By David Reissner
In August 2021, Deliveroo announced a partnership with Boots to deliver orders from Boots customers for a range of goods including medicines for minor ailments and “children’s medicines like Calpol”. One year later, the two companies have just announced extending their arrangement to 125 Boots stores.
In June this year, The Mirror reported that a Deliveroo driver filmed himself delivering on behalf of Boots a bag containing Canesten antifungal cream to a female student. The driver implied that the cream was for the treatment of a vaginal infection.
Before the student came outside to collect the bag, the driver filmed himself saying on camera “Someone’s got some problems downstairs, man”. He then filmed the student coming outside to collect the bag. When she reached the driver, he mockingly asking her what was inside the bag. The driver then posted the footage on Twitter (where it is still available on The Mirror’s website but with the student’s face concealed). This case raises a number of legal issues.
Employment law
The Mirror reported that the Deliveroo driver (whom it called a “scumbag”) had been sacked. No other details are known but, although employees usually have a right to a notice period and a right not to be unfairly dismissed, employees can be summarily dismissed for gross misconduct. The delivery driver’s behaviour in this case seems a good example of gross misconduct.
Confidentiality and privacy
When information is provided or received in confidence, that information is protected by the law. This is why healthcare professionals are not free to disclose information about patients. Additionally, Article 8 of the European Convention on Human Rights gives people a right to privacy which is now recognised in English law.
David Reissner
Subject to certain conditions that would not apply in a case like this, if someone has a reasonable expectation that relevant information will be kept private, then they have the right to claim damages if the right is infringed.
The laws dealing with confidentiality and privacy were clarified by the House of Lords – then the highest court in the UK – in a case involving the supermodel, Naomi Campbell.
On 1 February 2001, The Mirror (ironically, the same newspaper that reported the Deliveroo case) carried as its first story on the front page a prominent article headed “Naomi: I am a drug addict”. The article, supported by photographs, showed the legendary supermodel leaving a Narcotics Anonymous meeting.
Nearly 20 years ago, Campbell was awarded damages of £3,500 against The Mirror. The student who received the Canesten is not famous, but when the Deliveroo driver’s film appeared on Twitter, she would have been capable of being identified by family, friends, teachers, fellow-students and the public, all of whom could see what was delivered to her whilst being informed (if they did not already know) what Canesten is used to treat.
It is easy to imagine the distress that may have been caused and a court might well award her several thousands of pounds if she brought a claim.
Data protection
The processing of personal data is protected by the Data Protection Act which gives legal force to GDPR. In the Deliveroo case, the data were personal because the information about Canesten being supplied related to an identifiable natural person. Data concerning health are classified by the Act as “sensitive personal data”.
The filming and uploading onto Twitter come within the definition of “processing”. In this case, it looks like the law was breached both because the Boots customer did not consent to the processing and because the processing – the filming and uploading – were not necessary for the provision of health or treatment.
If the Boots customer could prove that she suffered distress because of the filming and/or uploading, then the Data Protection Act would also give her a right to damages. In addition, it is a criminal offence for a person knowingly or recklessly to disclose personal data without the consent of the data controller (either Deliveroo or Boots).
Who is liable?
If the Boots customer wanted to claim damages for breaches of her rights, she would have to decide whom to sue. The Deliveroo driver may not be easy to trace and he may not have enough money to meet a claim, so she would want to consider whether she could bring a claim against Deliveroo or Boots. In general, employers are liable for loss or damage caused by an employee in the course of their employment. This is known as vicarious liability.
The delivery driver was not an employee of Boots and, although the law sometimes extends vicarious liability to businesses that are not employers, it seems doubtful that Boots would be vicariously liable in this case.
In 2020, the Supreme Court took a close look at vicarious liability when an IT auditor named Skelton had a grudge against his employer, the supermarket chain Morrisons, because he had been the subject of disciplinary proceedings.
Skelton copied the personal data, including payroll data, of a large number of Morrisons employees onto a USB stick. He took the stick home and uploaded a file containing the data to a publicly-accessible file-sharing website.
Skelton received a lengthy prison sentence for his actions. Nine thousand employees whose data was released sued Morrisons. The Supreme Court looked at whether Skelton was acting in the course of his employment or whether what he did was closely connected to his employment. It concluded that it was “abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question.
On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings”. Morrisons were not liable.
Following this reasoning, it seems likely that Deliveroo would not be liable for the actions of the driver who delivered Canesten.
Fitness to practise
The GPhC has published guidance for providing pharmacy services at a distance. It has investigated the Boots/Deliveroo case and decided not to take any further action. There are, however, important lessons for pharmacy businesses that arrange for a third party to deliver medicines.
Medicines must be packaged suitably and delivery drivers should receive training so that they are made aware of the importance of confidentiality, in the same way as if medicines were being delivered by employees of the pharmacy itself.
(David Reissner is honorary professor of Pharmacy and Medicines Law at the University of Nottingham and chair of the Pharmacy Law & Ethics Association.)
By positioning as self-care champions, pharmacies can increase footfall, enhance customer trust, and boost revenues.Getty Images 
