In Underwood & Another v Bounty UK Ltd & Another  EWHC 888 (QB), the High Court of England and Wales dismissed claims for misuse of private information (MPI) and breach of the Data Protection Act 1998 of England and Wales (DPA). It held, inter alia, that unlawful access to personal data by a third party were actions of that third party and that responsibility for such unlawful processing was that of such third party.
The claimants were a mother (M) and child (C). The defendants were Bounty UK Ltd (Bounty) and Hampshire Hospitals NHS Foundation Trust (Trust).
Bounty and the Trust had a contractual relationship whereby Bounty was given access to new mothers on Trust premises. The contract provided that Bounty agreed to use information provided “in strict accordance with the Data Protection Act” but as observed by the judge, “Bounty’s business model was largely based upon harvesting data from expectant mothers in order to sell that data on to third parties”. One such expectant mother was M who claimed that a Bounty representative had obtained information about her and her new-born from the patient information sheets found at the bottom of her hospital bed.
In the hours after the birth, a Bounty employee visited C at her hospital bedside. During that visit, and without the permission of C and unknown to the First Claimant at that time, the Bounty employee read certain paperwork at the end of C’s bed, and obtained personal data of the new-born M.
Shortly after leaving hospital, C began receiving marketing communications and suspected that the cause of these was as a result of Bounty obtaining her personal data and selling it to third parties. Data subject access requests subsequently confirmed her suspicions.
M sought damages against Bounty and the Trust for breaches of the DPA and for the tort of MPI. Bounty subsequently entered administration and judgment in default was entered against it and alleged that the Trust had:
Dismissing the claims against the Trust, the High Court held that:
The judgment will undoubtedly be welcomed by data controllers who have had limited guidance or examples in respect of what their obligations are since the introduction of the GDPR. Similarly governing and regulatory bodies will also welcome a decision in the hope that it may deter data subjects from making claims or complaints of a more vexatious nature in respect of their rights.
Although I would describe the judgment as a triumph for pragmatism, it should not be at all perceived as a means of alleviating a controller’s responsibility to protect the personal data that it processes and ensure that any processors engaged to process personal data on their behalf be subject to certain conditions regarding the processing of that data.
This document has been issued on the 26th May 2022 by Triay Lawyers Limited, trading as Triay Lawyers, a Gibraltar private company limited by shares with registered office at 28 Irish Town, Gibraltar, GX11 1AA and with incorporation number 112599. The information in this document is for general information purposes only and does not constitute professional advice, legal or otherwise and does not intend to be comprehensive. Triay Lawyers does not accept responsibility for any loss that may arise from accessing or relying upon the information contained in this document.
When was the last time the compliance function of your financial business was independently audited? Did you know that there is an expectation by the GFSC for an audit to take place at le