Quick update, straight to the point. Since my last post, there has been movement. Some of it good, some of it overdue, none of it surprising.

NPA: links fixed, credit where it is due

The National Pharmacy Association corrected the broken policy links by 10:30am on Monday 1 September 2025. Good. That is how this should work, someone raises a clear issue, it gets resolved quickly, everyone moves on a little better informed.

Puro: prompt contact and a draft on the table

Puro’s chairman contacted me personally. I appreciate that. A draft privacy policy followed soon after. It is rough, it needs polish, but it shows intent and a willingness to engage. That is progress.

CB1 breach context, and why this matters

In the same month, patients at CB1 Medical were told about a significant data breach that included personal and prescription information. Incidents like this are a reminder that privacy is not a nice-to-have, it is the minimum safe standard. If you need a reference, see the public reporting here: Cannabis Health News coverage.

IPS Pharma: still showing a 2018 privacy notice

As of today, IPS Pharma’s published privacy policy still shows a 25 May 2018 date. That would be a problem for a basic brochure site, it is far more serious for a business that captures and processes special category health data. You can read the page yourself: IPS Pharma privacy policy.

IPS has expanded into a pharmacy system that handles sensitive medical information at scale. That raises the bar. You need a current, specific privacy notice that matches reality, including lawful bases, retention, processor listings, cookie detail, user rights, DPO contact, and incident handling.

SAR handling has not inspired confidence

On my own Subject Access Request, IPS asked basic questions about scope only days before the deadline. That is not what good compliance looks like. If you are unclear about data classes or systems, you clarify at the start, not at the finish line.

What good looks like, in plain English

• Publish an updated, dated privacy notice that actually reflects systems in use, not a template from years ago.
• List processors and transfers, include retention schedules, and explain cookies with real detail.
• Name a contact route for privacy concerns, and make it responsive.
• Treat SARs as a priority from day one, log scope early, and deliver on time.

Where we go next

I will keep this factual and fair. When organisations fix issues, I will say so. When they stall or fall short, I will say that too. If IPS publishes a current notice and gets SAR handling back on track, readers here will be the first to know. If not, we will escalate using the proper channels.

Related reading, my earlier breakdown of IPS’s notice: IPS Pharma’s Privacy Policy Is Stuck in 2018.

Standard note: This article is for transparency and public interest reporting, it is not legal advice.