Significant judgment impacting misuse of private information claims under the Data Protection Act

In Underwood & Another v Bounty UK Ltd & Another [2022] EWHC 888 (QB), the High Court of England and Wales dismissed claims for misuse of private information (MPI) and breach of the Data Protection Act 1998 of England and Wales (DPA). It held, inter alia, that unlawful access to personal data by a third party were actions of that third party and that responsibility for such unlawful processing was that of such third party.

The claimants were a mother (M) and child (C). The defendants were Bounty UK Ltd (Bounty) and Hampshire Hospitals NHS Foundation Trust (Trust).

Bounty and the Trust had a contractual relationship whereby Bounty was given access to new mothers on Trust premises. The contract provided that Bounty agreed to use information provided “in strict accordance with the Data Protection Act” but as observed by the judge, “Bounty’s business model was largely based upon harvesting data from expectant mothers in order to sell that data on to third parties”. One such expectant mother was M who claimed that a Bounty representative had obtained information about her and her new-born from the patient information sheets found at the bottom of her hospital bed.

In the hours after the birth, a Bounty employee visited C at her hospital bedside. During that visit, and without the permission of C and unknown to the First Claimant at that time, the Bounty employee read certain paperwork at the end of C’s bed, and obtained personal data of the new-born M.

Shortly after leaving hospital, C began receiving marketing communications and suspected that the cause of these was as a result of Bounty obtaining her personal data and selling it to third parties. Data subject access requests subsequently confirmed her suspicions.

M sought damages against Bounty and the Trust for breaches of the DPA and for the tort of MPI. Bounty subsequently entered administration and judgment in default was entered against it and alleged that the Trust had:

• breached its duties by failing to take appropriate technical and organisational measures to prevent the unauthorised processing of and access to her personal data; and

• committed acts rendering it liable to M in the tort of MPI.

Dismissing the claims against the Trust, the High Court held that:

• the Trust had not breached its duty to establish and maintain appropriate technical and organisational measures to prevent unauthorised processing of M’s personal data in making available limited paperwork at M’s bedside as its presence was necessary for the Trust and its staff to discharge its duties.

• Whilst the Trust had commercial arrangements with Bounty which included a Code of Conduct which emphasised the need to respect the privacy of each patient and adhere to DPA requirements. The Trust was not liable for the unauthorised (and unlawful) access by the Bounty employee to the limited documentation at the bedside.

• the claim for MPI failed as the Trust had not “misused” the Claimant's personal data. The Judge held that it was insufficient to sustain a cause of action in MPI that the Trust permitted the Bounty representative to have access to M’s personal data. To the extent that there has been an unauthorised obtaining of private information relating to the M by the Bounty representative, the “the real wrongdoer here was Bounty and not [the trust]". 

• Exemplary damages represent situations which are "wholly exceptional" and should never be used as a "negotiating strategy" or as a way of signalling the Claimant's level of upset.

The judgment will undoubtedly be welcomed by data controllers who have had limited guidance or examples in respect of what their obligations are since the introduction of the GDPR. Similarly governing and regulatory bodies will also welcome a decision in the hope that it may deter data subjects from making claims or complaints of a more vexatious nature in respect of their rights.

Although I would describe the judgment as a triumph for pragmatism, it should not be at all perceived as a means of alleviating a controller’s responsibility to protect the personal data that it processes and ensure that any processors engaged to process personal data on their behalf be subject to certain conditions regarding the processing of that data.