16 May 2022 | 5 minute read

Important High Court judgment impacting the viability of data breach and misuse of private information claims - Underwood v Bounty

On 13 April 2022, the High Court handed down judgment in Underwood & Another v Bounty UK Ltd & Another [2022] EWHC 888 (QB), dismissing claims for misuse of private information (MPI) and breach of the Data Protection Act 1998 (DPA), holding that:

  • A person’s name, gender and date of birth are not information of a level of seriousness to engage the tort of MPI; and
  • The availability of paperwork for inspection did not constitute the making available of the data within it. The unlawful access to such data by a third party were actions of that third party, acting as a data controller, and to whom responsibility for such unlawful processing therefore attached.

Background

The First and Second Claimant were a mother and child. The First Defendant was Bounty UK Ltd (Bounty), a company providing pregnancy and parenting support services, alongside a data broking service.

Bounty had obtained the First Claimant’s personal data when she signed up to their services in April 2017. On 16 October 2017, the First Claimant gave birth to the Second Claimant at a hospital operated by Hampshire Hospitals NHS Foundation Trust (Trust).

In the hours after the birth, a Bounty employee visited the First Claimant at her hospital bedside. During that visit, without the permission of the First Claimant and unknown to the First Claimant at that time, the Bounty employee read certain paperwork at the end of the First Claimant’s bed, and obtained personal data of the new-born Second Claimant.

Shortly after leaving hospital, the First Claimant began receiving marketing communications and suspected that these were the result of Bounty obtaining her personal data and selling it to third parties. Data subject access requests subsequently confirmed her suspicions [1].

Claim

On 27 August 2020, proceedings were issued in the High Court in which the Claimants sought damages against Bounty and the Trust for breaches of the DPA 1998 and for the tort of MPI. Bounty subsequently entered administration and judgment in default was entered against it.

As against the Trust, the Claimants alleged it had i) breached the seventh Data Protection Principle by failing to take appropriate technical and organisational measures to prevent the unauthorised processing of and access to the Claimants' personal data, and ii) that it had committed acts rendering it liable to the Claimants in the tort of MPI. Claims for exemplary damages against the Trust were also pursued.

Decision

Dismissing the claims against the Trust, the Judge held:

  1. the Trust had not breached DPP7 in making available limited paperwork at the First Claimant’s bedside – its presence was necessary for the Second Defendant and its staff to discharge its duties. The Trust had commercial arrangements with Bounty which included a Code of Conduct which emphasised the need to respect the privacy of each patient and adhere to DPA 1998 requirements. The Trust was not liable for the unauthorised (and unlawful) access by the Bounty employee to the limited documentation at the bedside.
  2. the claim for MPI failed as the Trust had not “misused” the Claimant's personal data. The Judge held that it was insufficient to sustain a cause of action in MPI that the Second Defendant permitted the Bounty representative to have access to the Claimants. To the extent that there has been an unauthorised obtaining of private information relating to the Claimants by the Bounty representative, the Trust was more wronged against than wrongdoer. Further, even if the Claimants had established that the Trust was liable under the MPI tort for Bounty acquiring information about them, the information obtained was trivial. Had the claim not failed on other grounds, it would have failed the de minimis [2] test in any event.
  3. the claim for exemplary damages against the Trust should never have been included. Exemplary damages represent situations which are "wholly exceptional" and should never be used as a "negotiating strategy" or as a way of signalling the Claimant's level of upset.

Important takeaways from the Judgment

  • A data breach or MPI claim in which only the data subject’s (claimant’s) name, gender and date of birth is compromised is unlikely to exceed the de minimis threshold for damages, meaning any such claim is unviable.
  • Organisations may feel reassured that, when allowing third parties onto their premises, they will not be liable for any unlawful acts (as far as misuse of personal data is concerned) committed by such third parties, provided there are appropriate protections concerning the data protection obligations of the parties and those organisations adhere to the requirements of the General Data Protection Regulation 2016/679 and Data Protection Act 2018 [3].

Comment

The judgment makes for welcome reading for organisations that have robust data protection policies in place, and is another firm signal by the judiciary that claims for damages for alleged breaches of data protection legislation, and misuse of private information, where trivial data is concerned, will not be entertained.


[1] The personal data of the First Claimant had been obtained by Bounty when she signed up to their services in April 2017; however, the personal data of the Second Claimant had been obtained (it was held at trial) by the Bounty employee reviewing documentation at the First Claimant’s bedside, access to which (and no consent) had been given. The First Claimant also maintained that no consent had been given to receive marketing communications.
[2] We have written about the de minimis threshold in data breach / MPI claims previously, here and here.
[3] The reasoning here follows the Supreme Court’s decision in the Morrisons litigation, which we wrote about here.