Case Summary
A member of the public complained about an email from a market research agency, inviting her to take part in an online survey for Merck Serono about a new walking aid for patients with multiple sclerosis (MS). The complainant stated that the market research agency obtained her details from confidential information that she had given to Merck Serono two years previously when she had joined a patient support website for patients prescribed Merck Serono's MS medicine Rebif (interferon beta-1a).
The complainant noted the website had a specific web privacy promise that Merck Serono would not pass patient details onto a third party unless required to do so by law. In any event Merck Serono would need to ask for express permission as it was her personal medical data. Merck Serono claimed that the permission was not specific but was there and that the wording of the privacy policy just needed 'tightening up'.
The complainant was very concerned the market research agency claimed it was 'partnered' with several other medical market research agencies including one of the largest in the country, so she assumed that her details were now common property.
The complainant alleged that Merck seemed to think it had found a way to do market research on the cheap at the cost to patients of letting the world know that they had MS. This was deceitful and should be stopped as soon as possible.
The complainant had taken Rebif for six months until an adverse event. She was now on another medicine and was surprised and then dismayed to be contacted again.
The complainant had contacted Merck Serono and considered its response did not address the privacy issue or the continuation of the practice of sending patient data out for market research. The complainant noted that Merck Serono now intended to contact patients which seemed even more controversial.
The detailed response from Merck Serono is given below.
The Panel noted that the survey was sent to patients who had registered on a patient support website for Merck Serono's prescription medicine, Rebif. The Panel noted that the complaint was about provision of patients' email addresses by a pharmaceutical company to its market research agency and considered that the matter was potentially covered by the Code. The Code stated that pharmaceutical companies must comply with all applicable codes, laws and regulations to which they were subject. The Panel noted that the Data Protection Act 1998 was potentially relevant to matters within the scope of the Code and so in that regard the matter was covered by the Code.
The Panel noted that, in order to register on the website, the complainant had had to submit, inter alia, her email address and tick a box to declare that she had read and understood the privacy policy and website terms of use and give consent for her personal data to be processed in accordance with the privacy policy.
Point 1 of the privacy policy informed readers that Merck Serono might collect and process their personal data and might also ask the reader to complete surveys that Merck Serono used for research purposes although the reader did not have to respond to them. In the Panel's view it was thus clear that registered users might be contacted to complete a survey. Point 5 noted that information held might be used, inter alia, to carry out market research into medical conditions and the usefulness of the health information that Merck Serono provided. Point 6 stated that in specified circumstances Merck Serono might disclose personal information to third parties and, in addition, to any member of its group of companies. The Panel noted Merck Serono's submission that disclosure to a market research agency was not listed under Point 6 because, according to the Data Protection Act, the provision of personal data to third party data processors was not deemed to be the transfer of information which required the consent of the data subject. In the Panel's view, most readers of the privacy policy would not know the provisions for the Data Protection Act well enough to realize this.
The Panel considered that Merck Serono's privacy policy was not unacceptable. It was also not necessarily unacceptable for Merck Serono to have provided the complainant's email address to the market research agency in these circumstances. The market research agency had acted on behalf of Merck Serono and had been briefed to only use the email addresses for the purpose of the survey and to destroy any copy of the emails on completion of the survey.
Although the privacy policy could have been clearer that Merck Serono might use an agency to conduct market research, the emailed invitation from the agency clearly explained that it had been appointed by Merck Serono to carry out the survey. The email also informed the reader that their personal details would remain confidential and would not be passed on to anyone. Contact details were given for concerns or queries.
The Panel noted Merck Serono's submission that such research was always conducted by a market research agency to preserve the respondents' anonymity to Merck Serono and to ensure that the research remained unbiased. The market research agency had confirmed that, subsequent to the dispatch of the email in question, all copies of the patients' email addresses were deleted or destroyed.
The Panel noted its comment above regarding the Data Protection Act and the application of the Code and that no evidence had been submitted to show that an appropriate judicial forum had formally considered this matter to be in breach of the Act. The Panel thus ruled no breach of the Code. The Panel did not consider that in the provision of the patients' email addresses to its agency, Merck Serono had failed to maintain high standards. The privacy policy applicable at the time made the position sufficiently clear. No breaches of the Code were ruled including Clause 2.
CASE AUTH/2522/7/12 MEMBER OF THE PUBLIC v MERCK SERONO
NO BREACH OF THE CODE
Alleged disclosure of patient data
A member of the public complained about an unexpected email from a market research agency, inviting her to take part in an online survey for Merck Serono about a new walking aid for patients with multiple sclerosis (MS). The complainant stated that the market research agency had got her details from confidential information that she had given to Merck Serono two years previously when she had joined a patient support website for patients prescribed Merck Serono’s medicine Rebif (interferon beta-1a). Rebif was indicated for the treatment of relapsing MS.
