In April 2019, the ICO fined Bounty UK Ltd £400,000 for a breach of the first data protection principle under the DPA 1998, in circumstances where it operated a data broking service alongside pregnancy and parenting support services, but failed transparently and fairly to make clear to data subjects that it would share their data. One of the ways in which Bounty got access to data subjects, was under contracts with NHS Trusts, giving them access to new mothers.
One such contract was with Hampshire Hospitals NHS Foundation Trust. Under it, Bounty agreed to process data in accordance with the DPA and that consent would be sought for data sharing, and would be given access to new mothers to distribute information packs and offer a photography service under which they would collect name and address information. Nicklin J described the Bounty business model as being “largely based upon harvesting data from expectant mothers in order to sell that data on to third parties”. One such expectant mother was Mrs Underwood, who had signed up with Bounty in April 2017. After she gave birth in October 2017, a representative of Bounty appeared by her bedside, apparently looking at the patient information sheets located in the holder at the foot of the bed, and taking some time to leave at the insistence of Mr Underwood. Subject access requests made to Bounty by the Underwoods included the Underwoods’ new child’s name, gender and date of birth.
In Underwood v Bounty UK Ltd & Hampshire Hospitals NHS Foundation Trust  EWHC 888 (QB), the Underwoods sued for breach of the DPA and for misuse of private information. Bounty went in administration and judgment in default was obtained. The claim proceeded to trial as against the Trust, heard by Nicklin J. The Trust’s position was that it was not responsible for any wrongdoing of Bounty. Nicklin J essentially accepted the Trust’s position and some of the commentary is of wider interest.
It was found that the Bounty representative was most likely to have found and recorded the child’s details from the hospital paperwork held at the foot of Mrs Underwood’s bed. That paperwork being there did not, the Court held, constitute the making available of the data within it: Bounty’s representative had inappropriately (and unlawfully) looked at paperwork which was there for good medical reasons. It was unauthorised processing for which Bounty, not the Trust, was the relevant controller. There was no breach of the seventh principle. The limited data available by the bedside was necessary for hospital staff to discharge their duties, and a functioning hospital has to be able to do this to some extent, so as to prevent lengthy medical histories having to be taken every time a new nurse or doctor attends on the patient. The alternative would not have been practical. There were contractual obligations placed on Bounty.
Also of interest was the dismissal of the privacy claim. Nicklin J applied, with apparent approval, the Warren v DSG judgment of Saini J (on which see here), to find that there had been no relevant ‘misuse’ of the information in this context. It was not sufficient that the Trust had permitted Bounty to have access to the Claimants. Moreover, Nicklin J commented that a person’s name, gender and date of birth (even of a newborn child) was not information of a level of seriousness to engage the tort at all. Given the regular appearance of such information in data breaches, this is commentary of wider interest.
The Court also, briefly, deprecated the pleading of an exemplary damages claim (which had not been pursued at trial), emphasising that these would be available only in “wholly exceptional” cases, and that it was never appropriate to plead such a claim “simply to mark how upset the claimant is about the defendant’s conduct, or as some sort of negotiating strategy”. In fairness to the Underwoods, one can see on the Court’s own findings how such a claim might have been justified as against Bounty, even if it were not as against the Trust.