
NHS data breach? Claim dismissed

In a recent data breach claim involving Bounty and an NHS Trust, the High Court made it clear that the Trust was not liable for unauthorised (and unlawful) acts of a Bounty representative.

Earlier this year the High Court dismissed a claim by a mother and her new-born son for a data protection breach as well as misuse of private information against both the Hampshire Hospitals NHS Foundation Trust (“Trust”) and Bounty UK Limited (“Bounty”) (Underwood and another v Bounty UK Ltd and another [2022] EWHC 888 (QB)).

Bounty had previously been found to have processed personal data unfairly, for which the Information Commissioner imposed a £400,000 penalty. Bounty was found to have shared the personal data of over 14 million individuals with several organisations without informing those individuals that it might do so. As a result, Bounty was found to have processed that personal data unfairly and without satisfying any processing condition under Schedule 2 to the Data Protection Act 1998 (“DPA”).

Bounty went into administration in November 2020 and did not participate in these court proceedings.

The case

Bounty and the Trust had a contractual agreement which allowed Bounty representatives access to expectant mothers on Trust premises. They would attend hospitals to distribute Bounty packs and offer other services. These packs included the Pregnancy Information Folder and the Newborn Pack, containing samples, information guides, books and literature. The contractual agreement between the parties provided exclusivity to Bounty. Among other obligations, Bounty representatives were required to always introduce themselves, respect the mums’ personal space and ask the mum if she wished to give permission for her details to be shared with Bounty and other companies. Sharing the contact details was not a condition for receiving the Bounty packs. An earlier investigation by the Information Commissioner made it clear that Bounty’s business model was largely based on collecting data from mums and mums-to-be in order to sell it to third parties.

The Claimant was pregnant with her first child and had signed up in April 2017, using the Bounty App, to receive Bounty packs. She was not aware of the agreement between Bounty and the Trust. After a long labour and a caesarean section, she gave birth to her son. Shortly afterwards she was returned to the post-natal ward accompanied by her husband. The Claimant described herself as being “in a zombie-like state” at the time, and her husband was cleaning up some blood. Someone who she assumed was part of the maternity staff, but was in fact a Bounty representative, came to her bed, started to talk to them and started to look through the paper documentation at the end of the bed. She did not introduce herself until asked by the Claimant’s husband after he became suspicious about who she was. According to the husband, he then had to ask her to leave several times before she complied with their request.

Following her return home, the Claimant started to receive targeted emails and phone calls from several companies. She and her husband suspected that these had been caused by their interaction with the Bounty representative after she had given birth. It was deemed more likely that these communications were the result of her original signing-up to Bounty in April 2017. However, whilst some information was provided by the Claimant when she first signed up, other information held by Bounty included information about the child, such as name, gender and date of birth, which was not provided when she first signed up.

The judgement

The Claimants were seeking a declaration and damages from both the Trust and Bounty for alleged breaches of the DPA and misuse of private information. The claim against the Trust was limited to allowing Bounty to access the ward and medical records and thereby enabling Bounty to collect and ultimately distribute personal data and private information.

Whilst the Trust did not dispute that it had a commercial relationship with Bounty, it disputed that the private information was obtained by the Bounty representative in the hospital, contending instead that it was provided voluntarily by the Claimant when she first signed up to the App.

On balance, the Court agreed that it is likely that the Bounty representative had obtained some information from the documents at the end of the bed. However, while some documents were kept at the end of the bed, such as the feeding chart, the High Court found that the Claimant’s medical records were not included in these documents. It dismissed the claim for misuse of private information on the basis that the data was obtained without the Trust’s consent or knowledge, and also because the data obtained was too trivial to constitute private information.

Also, the Trust was found not to have acted unlawfully by making the documents necessary for the care and treatment of the Claimant available to the Claimant and other members of staff. In no sense could such acts of the Trust be regarded as making those documents available to the Bounty representative.

The Trust “is not liable for the unauthorised (and unlawful) acts of the Bounty representative.” The claim for breach of the DPA was dismissed with the judge noting that “to avoid liability on this ground, all patient data would have to be strictly withheld. Presumably, a new mother would have to ask to be provided with the feeding chart, complete it, and then have it collected back and returned to secure storage.”

Whilst the Court acknowledged that the dismissal of the claim will be a disappointment for the family, it pointed out that the wrongdoer was Bounty and not the Trust.

  • Exemplary damages

Additionally, the Court addressed the claim for exemplary damages. These were not pressed during trial, but were included in the claim. Exemplary damages are also known as “retributory” or “vindictive” damages and aim to punish the wrongdoer and to discourage similar conduct in the future. The award of these damages is exceptional. The judge stated that a claim for exemplary damages should never have been included, as these are wholly exceptional, and that “it is never appropriate to add a claim for exemplary damages simply to mark how upset the claimant is about the defendant’s conduct, or as some sort of negotiating strategy.”

If you have any questions or would like assistance with your data protection compliance or your privacy policy, you can contact our Commercial & Technology team at: [email protected].