COMPLAINT
The complainant noted that on the website there was a specific web privacy promise that Merck Serono would not pass patient details onto a third party unless required to do so by law. The complainant questioned whether in any event Merck Serono would need to ask for express permission as it was her personal medical data.
The complainant had spoken to a senior director from Merck Serono UK who claimed that the permission was not specific but was there and that the wording of the privacy policy just needed ‘tightening up’. The complainant emailed the German parent company but the enquiry was passed back to the UK. This had been going on since June.
The complainant posed the question of why this mattered as she did not have to take part in the survey.
The complainant submitted that the usual way to get patients’ opinions was to ask for volunteers on patient support groups (most would not allow it), social media, patient forums or via online market research agencies. Getting a patient’s contact details was key to this.
The complainant considered that there must be thousands of people on Rebif in the UK, most of whom would have joined the website to get support for using the medicine.
The complainant submitted that it got worse; the market research agency’s website claimed it was ‘partnered’ with several other medical market research agencies including one of the largest in the country, so she assumed that her details were now common property.
The complainant alleged that Merck seemed to think it had found a way to do market research on the cheap at the cost to patients of letting the world know that they had MS. This was deceitful and should be stopped as soon as possible.
The complainant proposed to contact the main MS forums and warn people, knowing that journalists from national newspapers would pick it up, and had waited three weeks for the Medicines and Healthcare products Regulatory Agency (MHRA) to respond.
Following a request for further information from the case preparation manager, the complainant stated that she was on Rebif for six months until an adverse event which was reported by her consultant. She was now on another medicine and was surprised and then dismayed to be contacted again.
The complainant stated that letters from Merck Serono did not seem to address the privacy issue or the continuation of the practice of sending patient data out for market research (copies of the letters were provided). The complainant noted that Merck Serono now intended to contact patients which seemed even more controversial.
When writing to Merck Serono, the Authority asked it to consider the requirements of Clauses 1.8, 9.1 and 2 of the Code.
RESPONSE
Merck Serono confirmed that the complaint related to registration to its post-prescription patient support website which provided information to patients prescribed Rebif. Details of when the complainant registered to use the website were provided.
Merck Serono noted that the complainant was concerned that the personal details she submitted in order to access the website had been provided to a market research agency which then invited her to take part in an on-line survey. Merck Serono had commissioned the survey to evaluate a device which might help MS patients with mobility issues associated with foot drop, a recognised complication of MS.
Merck Serono stated that users undertook a formal registration process in order to access and use the website. The patient had to enter a code obtained from the patient support pack provided to them after being prescribed Rebif and then create a username (their email address) and a password to access the website. Access was only granted once all the required information had been completed and the patient had ticked a box to confirm that they had read and understood the terms of use and the privacy policy. The acceptance wording stated:
‘I have read and understood the privacy policy and website terms of use, and I consent to be enrolled in the post prescription nursing support services, and for my personal data to be processed in accordance with the Privacy Policy.’
A link to the privacy policy and the terms of use was contained below this statement (a copy of the registration pages of the website and the terms of use and the privacy policy (previous and current versions) were provided).
Merck Serono submitted that Point 1c of the privacy policy in its previous format stated:
‘We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.’
Point 5 of the privacy policy stated:
‘We will not use your data for marketing purposes or for any purposes other than the specific purposes listed below.’
The purposes listed included the right:
‘With your consent to carry out market research into medical conditions and the usefulness of the health information that we provide’ (previous Point 5b).
Merck Serono submitted that the Data Protection Act 1998 stated that it must obtain consent of a data subject to use any personal data provided to it. It must also make it clear to the data subject as to how the personal data would be used. The privacy policy made it clear that data provided might be used to invite website users to participate in surveys and market research into medical conditions. Merck Serono was therefore confident that it had complied with the law in relation to the use of the complainant’s personal data and thus did not consider it had breached Clause 1.8 of the Code.
Merck Serono noted that the complainant was also concerned that her data was provided to its market research agency, which then contacted her on behalf of Merck Serono to invite her to participate in the survey. The market research agency was engaged to carry out the survey on behalf of Merck Serono. The market research agency was provided with a list of email addresses of registered users of the website. No other details of registered users of the website were provided. The agency was under strict instructions not to use the data provided (email addresses) for any purpose other than to conduct the survey and it was asked to destroy the data provided upon completion of the survey. A copy of the instructions emailed to the market research agency was provided.
