The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

Like Taking Candy from a Baby

29 April 2022

Underwood & anor v Bounty UK Ltd & Hampshire Hospitals NHS Foundation Trust [2022] EWHC 888 (QB)

The High Court has handed down an interesting judgment which continues a series of decisions holding that where Party A obtains unauthorised access to information held by Party B, Party B will not be held liable for the actions of Party A.

The claim was brought by a mother and her baby (the Underwoods) against Bounty UK Ltd and Hampshire NHS Foundation Trust.  Bounty was a company that, under a contractual arrangement with this NHS Trust (amongst others), would enter the Trust’s premises and offer pregnancy and parenting support services to new and expecting mothers, as well as photography services.  Personal data would be obtained, ostensibly, for the provision of these services.  It also operated a less-known data brokerage operation, selling data it had obtained to third parties.  To that end, Bounty had previously been fined £400,000 by the ICO for a “serious breach” of the first data protection principle.

The Underwoods brought a claim against the Trust for breaches of the Data Protection Act 1998, as well as for misuse of private information (MoPI), on the basis that the Trust had allowed the Bounty representative “to access the ward and the medical records, thus enabling [Bounty] to collect and ultimately distribute the [Claimants’] Private Information“.

Nicklin J found that whilst the majority of the medical records were securely stored, a limited number of documents containing personal information was left at the foot of the mother’s bed in the ward. They were accessed by a Bounty employee. The Judge held, however, that it was necessary for the records accessed by the Bounty employee to be available in the ward for the provision of medical care. 

The Judge concluded that by placing limited medical records at the end of mother’s bed the Trust had not disseminated or otherwise made available the data contained in those documents to Bounty or others.  In addition, the placing of the limited medical records in the ward did not breach of the seventh data protection principle (which requires a data controller has taken “appropriate technical and organisational measures… against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data“), since they were necessary for the provision of healthcare services.

The Judge also dismissed the MoPI claim. Applying the recent case of Warren v DSG Retail Ltd [2021] EWHC 2168, he held that merely permitting access to the Underwoods could not amount to ‘misuse’ of information. In any event the Judge held that, even if he was wrong, and access in this context amounted to misuse, the information obtained by Bounty (the baby’s name, gender and date of birth) was so trivial that its misuse would fail to reach a level of seriousness to engage the tort of MoPI. 

Finally, the Judge noted that a claim for exemplary damages, as had been brought by the Underwoods, would be made out rarely, and certainly shouldn’t be used as a way of demonstrating a claimant’s displeasure about the defendant’s conduct.

The Court’s emphatic conclusions on the DPA claim and MoPI claim will be of relief to data controllers who have taken requisite measures to secure information and that information is later obtained and abused by third parties.

Further reading

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)