Is the High Court’s decision in Underwood v Bounty UK Ltd and Hampshire Hospitals NHS Foundation Trust further evidence of the reduction in scope for data protection liability? The decision follows the hearing of the claimants’ claims for misuse of private information and alleged breaches of the Data Protection Act 1998 (DPA).
Back in 2019, the Information Commissioner found that Bounty (a pregnancy and parenting support club) had processed personal data unfairly and without satisfying any processing condition under Schedule 2 to the DPA. The ICO imposed a fine on Bounty of £400,000 for what was held to be a “serious contravention” of the first data protection principle in Schedule 1 to the DPA.
In this case, Bounty and Hampshire Hospitals NHS Trust had a contractual relationship whereby Bounty was given access to new mothers on Trust premises. The contract provided that Bounty agreed to use information provided “in strict accordance with the Data Protection Act” but as observed by the judge, “Bounty’s business model was largely based upon harvesting data from expectant mothers in order to sell that data on to third parties”. One such expectant mother was Mrs Underwood who claimed that a Bounty representative had obtained information about her and her new-born from the patient information sheets found at the bottom of her hospital bed. Mrs Underwood obtained judgment in default against Bounty in November 2020 as it fell into administration.
Mrs Underwood’s case against the NHS Trust was that it had made her private information available to Bounty – and it did so through its arrangements with Bounty and that information was available in the feeding charts and other notes found at the bottom of her hospital bed. The Trust denied any failure to take appropriate technical and organisational measures to prevent unauthorised processing of (or access to) Mrs Underwood’s personal data covered under seventh data protection principle. The judge accepted the Trust’s position and rejected Mrs Underwood’s claim - finding that the limited information available from the charts was necessary for the hospital staff to discharge their duties and for the hospital to function.
The judge also dismissed the claim for misuse of private information, commenting that the information had been obtained without the NHS Trust’s consent or knowledge but also that the information obtained was “trivial” and amounted only to the name, gender and date of birth of Mrs Underwood’s baby. The judge explained that for the claim to be “actionable for misuse of personal information, the information must reach a level of seriousness before the tort is engaged”. The judge’s comments will be of wider interest to data protection professionals. It is also worth noting that while the decision was made under the old regime, it is likely that the same will apply under the new regime.
And on a final note, it is worth noting the judge’s comments on the claim for exemplary damages:
“…the claim for exemplary damages ought never to have been included against the Second Defendant [Hampshire Hospitals NHS Foundation Trust]…Claims for exemplary damages are wholly exceptional. The cases in which such damages can properly be claimed are very few; those in which they are awarded fewer still. It is never appropriate to add a claim for exemplary damages simply to mark how upset the claimant is about the defendant's conduct, or as some sort of negotiating strategy.”