Pharmacist: Collection of customer data at pharmacies a gray area
The collection and transmission of data through pharmacies is a murky area, and the extensive leak of data belonging to Apotheka loyalty card holders should prompt Estonian data protection authorities to take the matter more seriously, Kaidi Sarv, chief pharmacist of the Estonian Pharmacists Association, told ERR.
"Looking at Apotheka's principles for the collection and processing of customer data, it makes for murky reading. For example, three types of information is collected: data on customers, goods and services, which is so vague as to cover all data," Sarv said.
"Let's say you had your blood pressure measured and a vaccine shot – will this data also be sent somewhere and based on which grounds? The collection and transmission of data at pharmacies and healthcare service providers is a gray area. If a person visits a pharmacy, according to international principles, it automatically constitutes special information," Sarv noted.
She described the personal data of 700,000 people leaking as extremely unfortunate.
"This includes information on medicines, even though it is said that prescriptions-related data was not included. But what's the difference? Medicines information, even if they're over-the-counter drugs, is very serious business."
Sarv noted that despite the extensive nature of the data breach, there is currently no perception in pharmacies that customers are disturbed by it. However, Estonian data protection authorities should take the matter very seriously.
"The collection, transmission, storage and leakage of people's special categories of data – from the authorities' point of view, this is a very serious issue because the legal basis [for data protection] does exist, but it's all very murky," Sarv explained.
"The Data Protection Inspectorate has announced that it does not deal with individual cases but with systemic issues. I would expect that, against the background of the current Apotheka case, this situation would start to be assessed more effectively, but it seems to me that nobody is interested in this matter. The situation is quite rotten," Sarv said.
Legal backdoor to data
According to Sarv, a question arises about where in the data leak equation Apotheka comes in.
"The data was released by a specific pharmacy, a private limited company, to Allium UPI. But did that pharmacy even know what data it was transmitting? Theoretically, all its activities on the computer, everything that happens with a customer, was transmitted to Allium UPI. This is something that the Data Protection Inspectorate (AKI) should investigate: on what legal basis can a third party, which calls itself a customer data manager, start asking pharmacies for data," Sarv explained.
Sarv also highlighted hypocrisy in the collection of data from pharmacies: if a pharmacist wanted to research what medications are used in certain cases or what medications are used for pain, such research would require the permission of a bioethics committee.
"Here, the pharmacist must prove what the data is used for, which data, on what legal basis – it's a real obstacle course even when you want to research something very simple. But now, some company is just collecting essentially all Estonians' data and processing it, transmitting it to who knows whom, and storing it not anonymized but personalized for ten years after the event. For what purpose?" Sarv said.
According to Sarv, this situation represents a legal loophole.
"If I call myself a loyalty program operator, then I have the right to collect people's health data and process it based on a very murky consent that was obtained unclearly. For special categories of data, the consent for their provision must be explicit, about what data and to whom and for what purpose it is given," Sarv stated.
Sarv also finds the cross-use of pharmacy and retail loyalty cards in Estonia problematic.
According to Kaja Kilg, the spokesperson for Benu Pharmacies, while customers at Benu Pharmacies can receive discounts with a Rimi card, this is based on a technical solution that does not involve the transfer of customer data either from Benu Pharmacies to Rimi or from Rimi to Benu pharmacies.
Inspectorate: Sales data belongs to companies
The Data Protection Inspectorate commented on the Allium UPI data leak situation, stating that it is serious and the agency is working on it every day.
According to the watchdog, the company's organization implies that customer data from pharmacies under the Apotheka brand is processed by the company Allium UPI. "The Allium UPI OÜ company stands behind the Apotheka franchise. Apotheka does not collect data – Apotheka is a brand. Even in the data protection principles on the Apotheka website, it is stated that Allium UPI OÜ is the responsible processor," said AKI public relations advisor Grete Lehemaa.
In response to the question of whether sales data from prescription medications bought by customers at Apotheka pharmacies is also shared with any company, Lehemaa said that sales data is company information. "Sales data and financial reports may not mean that they also include data on prescription medications. Companies definitely have breakdowns of what and how much is purchased, but in such cases, these should not be in a personalized form and it would not play a significant role in fulfilling the purpose," Lehemaa explained.
When asked why cross-use loyalty cards are allowed in Estonia, even when one type of retail establishment – pharmacies – possesses sensitive information, Lehemaa replied that this is not regulated because it should not affect data protection.
"The data must be protected and kept in accordance with the General Data Protection Regulation," Lehemaa stated.
As the matter involves procedural information, the AKI could not comment on why Allium UPI still retained customer data collected ten years ago, in 2014.
Martin Aadamsoo, the information manager of Allium UPI parent AS Magnum, owned by businessman Margus Linnamäe, justified the long-term retention of data by stating that the company's internal rules set the data retention period at ten years.
Describing the connection between Allium UPI and pharmacies, Aadamsoo said that Allium UPI OÜ is the manager of the Apotheka customer program, which stores data related to the loyalty program.
"Pharmacies collect data within the framework of the customer program, allowing customers to register as clients and, if desired, to terminate their client status at the pharmacy," Aadamsoo explained.
Aadamsoo assured that data on prescription medications is neither collected nor stored within the loyalty program framework. "Consequently, they cannot be shared with anyone," he said.
On April 4, it became public knowledge that the personal identification codes, purchase information and contact details of every second Estonian had leaked from the system of Allium UPI, a company dealing in pharmacy and hospital goods. The company managed the data of Apotheka, Apotheka Beauty, and Pet City loyalty card holders. A criminal investigation was initiated under a statute that deals with illegally obtaining access to a computer system. The investigation is being conducted by the Central Criminal Police's cybercrime bureau and is led by the Office of the Prosecutor General. According to AKI Director General Pille Lehise, the Allium UPI data leak case showed that data protection is a secondary issue for businesses.
--
Follow ERR News on Facebook and Twitter and never miss an update!
Editor: Marcus Turovski