Data Protection Bounty Hunters
This article considers a High Court claim after patient records at the foot of a hospital bed were inappropriately accessed by a third party.
It also briefly looks at vicarious liability of employers in connection with accessing sensitive data and hopefully provides some reassurance to organisations.
In Underwood & Another v Bounty UK Ltd & Another [2022] EWHC 888 (QB), a mother and child brought claims for the misuse of private information (MPI) and breach of the Data Protection Act 1998 (DPA) against Bounty UK Ltd (Bounty) and Hampshire Hospitals NHS Foundation Trust (Trust). Bounty operated a data broking service and provided pregnancy and parenting support services. Bounty had arrangements in place with the Trust which permitted them access to new mothers and enabled them to lawfully collect contact details for the purposes of distributing information related to pregnancy and parenting. This was on the basis that privacy of patients was respected and the requirements contained in the DPA were adhered to.
Ms Underwood alleged that in October 2017 when she gave birth to her child at a hospital operated by the Trust, a representative of Bounty (with whom she had signed up for services earlier that year) visited her in hospital and accessed patient data sheets located at the end of her hospital bed. She claimed the Bounty representative had accessed information about her and her new-born child without permission and unlawfully processed their personal data. She alleged that the Trust was also responsible for this by failing to take appropriate measures to prevent the unauthorised access to / processing of the data.
A claim was issued against Bounty and the Trust seeking damages for breach of the DPA and for the tort of MPI. Judgment in default was obtained against Bounty after the company entered into administration. Prior to that, Bounty had been fined £400,000 by the ICO for unfair data sharing following investigations into its data processing operations. The claim against the Trust proceeded to trial, but subsequently failed.
The High Court held that the Trust could not be found liable for a breach of the DPA purely because they had made documents relating to the care and treatment of the claimants available for use by Trust staff, which was necessary and practical for staff to be able to perform their duties. By leaving hospital notes at the foot of the bed, the Trust did not make the data in the documents available to Bounty, rather the Bounty representative accessed them without consent. Bounty was therefore responsible for the unlawful processing of the data - and did so without the Trust's knowledge. The Trust was not liable for the wrongdoing committed by the Bounty representative and the judge commented that the claim should never have been made against the Trust.
The MPI claim against the Trust was also dismissed. The personal data had been obtained by Bounty without the Trust's knowledge and it was not sufficient that the Trust had permitted Bounty access to the claimants. In any event, it was found that the data in question (name, gender and date of birth) was not of a sufficiently serious nature to engage the tort of MPI - ie the MPI claim was not viable as it did not pass the 'de minimis' threshold for damages to be awarded. This is of particular interest given that it is common to see opportunistic claims arising from data incidents involving this kind of trivial personal information.
The above is another example of a 'turn in the tide' in data protection litigation, moving from a landscape favouring claimants to one where claims for damages for data breaches relating to trivial data run the risk of not being entertained. We discuss this shift in more detail in our article on responding to data protection claims.
Accessing Sensitive Data
Ali v Luton Borough Council [2022] EWHC 132 (QB) is another case from earlier this year that is noteworthy to those dealing with sensitive data. The case involved a social worker employed by the Council who accessed a social care database to obtain sensitive information about the claimant which she then disclosed to the claimant's estranged husband (with whom she was in a relationship). The High Court held that the Council was not vicariously liable in the circumstances. By accessing the information in question, the social worker had gone off on a frolic of her own. Despite having access to the data through her employment, the act of accessing the records was not done for reasons connected to her role and she knew it was wrong to do so.
This stance was later mirrored in a Magistrates Court decision against a former health advisor, Christopher O'Brien. Mr O'Brien was prosecuted for unlawfully accessing the medical records of patients during the course of his employment at South Warwickshire NHS Foundation Trust, without any business need for him to do so. He viewed 14 patient records belonging to individuals personally known to him without his employer's knowledge or consent. He was found guilty of unlawfully obtaining data in breach of the Data Protection Act 2018 and ordered to pay compensation to each data subject affected.
Where Does This Leave Organisations?
These decisions should provide some comfort in that, provided appropriate protections are in place to protect personal data, and the requirements of the UK GDPR and Data Protection Act 2018 are adhered to, an organisation may not be liable for the unlawful obtaining or processing of personal data by an employee or third party. Having robust protections and policies in place is still of course vital though.
VWV has a wealth of experience and expertise in Information Law and regularly work for organisations on defending data and privacy claims such as this for clients.
