Contact a Lawyer

Significant judgment impacting misuse of private information claims under the Data Protection Act

26.05.2022 Publications

By Daniel Herbert

In Underwood & Another v Bounty UK Ltd & Another [2022] EWHC 888 (QB), the High Court of England and Wales dismissed claims for misuse of private information (MPI) and breach of the Data Protection Act 1998 of England and Wales (DPA). It held, inter alia, that unlawful access to personal data by a third party were actions of that third party and that responsibility for such unlawful processing was that of such third party.

The claimants were a mother (M) and child (C). The defendants were Bounty UK Ltd (Bounty) and Hampshire Hospitals NHS Foundation Trust (Trust).

Bounty and the Trust had a contractual relationship whereby Bounty was given access to new mothers on Trust premises. The contract provided that Bounty agreed to use information provided “in strict accordance with the Data Protection Act” but as observed by the judge, “Bounty’s business model was largely based upon harvesting data from expectant mothers in order to sell that data on to third parties”. One such expectant mother was M who claimed that a Bounty representative had obtained information about her and her new-born from the patient information sheets found at the bottom of her hospital bed.

In the hours after the birth, a Bounty employee visited C at her hospital bedside. During that visit, and without the permission of C and unknown to the First Claimant at that time, the Bounty employee read certain paperwork at the end of C’s bed, and obtained personal data of the new-born M.

Shortly after leaving hospital, C began receiving marketing communications and suspected that the cause of these was as a result of Bounty obtaining her personal data and selling it to third parties. Data subject access requests subsequently confirmed her suspicions.

M sought damages against Bounty and the Trust for breaches of the DPA and for the tort of MPI. Bounty subsequently entered administration and judgment in default was entered against it and alleged that the Trust had:

  • breached its duties by failing to take appropriate technical and organisational measures to prevent the unauthorised processing of and access to her personal data; and

 

  • committed acts rendering it liable to M in the tort of MPI.

 

Dismissing the claims against the Trust, the High Court held that:

  • the Trust had not breached its duty to establish and maintain appropriate technical and organisational measures to prevent unauthorised processing of M’s personal data in making available limited paperwork at M’s bedside as its presence was necessary for the Trust and its staff to discharge its duties.

 

  • Whilst the Trust had commercial arrangements with Bounty which included a Code of Conduct which emphasised the need to respect the privacy of each patient and adhere to DPA requirements. The Trust was not liable for the unauthorised (and unlawful) access by the Bounty employee to the limited documentation at the bedside.

 

  • the claim for MPI failed as the Trust had not “misused” the Claimant's personal data. The Judge held that it was insufficient to sustain a cause of action in MPI that the Trust permitted the Bounty representative to have access to M’s personal data. To the extent that there has been an unauthorised obtaining of private information relating to the M by the Bounty representative, the “the real wrongdoer here was Bounty and not [the trust]". 

 

  • Exemplary damages represent situations which are "wholly exceptional" and should never be used as a "negotiating strategy" or as a way of signalling the Claimant's level of upset.

 

The judgment will undoubtedly be welcomed by data controllers who have had limited guidance or examples in respect of what their obligations are since the introduction of the GDPR. Similarly governing and regulatory bodies will also welcome a decision in the hope that it may deter data subjects from making claims or complaints of a more vexatious nature in respect of their rights.

Although I would describe the judgment as a triumph for pragmatism, it should not be at all perceived as a means of alleviating a controller’s responsibility to protect the personal data that it processes and ensure that any processors engaged to process personal data on their behalf be subject to certain conditions regarding the processing of that data.

Disclaimer:
This document has been issued on the 26th May 2022 by Triay Lawyers Limited, trading as Triay Lawyers, a Gibraltar private company limited by shares with registered office at 28 Irish Town, Gibraltar, GX11 1AA and with incorporation number 112599. The information in this document is for general information purposes only and does not constitute professional advice, legal or otherwise and does not intend to be comprehensive. Triay Lawyers does not accept responsibility for any loss that may arise from accessing or relying upon the information contained in this document.

Recent Posts

Triay Lawyers announce the appointment of a new Director

Triay Lawyers is delighted to announce the appointment of Javi Triay as a Director of the law firm (previously known as a Partner appointment).

The draft Bill for a new Gambling Act

HMGoG has issued the Command Paper on the draft Bill to replace the Gambling Act 2005.

Significant judgment impacting misuse of private information claims under the Data Protection Act

By Daniel Herbert

In Underwood & Another v Bounty UK Ltd & Another [2022] EWHC 888 (QB), the High Court of England and Wales dismissed claims for misuse of private information

Update in Parliament in respect of the Co-Ownership Housing Estates

By Daniel Herbert

On Monday 16th May 2022, the Honourable Steven Linares MP provided an succinct update in Parliament on the construction of the Co-Ownership Housing Estates.

Director Jay Gomez appointed to form part of a Working Policy Group for the Government

Director Jay Gomez has been appointed to participate on a working policy group by Minister Albert Isola Minister for Digital and Financial Services, the working group has been asked to advise

New AIFMD dual regime for funds puts Gibraltar on a level playing field with non-EU jurisdictions

Her Majesty’s Government of Gibraltar (“HMGoG”) has today published legislation that creates Gibraltar’s dual regime for experienced investor funds (“EIFs”).

Categories

Similar Articles

Significant judgment impacting misuse of private information claims under the Data Protection Act

By Daniel Herbert

In Underwood & Another v Bounty UK Ltd & Another [2022] EWHC 888 (QB), the High Court of England and Wales dismissed claims for misuse of private information

Hedgeweek’s Gibraltar in Focus 2022

Triay Lawyers Director Jay Gomez and Associate Javi Triay have been featured in Hedgeweek’s Gibraltar in Focus 2022. Hedgeweek is one of the largest publications providing news to funds and

A LEADING INDEPENDENT GIBRALTAR
LAW FIRM WITH A REPUTATION FOR
LEGAL EXCELLENCE SINCE 1905

Tria & Triay Logo