Hospital Trust not liable for third party’s unauthorised use of patient data (Underwood v Bounty UK Ltd)

Information Law analysis: The High Court has rejected a claim that a Hospital Trust could be held responsible for a third party’s misuse of a new mother’s private information where there was no evidence the Trust was aware of, or otherwise contributed, to the commission of the third party’s breaches. The High Court was only concerned with a claim against the Trust as the first defendant who was principally response for the breach of the claimants’ data rights was insolvent. The case highlights the limits on claims for personal data breaches or misuse of private information where the responsibility alleged by reason of omission or the breach is inadvertent and trifling.

Underwood and another v Bounty UK Ltd and another [2022] EWHC 888 (QB)

What are the practical implications of this case?

This decision highlights the limits on claims framed under the tort of misuse of private information and civil claims framed by reference to breaches of data protection law.

The case serves as a reminder of the need to clearly identify a positive act or ‘use’ by a defendant to establish the tort of misuse of private information and the need to establish the materiality of any breach (non-trivial) before a remedy will be available.

The judge also noted the limited circumstances in which it will be appropriate to make a claim for exemplary damages.

What was the background?

The claim was brought by a mother for herself and as representative of her recently born son against the first defendant, Bounty UK Ltd, a commercial entity harvesting and selling to third parties the personal data of expectant and new mothers (Bounty); and against the second defendant, Hampshire Hospitals NHS Foundation Trust (the Trust) as the introducer of Bounty to the claimants and the holder of the claimants’ personal data and private information.

Bounty had contracts with the Trust whereby the Trust would provide Bounty access to maternity ward patients to enable Bounty to provide the expectant mothers with a maternity package and so as to provide Bounty the opportunity to ‘register’ expectant mothers in order to harvest their personal data.  Unknown to the Trust, Bounty intended to sell that data and failed to obtain informed consent before passing on the data.

The claim against Bounty

On 23 May 2019, Bounty responded to a subject access request submitted by Mrs Underwood, confirming that it held data relating to her (and her son) being: ‘her name, date of birth, child’s name, child’s gender, child’s date of birth, home address and email address’.  Bounty also confirmed that some, or all, of the data was shared with nine other companies. The Master Photographers Association had been provided with the first claimant’s name, postal and email addresses, due date, baby’s date of birth and baby’s gender.

On 9 April 2019, the Information Commissioner held in a decision that based upon the information provided by Bounty, any consent to retention and processing of data provided by data subjects was not informed, and the relevant data subjects could not have foreseen that their data would be shared with the third-party organisations.

Further, Bounty was found to have shared the personal data of over 14 million individuals to several organisations without informing those individuals that it might do so.

Thus, Bounty was found to have processed that personal data unfairly and without satisfying any processing condition under Schedule 2 to the Data Proptection Act 1998 (DPA 1998). The Information Commissioner imposed a financial penalty on Bounty of £400,000 pursuant to DPA 1998, s 55A for what was held to be a ‘serious contravention’ of the first data protection principle in DPA 1998, Sch 1.

Bounty went into administration and did not defend the claim resulting in a default judgment against it.  The claim continued solely in relation to the Trust.

The claim against the Trust

The claim against the Trust focused on a visit to the ward by a photographer who introduced herself as a Bounty representative and tried to convince Mrs Underwood to have a picture with her husband and newly born son. The evidence was that the photographer made an aggressive bed-side sale pitch and consulted what the court found to be a feeding chart left by Trust staff at the end of Mrs Underwood’s bed.

Mrs Underwood had been in labour for 102 hours and understandably objected to the intrusion and refused to have her photo taken.

The question for the court was whether the Trust could be held responsible for the actions of the photographer in intruding on Mrs Underwood’s privacy and accessing her and her son’s personal data held on the feeding chart.  It was not contended that the Trust was vicariously or otherwise responsible for the photographer’s actions.

What did the court decide?

The judge noted that:

‘no claim is made that there was a deliberate act of disclosure of the Claimants’ private information by the [Trust], the Claimants’ claim depends on demonstrating a culpable omission by the [Trust].’

That omission was said to be the Trust failing to prevent the photographer from reading the feeding chart.

The court dismissed the claim framed under the DPA 1998.  The Trust did not authorise or allow her to access the feeding chart.  The Court found that the Trust could not be held responsible for the photographer’s unlawful conduct.

Further, the court held that the steps the claimant claimed were necessary to protect the quite limited personal data held on the feeding charts was disproportionate to the risk of unauthorised disclosure particularly given the need to have the chart readily available to treat the mother and child in an emergency.

The court also dismissed the misuse of private information.

The court found that the tort requires a misuse and that the notion of ‘use’ carries with it the implication of a positive act quoting Warren v DSG Retail Ltd [2021] EMLR 25:

‘[27] I accept that a ‘misuse’ may include unintentional use, but it still requires a ‘use’: that is, a positive action. In the language of art.8 ECHR (the basis for the MPI tort), there must be an ‘interference’ by the defendant, which falls to be justified. I have not overlooked the Claimant’s argument that the conduct of DSG was ‘tantamount to publication’. Although it was attractively presented, I do not find it persuasive. If a burglar enters my home through an open window (carelessly left open by me) and steals my son’s bank statements, it makes little sense to describe this as a ‘misuse of private information’ by me.  Recharacterising my failure to lock the window as “publication” of the statements is wholly artificial. It is an unconvincing attempt to shoehorn the facts of the data breach into the tort of MPI.’

The judge opined that even if the claim under the tort of misusing private information was well-founded, he would nevertheless have found that the information misused was too trivial to warrant the grant of a remedy. After all, Mrs Underwood had voluntarily provided significant information to Bounty and the additional information contained on the feeding chart was very limited.

The judge noted that Bounty was the real cause of the claimant’s distress and that the claims against the Trust were not well founded.

The judge opined that the claim for exemplary damages should not have been brought against the Trust as such claims are available only in exceptional circumstances and the basis of any such claim should be pleaded clearly based on available evidence or the evidence likely to be available at trial.

Case details

• Court: High Court
• Judge: Mr Justice Nicklin
• Date of judgment: 13 April 2022

Article by Lauren Godfrey – first published by Lexis PSL