Contact a Lawyer

Significant judgment impacting misuse of private information claims under the Data Protection Act

26.05.2022 Publications

By Daniel Herbert

In Underwood & Another v Bounty UK Ltd & Another [2022] EWHC 888 (QB), the High Court of England and Wales dismissed claims for misuse of private information (MPI) and breach of the Data Protection Act 1998 of England and Wales (DPA). It held, inter alia, that unlawful access to personal data by a third party were actions of that third party and that responsibility for such unlawful processing was that of such third party.

The claimants were a mother (M) and child (C). The defendants were Bounty UK Ltd (Bounty) and Hampshire Hospitals NHS Foundation Trust (Trust).

Bounty and the Trust had a contractual relationship whereby Bounty was given access to new mothers on Trust premises. The contract provided that Bounty agreed to use information provided “in strict accordance with the Data Protection Act” but as observed by the judge, “Bounty’s business model was largely based upon harvesting data from expectant mothers in order to sell that data on to third parties”. One such expectant mother was M who claimed that a Bounty representative had obtained information about her and her new-born from the patient information sheets found at the bottom of her hospital bed.

In the hours after the birth, a Bounty employee visited C at her hospital bedside. During that visit, and without the permission of C and unknown to the First Claimant at that time, the Bounty employee read certain paperwork at the end of C’s bed, and obtained personal data of the new-born M.

Shortly after leaving hospital, C began receiving marketing communications and suspected that the cause of these was as a result of Bounty obtaining her personal data and selling it to third parties. Data subject access requests subsequently confirmed her suspicions.

M sought damages against Bounty and the Trust for breaches of the DPA and for the tort of MPI. Bounty subsequently entered administration and judgment in default was entered against it and alleged that the Trust had:

  • breached its duties by failing to take appropriate technical and organisational measures to prevent the unauthorised processing of and access to her personal data; and

 

  • committed acts rendering it liable to M in the tort of MPI.

 

Dismissing the claims against the Trust, the High Court held that:

  • the Trust had not breached its duty to establish and maintain appropriate technical and organisational measures to prevent unauthorised processing of M’s personal data in making available limited paperwork at M’s bedside as its presence was necessary for the Trust and its staff to discharge its duties.

 

  • Whilst the Trust had commercial arrangements with Bounty which included a Code of Conduct which emphasised the need to respect the privacy of each patient and adhere to DPA requirements. The Trust was not liable for the unauthorised (and unlawful) access by the Bounty employee to the limited documentation at the bedside.

 

  • the claim for MPI failed as the Trust had not “misused” the Claimant's personal data. The Judge held that it was insufficient to sustain a cause of action in MPI that the Trust permitted the Bounty representative to have access to M’s personal data. To the extent that there has been an unauthorised obtaining of private information relating to the M by the Bounty representative, the “the real wrongdoer here was Bounty and not [the trust]". 

 

  • Exemplary damages represent situations which are "wholly exceptional" and should never be used as a "negotiating strategy" or as a way of signalling the Claimant's level of upset.

 

The judgment will undoubtedly be welcomed by data controllers who have had limited guidance or examples in respect of what their obligations are since the introduction of the GDPR. Similarly governing and regulatory bodies will also welcome a decision in the hope that it may deter data subjects from making claims or complaints of a more vexatious nature in respect of their rights.

Although I would describe the judgment as a triumph for pragmatism, it should not be at all perceived as a means of alleviating a controller’s responsibility to protect the personal data that it processes and ensure that any processors engaged to process personal data on their behalf be subject to certain conditions regarding the processing of that data.

Disclaimer:
This document has been issued on the 26th May 2022 by Triay Lawyers Limited, trading as Triay Lawyers, a Gibraltar private company limited by shares with registered office at 28 Irish Town, Gibraltar, GX11 1AA and with incorporation number 112599. The information in this document is for general information purposes only and does not constitute professional advice, legal or otherwise and does not intend to be comprehensive. Triay Lawyers does not accept responsibility for any loss that may arise from accessing or relying upon the information contained in this document.

Recent Posts

Triay Welcome Three Trainee Lawyers

Triay are delighted to announce that , Kayleigh-Anne Revagliatte-CĂ©line Bolanos and Johnluis Pitto have joined Triay Lawyers Ltd as part of our latest cohort of Trainee Lawyers.

Triay Lawyers Ltd becomes the latest Strategic Partner to join CWEIC

The role of CWEIC is to use the convening power and trusted network of the Commonwealth, which is led by Her Majesty The Queen, to drive trade and investment.

Independent Audits

By Helen Murphy

When was the last time the compliance function of your financial business was independently audited? Did you know that there is an expectation by the GFSC for an audit to take place at le

Triay Lawyers secures arrest and sale of M/Y AXIOMA

Triay Lawyers secures arrest and sale of M/Y AXIOMA

Fintech Laws and Regulations Gibraltar

ICLG Fintech Laws and Regulations Gibraltar Chapter covers a broad overview of common issues in fintech law and regulation.

Why Take up Residence in Gibraltar?

By Helen Murphy

Gibraltar offers compelling tax advantages for High Net Worth Individuals via the opportunity to take-up Category 2 or High Executive Possessing Specialist Skills (HEPSS) status. Category 2 &

Categories

Similar Articles

Independent Audits

By Helen Murphy

When was the last time the compliance function of your financial business was independently audited? Did you know that there is an expectation by the GFSC for an audit to take place at le

Fintech Laws and Regulations Gibraltar

ICLG Fintech Laws and Regulations Gibraltar Chapter covers a broad overview of common issues in fintech law and regulation.

A LEADING INDEPENDENT GIBRALTAR
LAW FIRM WITH A REPUTATION FOR
LEGAL EXCELLENCE SINCE 1905

Tria & Triay Logo