What’s this all about?
In the case of Pamela & Dominic Underwood (the latter being the child of the former) v. Bounty UK Limited & Hampshire Hospitals NHS Foundation Trust the UK High Court dismissed a data protection compensation claim for alleged failure to take appropriate technical and organisational measures. This article is a summary of the ruling and its implications.
Background
An individual and her son alleged that after the individual had given birth at a hospital falling within the Hampshire Hospitals NHS Foundation Trust (“the Trust”) in October 2017 the individual was approached by a representative of Bounty UK Limited (“Bounty”), a pregnancy and parenting support company that provided various services at the Trust (through a commercial arrangement). The individual and her son alleged that during their encounter with the Bounty representative, personal data relating to the son was obtained without permission from medical notes at the foot of the individual’s antenatal ward hospital bed.
Bounty also operated a data broking service, providing hosted marketing on behalf of third parties and (until 30 April 2018) it supplied data to third parties for the purpose of electronic direct marketing. Separate to this court case, the way that Bounty collected and processed data was investigated by the UK’s data protection regulator the Information Commissioner (“ICO”) in 2017-2018. In 2019 the ICO held that any consent to retention and processing of data provided by data subjects was not informed and the relevant data subjects could not have foreseen that their data would be shared with the third-party organisations – Bounty was found to have shared the personal data of over 14 million individuals to several organisations without informing those individuals that it might do so. As a result, Bounty was found to have processed that personal data unfairly and without satisfying any processing condition under the pre-GDPR UK data protection regime. As a consequence the ICO fined Bounty £400,000, which in effect ended the business.
Through a Subject Access Request in 2019 the individual obtained confirmation that Bounty held certain personal data on her and her son much of which it was also confirmed had been shared with third-party companies/organisations.
The individual and her son brought legal proceedings, claiming damages, alleging that the Trust had breached several of the so-called data protection principles under the pre-GDPR UK data protection regime by (through culpable omission) granting Bounty access to the antenatal ward with the consequence that Bounty staff could obtain private information about the individual and her son; a misuse of private information claim was also made.
What did the court rule?
The court ruled as follows:
• In no sense could the acts of the Trust, in making available to the individual and other members of the Trust’s staff documents necessary for the care and treatment of the individual and her son, be regarded as making those documents available to the Bounty representative (or generally). The Bounty representative had simply acted inappropriately (and probably unlawfully) by looking at those documents. So the Trust was not liable for the unauthorised (and unlawful) acts of the Bounty representative;
• Any access to data by the Bounty representative during the encounter in the hospital was unauthorised. The Bounty representative was not processing data authorised by the Trust and in respect of any processing by Bounty the Trust was not liable as a data controller;
• The claim of the individual and her son for a breach of the so-called Seventh Data Protection Principle (under the pre-GDPR UK data protection regime), namely an alleged failure to take appropriate technical and organisational measures to prevent unauthorised processing of (or access to) the personal data of the individual and her son was dismissed. The medical records of the individual and her son were kept in the ward office. Insofar as personal data was contained in forms that were available at the bedside of the individual, then inclusion of that limited data was necessary for the Trust and its staff to discharge its duties. The commercial arrangements between the Trust and Bounty did allow access to the wards, but this access was to be exercised by Bounty representatives in accordance with the need to respect the privacy of each patient and to abide by the requirements of the pre-GDPR UK data protection regime;
• As the judge also said: ‘A functioning hospital cannot do its job without making available at least some limited data about patients. Unavoidably, some of that data may come into the hands of third parties. For example, a notice may be placed above a patient’s bed warning of an antibiotic intolerance. A nurse administering medication may (as part of a failsafe) ask for a patient’s name and date of birth to ensure that the correct medication is being provided, in circumstances where a visitor with a neighbouring patient may overhear that information. Obviously, the hospital authorities would take steps to prevent people collecting and recording this information if such activities came to their attention. But the decision whether a data controller has taken “appropriate technical and organisational measures… against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (Seventh Data Protection Principle), is fact sensitive and requires a sensible accommodation of these various rights and interests’;
• The judge also further said: ‘I have no hesitation in rejecting the complaint that the [Trust] has breached the Seventh Data Protection Principle by failing to prevent the Bounty employee from reading the NIPE [New Infant Physical Examination Form] and/or feeding chart. One only needs to consider the alternative to see why the [individuals and her son’s] argument must be rejected. To avoid liability on this ground, all patient data would have to be strictly withheld. Presumably, a new mother would have to ask to be provided with the feeding chart, complete it, and then have it collected back and returned to secure storage. It seems to me to follow from [one of the witness’s] submission that plain words on a notice warning of a patient’s antibiotic intolerance would perhaps have to be replaced with some code intelligible only to staff. The inconvenience and risk, were it necessary for such steps to be taken to avoid liability under the Seventh Data Protection Principle, demonstrate that such measures are neither appropriate nor necessary’.
Takeaways
This ruling continues a current trend of compensation claims for alleged breach of data protection rules being thrown out by courts in the UK.
This case is also a clear reminder that data protection rules cover hard-copy data, i.e. data security is not just about electronic data. Many data breach matters occur because of a failure to keep hard-copy data secure.
Finally, although the court applied a practical, commonsense and level-headed approach to the issue of technical and organisational measures (TOMs) to the facts of this case, organisations should always make sure that they have top-level TOMs in place to keep personal data secure.
Resources
We have written about data protection compensation claims including here: https://www.corderycompliance.com/ali-v-luton-rogue-employee/ & here https://www.corderycompliance.com/dp-infringement-stadler-currys/ & here https://www.corderycompliance.com/damages-minor-dp-infringement/ & here https://www.corderycompliance.com/lloyd-v-google-ruling/.
We report on data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The court’s ruling can be found here: https://www.bailii.org/ew/cases/EWHC/QB/2022/888.html
We report about compliance issues here: https://www.corderycompliance.com/news/
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 | |
| Jonathan.armstrong@corderycompliance.com | Andre.bywater@corderycompliance.com | |
 |
 |