAs, on the basis that it would be “unfair” to single out one pharmacy without checking everyone.
That logic sounds principled until you realise it guarantees inaction, and it quietly gives the biggest names special treatment. So I stopped debating and pulled the data.
They were aware of IPS Pharma concerns since summer 2025
To be crystal clear, I’m not talking about rumours. I documented issues around IPS Pharma, one of the most popular pharmacies in the UK medical cannabis space, across multiple posts:
- IPS Pharma privacy breach
- IPS Pharma privacy policy 2018, broken links
- IPS Pharma privacy policy 2018 vs 2025 patient portal
The stated reason for not doing PSAs was: it would be unfair to single out IPS Pharma without checking them all. The problem with that is simple. If you refuse to warn patients about known, documented issues unless you have completed a full sector-wide audit, you have created a perfect excuse to never warn patients about anything.
Context matters, this was after a major clinic breach
This all happened in a sector that had already seen major patient data concerns discussed publicly, including the CB1 Medical breach. So the posture of “we can’t say anything unless we check everyone” felt even more backwards. After a breach, patient communities should get sharper, not quieter.
What I actually did
I built and ran an automated scan against publicly available privacy pages for UK clinics and pharmacies, then tidied the output into a structured export so it could be analysed properly.
This isn’t inside access and it isn’t guesswork. It’s based on what providers publish for patients and the public, or fail to publish. If you can’t disclose the basics clearly, patients can’t judge what’s happening to their data.
What the scan checks
- Is there a privacy policy page at all?
- Is it dated or versioned?
- Is the controller identified?
- Is a lawful basis stated?
- Is special category medical data explicitly addressed?
- Are retention periods stated?
- Are international transfers mentioned?
- Is cookie compliance acknowledged in a meaningful way?
These are not exotic requirements. They’re basic public-facing disclosures, and they matter more in healthcare than almost anywhere else.
What the data shows
In the tidy export used for this article, there are 56 organisations in total, 36 clinics and 20 pharmacies.
- Policy date missing: 42 out of 56.
- Special category handling missing: 20 out of 56 had no explicit special category extract captured.
- Retention disclosures are weak: 39 out of 56 are “Vague” (29) or “Not stated” (10). Only 17 are “Specific”.
- International transfers: 32 out of 56 do not mention transfers at all. 21 mention them with detail. 3 are vague.
- Cookies: 45 show a banner that looks broadly decent, 8 are unknown, and 3 are “No banner or unclear”.
- Risk scores: average around 35.6, maximum 74, and 7 providers land in the 60 to 79 band.
The important bit is the pattern, not any single line item. If you can’t date your policy, can’t clearly explain retention, and don’t explicitly handle special category medical data, the transparency is objectively poor for a healthcare provider.
Highest risk examples, and best practice examples
I’m not presenting these as legal conclusions. This is the scan output. The highest risk scores in this export include:
- Petal & Bud (74)
- Verday (72)
- Chelsea Cannabis Clinic (70)
- Smartway Pharmacy (70)
- Monivea Road (68)
- Medecan (64)
- Borders Pain Clinic (62)
There are also examples that score well and show what good disclosure looks like in practice, including:
- Hippocratic Horizons (0)
- Releaf+ Subscription (0)
- Medicann UK (12)
- Medicann (via IPS) (12)
- Peak Pharmacy (16)
This is the point people keep trying to dodge. If a small grassroots project can be held to a high standard quickly, then providers processing medical data should clear the same bar easily. The data suggests many do not.
What this is, and what it isn’t
This is not a legal ruling, and it’s not a claim that any specific provider has definitely breached GDPR. It’s an audit of what is publicly disclosed. Patients can only judge what is actually written down and made available.
If a provider believes an entry misrepresents them, the fix is simple. Publish clearer policies, date them, version them, and make key points like retention and special category handling easy to find.
Why this is on The Reasonable Adjustment
Because selective scrutiny is pointless. If privacy matters, it has to matter where the risk actually lives. If patient communities won’t warn patients, at least patients can see the data.
If you’re new to CBPM and want patient-facing guides as well:
- Dry herb vaporizers for CBPM beginners
- Medical cannabis smell control in the UK
- GMP, medical cannabis seized and disposed, FOI
- Debunking The Sun “stoner nation” narrative
Dataset
Full CSV Export: cbpm_privacy_scan_results_v2.csv
Tidy XLSX Export: CBPM-PrivacyPolicy-ExportTidy
Important: this dataset is not guaranteed to be 100% accurate. It’s an automated scan of publicly available pages. Some sites block automated requests, serve content dynamically, or change structure without notice. Where a page couldn’t be reached or parsed reliably, results may be incomplete or marked as unknown.
Treat it as a triage tool and a starting point, not a final verdict.
Credit: Kieron JH, Founder, The Reasonable Adjustment






Be First to Comment