Merck Serono noted Point 6 of its privacy policy stated:
‘We may disclose your personal information to third parties only in the following circumstances.’
The circumstances where it might disclose such information to a third party included a third party involved in any merger, acquisition or corporate restructuring of Merck Serono, adverse event reporting, enforcement of its terms of use, or to protect its rights or property or those of others.
Merck Serono submitted that the right to use a third party to assist with market research was not listed here because the Data Protection Act did not deem the provision of personal data to a third party data processor as a transfer of information which required the consent of the data subject. The Act stated that a data processor engaged to carry out services on another’s behalf was not seen as a third party. A data processor (ie the market research agency) was defined by the Data Protection Act as ‘any person (other than an employee of the data controller [ie Merck Serono]) who processes the data on behalf of the data controller’.
Merck Serono stated that for the purpose of processing of personal data, the Data Protection Act defined a third party as ‘any person other than (a) the data subject [ie the website user], (b) the data controller, or (c) any data processor or other person authorised to process data for the data controller or processor [ie the market research company]’.
Merck Serono stated that in its view it had not contravened the Data Protection Act which governed the processing of personal data and thus had not breached Clauses 1.8, 9.1 or 2.
Merck Serono submitted that the invitation at issue was sent to registered users of the website on 11 June 2012. The email made it clear that the survey was commissioned by Merck Serono which had appointed the market research agency to carry out the survey on its behalf. Further, the email did not put any pressure or obligation on the recipient to respond to the survey and it indicated that the respondents’ details would remain confidential and not be passed on to anyone. A copy of the email was provided.
Merck Serono noted that it obtained a very positive response to the survey; from 760 invitations it received 166 replies, 150 of which were received in the first week. The company did not receive any other negative feedback about the invitation to take part in the survey. Such research was always conducted by a market research agency in order to preserve the respondents’ anonymity to Merck Serono and to ensure that the research remained unbiased and thus ensured high standards were kept.
Merck Serono submitted that it had not breached the terms of the Data Protection Act by engaging the market research agency to contact registered users to invite them to participate in the survey. The communication was consistent with the terms of the website privacy policy, and was certified in accordance with the requirements of the Code and Merck Serono thus denied any breach of Clauses 1.8, 9.1 and 2.
Whilst Merck Serono considered that it had acted entirely within the requirements of the law and the Code, it was, however, concerned to receive the complaint and had accordingly endeavoured to address the complainant’s concerns. It had thus changed the website privacy policy to provide greater clarity as to its terms; in particular it had grouped Points 1c and 5b (as cited above). The new Point 5b read:
‘We may use your data [...] to contact you, in the manner detailed below, to ask you to complete surveys or to carry out market research into medical conditions and the usefulness of the health information that we provide, although you do not have to respond to them.’
The following provision had also been inserted:
‘Market research/surveys – where we wish to conduct surveys or market research which we use for our own internal research purpose, we may engage an independent professional service provider for the sole purpose of conducting such survey or market research on our behalf. This is to preserve the anonymity of respondents and to ensure that the research is unbiased. In this event, we will contact you to obtain your consent prior to passing your details.’
Merck Serono submitted that if it undertook future market research/surveys with the website users, it would make the first contact rather than an independent professional service provider. This would include asking if the registered user would like to participate in the survey/market research and if so to ask him/her to confirm that he/she was happy for his/her details to be provided to an independent professional adviser who will contact him/her with regard to the survey/market research. A copy of the updated privacy policy was provided. Merck Serono submitted that the changes had been uploaded onto the website.
Merck Serono submitted that it had also reassured the complainant that the market research agency no longer held her details (or those of any other users) and that she would not be contacted again by Merck Serono or any third party data processing agent engaged by it to ask if she would like to participate in any survey or market research.
In Merck Serono’s view it had endeavoured to address the complainant’s concerns. It had responded swiftly to her, fully investigated her complaint and implemented actions to address her concerns. Copies of correspondence exchanged with the complainant were provided.
Merck Serono confirmed that only the complainant’s email address was provided to the market research agency by Merck Serono as detailed above. Seven hundred and sixty (760) email addresses of registered users were provided to the market research agency and the company was instructed not to use them for any purpose other than to email the approved invitation; in particular the company must not pass the data to third parties and the data must be destroyed when the survey was complete. The market research agency had confirmed in writing that it had complied with Merck Serono’s requirements (a copy was provided).
Merck Serono only used the market research agency to assist it with the survey. It used another agency to obtain feedback from registered users of the website in relation to the support information provided in February 2012.
