Underwood v Bounty UK Ltd & Hampshire Hospitals NHS Trust [2022] EWHC 888 (QB)


Ms Underwood awoke on a post-natal ward, after a difficult labour lasting more than 100 hours and ending in an emergency caesarean, to a woman whom she assumed was part of the hospital’s maternity staff hovering at her bedside and looking at paperwork. In fact, the woman was an employee of a private company, Bounty UK Ltd, who had a contractual relationship with Hampshire Hospitals NHS Trust (“the Trust”) whereby, for a cash price, they were granted access to expectant mothers in the Trust’s hospitals and permitted to distribute “Bounty Packs” (containing information about products and services for new parents) and gather information with a view to using it for marketing purposes.

An investigation by the Information Commissioner (“ICO”) found that Bounty had shared tens of millions of personal data records with 39 organisations including Sky, Equifax Acxiom (a marketing agency) and others. Bounty’s fair processing notices gave no indication that they were sharing data in these ways. The ICO found that their conduct was a serious contravention of the first data protection principle (lawfulness, fairness and transparency) and fined them £400,000.

Ms Underwood was unaware of Bounty’s commercial purposes, though she had previously provided some personal information to Bounty by signing up via their app. Appalled at Bounty for invading her personal space on the ward, and at the Trust for allowing them to do so, Ms Underwood brought claims against both. Unfortunately (at least in so far as the availability of damages was concerned), Bounty went into administration on 3 November 2020 and did not participate in proceedings ([19]).

The Claims

Two claims were brought: one in tort for the misuse of private information, and another under statute for breaches of the Data Protection Act 1998 (“the DPA”). Each claim was against both Bounty and the Trust. The claim against the Trust was more limited, arising out of the allegation that it “Allowed [Bounty] access to the ward and the medical records, thus enabling [Bounty] to collect and ultimately distribute” the Underwood’s private information ([18]).

The Claimant established that the Trust had allowed the Bounty representative access to the Claimant along with her feeding chart, from which her new-born son’s name and gender were gleaned ([36]). The Bounty representative was also found to have obtained the baby’s date of birth in conversation with the Claimant during the visit ([38]). It was also suggested, but not made out, that the Bounty Representative had access to the Claimant’s medical records ([32]).

Nicklin J found that “it was obvious that [Bounty] representatives should not be looking at patient documents/records”, and that such conduct was not authorised by the Trust ([40]). The question was whether the Trust was nonetheless liable for the omission of failing to prevent the Bounty representative gaining access to the relevant documents ([41] and [29]).

The DPA Claim

The claim under the DPA depended on whether, by placing the feeding record at the end of the Claimant’s bed, the Trust had disseminated or otherwise made available the relevant data. While the case preceded the introduction of the GDPR, the questions would have been substantially the same as under the present law. This was a question on which there was no domestic authority ([43]). Finding that they had not ([49]), The Court held that:

“In no sense could the acts of [the Trust]’s staff, in making available to the Claimant and other members of [the Trust]’s staff documents necessary for the care and treatment of the Claimants, be regarded as making those documents available to Bounty or generally”.

Rather, the Bounty representative was “acting inappropriately (and probably unlawfully)” and the Trust was “not liable for the unauthorised (and unlawful) acts of the Bounty representative” ([45]).

An argument that the Trust had breached the seventh data protection principle, which requires appropriate technical and organisational measures for the protection of personal data to be taken, also failed. While the agreement between Bounty and the Trust allowed representatives ward access, this was to be in accordance with a code of conduct, which itself required compliance with the DPA; that the representative had not done this could not lead to liability on behalf of the Trust. The Trust had not “stood by” and allowed access to the Claimant’s data, but had made some limited data available by the bedside, which they were entitled to do for reasons of medical necessity. The balance between this need and the possibility third parties would obtain the data required “a sensible accommodation of these various rights and interests” ([46]-[48]).

The Tortious Claim

There was no dispute about the test to be applied for the tort of misuse of private information. A two stage test applies: (1) does the claimant have a reasonable expectation of privacy in the relevant information, and (2) if yes, is that outweighed by countervailing interests ([50]).

This claim was also dismissed ([54]) on the basis that a misuse requires a use. This can be an unintentional use, but cannot be an omission: there must be a positive use. This was a well-established rule, followed most recently by Saini J in Warren v DSG Retail Ltd [2021] EMLR 25. The Trust had not itself provided any information to Bounty, whose representative had taken it for herself.


Bounty, identified more than once by the Court as the real wrongdoer, went into administration having transferred their assets to another company, and leaving unsecured creditors (such as the Claimant, had she been able to obtain judgment against Bounty) with no recourse. On one view, this is a quite orthodox and proper result: the Bounty representatives are quintessential independent contractors, such that no question of vicarious liability on behalf of the Trust could arise.

The Trust’s conduct neither amounted to a tort nor a breach of the DPA, as it had required the Bounty representatives to keep within a code of conduct. That they had not done so was not a matter for which the Trust could be made liable.

And yet the outcome remains unsatisfactory. It rankles that the Trust were able to obtain the benefit of a commercial relationship with Bounty, but bore no responsibility for the conduct of its representatives, to whom they gave access to new parents at a time of significant medical vulnerability and personal stress.

Legally speaking, while the Court’s reasoning was for the most part straightforward in its application of both tortious principles and the DPA, the approach to the seventh data protection principle could perhaps have been otherwise. At [47], the Court accepted that “a functioning hospital cannot do its job without making available at least some limited data about patients” and observed that “obviously, the hospital authorities would take steps to prevent people collecting and recording this information”.

But at [48], the Court rejected that such measures could have been taken in this case, as they would have meant requiring documents to all be kept under lock and key, or written in cyphers only staff could understand. A contractual term requiring the Bounty representatives to abide by a code of conduct, even if this was not in practice enforced by Bounty (at least on this occasion) was sufficient.

With respect, this was not the only approach the court could have taken. It assumes there is no middle ground between blindly trusting a code of conduct, and measures such as cyphering. The reality is that Bounty, who were fined £400,000 by the ICO for widespread bad practice with personal data, apparently could not be trusted to abide by their code of conduct. It would have been open to the Court to consider whether the lack of any organisational measures relating to, for example, the training of external staff permitted ward access, was a breach of the seventh data protection principle.

It does not seem outlandish that if the Trust is to extract financial gain from allowing external, commercially motivated third parties to access new parents, it should shoulder some of the burden of making sure that this is done sensitively and in compliance with the law. Even if this cannot be done by means of vicarious liability, there is no reason a more limited obligation could not arise now under Art. 5(f) of the UK GDPR (replacing what was then the seventh data protection principle), which requires that data is “processed in a manner that ensures appropriate security… including protection against unauthorised or unlawful processing… using appropriate technical or organisational measures”.

The Court’s framing was that the rogue representative’s actions left the Trust “more wronged against than wrongdoer” ([52]). This approach is clear in the judgment as a whole, but springs, perhaps, from a failure to appreciate the possibility of a middle ground.