Merck Serono stated that it had not been paid for the complainant’s details. Merck Serono appointed the market research company to provide a service and paid it for the service provided.
Merck Serono concluded that by contacting the complainant to invite her to participate in the survey and passing her email address to a market research agency appointed by it for this sole purpose, it had not contravened the Data Protection Act or any other laws or regulations, and had therefore not breached Clause 1.8. The initial communication sent to respondents was consistent with the terms of the website privacy policy, complied with the Data Protection Act and was reviewed for compliance with the Code and certified accordingly. Furthermore Merck Serono had taken the complainant’s concerns seriously and had acted to address them. Merck Serono considered that it had complied with the Code and in particular Clauses 1.8, 9.1 and 2.
PANEL RULING
The Panel noted that the Code applied to the promotion of medicines to members of the UK health professions and to appropriate administrative staff. It also applied to a number of areas which were non promotional, including information made available to the public about prescription only medicines. The Panel noted that the survey in question concerned a device. Whilst material or activities relating to devices generally fell outside the scope of the Code, the Panel noted that the survey was only sent to patients who had registered on a patient support website for Merck Serono’s prescription medicine, Rebif. The Panel noted that the complaint before it was about provision of patients’ email addresses by a pharmaceutical company to its market research agency and in that regard it considered that the matter was potentially covered by the Code. Clause 1.8 of the Code stated that pharmaceutical companies must comply with all applicable codes, laws and regulations to which they were subject. The Panel noted that in this case the provisions of the Data Protection Act 1998 were potentially relevant to matters within the scope of the Code and so in that regard the matter was covered by Clause 1.8. The Panel noted, however, that its ruling would be made according to the provisions of the Code; it could not make any decision with regard to adherence to the Data Protection Act.
The Panel noted that, in order to register on the website, the complainant had had to submit, inter alia, her email address and tick a box to declare that she had read and understood the privacy policy and website terms of use and give her consent for her personal data to be processed in accordance with the privacy policy.
Point 1 of the privacy policy informed readers that Merck Serono might collect and process their personal data and might also ask the reader to complete surveys that Merck Serono used for research purposes although the reader did not have to respond to them. In the Panel’s view it was thus clear that registered users might be contacted to complete a survey. Point 5 noted that information held might be used, inter alia, to carry out market research into medical conditions and the usefulness of the health information that Merck Serono provided. Point 6 of the privacy policy stated that in specified circumstances Merck Serono might disclose personal information to third parties and, in addition, to any member of its group of companies. The Panel noted Merck Serono’s submission that disclosure to a market research agency was not listed under Point 6 because, according to the Data Protection Act, the provision of personal data to third party data processors was not deemed to be the transfer of information which required the consent of the data subject. In the Panel’s view, most readers of the privacy policy would not know the provisions for the Data Protection Act well enough to realize this. The Panel noted that Merck Serono had since changed its privacy policy to include more explanation about the use of data for market research/surveys and its processes had also changed such that the first contact about market research/surveys would come from Merck Serono, not a third party agency.
The Panel considered that although Merck Serono had recently changed its privacy policy as a result of this complaint, its original privacy policy was not unacceptable. It was also not necessarily unacceptable for Merck Serono to have provided the complainant’s email address to the market research agency in these circumstances. The market research agency had acted on behalf of Merck Serono and had been briefed to only use the email addresses for the purpose of the survey and to destroy any copy of the emails on completion of the survey.
Although the privacy policy could have been clearer that Merck Serono might use an agency to conduct market research, the emailed invitation from the agency clearly explained that it had been appointed by Merck Serono to carry out the survey. The email also informed the reader that their personal details would remain confidential and would not be passed on to anyone. Telephone and email contact details were given for readers with concerns or queries.
The Panel noted Merck Serono’s submission that such research was always conducted by a market research agency to preserve the respondents’ anonymity to Merck Serono and to ensure that the research remained unbiased. The market research agency had confirmed that, subsequent to the dispatch of the email in question, all copies of the patients’ email addresses were deleted or destroyed.
The Panel noted its comment above regarding the Data Protection Act and the application of the Code and that no evidence had been submitted to show that an appropriate judicial forum had formally considered this matter to be in breach of the Act. The Panel thus ruled no breach of Clause 1.8. The Panel did not consider that in the provision of the patients’ email addresses to its agency, Merck Serono had failed to maintain high standards. The privacy policy applicable at the time made the position sufficiently clear. No breach of Clause 9.1 was ruled.
The Panel noted its rulings above and ruled no breach of Clause 2.
Complaint received 4 July 2012
Case completed 4 August 2012