The burgeoning field of data breach claims has taken a blow with a High Court judge saying the disclosure of a person’s name, gender and date of birth is not serious enough.
Mr Justice Nicklin also warned that it was “never appropriate” to claim exemplary damages simply to mark how upset a claimant was about a defendant’s conduct.
The claimants here were a mother and child suing Bounty, the company behind the baby packs women receive after giving birth, and Hampshire Hospitals NHS Foundation Trust for breaches of the Data Protection Act 1998 and misuse of private information (MPI).
It followed a £400,000 fine imposed by the Information Commissioner in 2019 after it found Bounty shared the personal data of over 14 million individuals to several organisations without informing them that it might do so.
Nicklin J said Bounty’s business model was “largely based upon harvesting data from expectant mothers in order to sell that data on to third parties”. The packs were the ‘hook’ to get them to sign up.
At trial, the mother, Pamela Underwood, said her main complaint was her data being sold on to third parties by Bounty but also that the hospital had allowed the company’s representative to disturb her at the Royal Hampshire County Hospital following the birth of her son.
Bounty did not take part in the proceedings, having gone into administration in November 2020. The claimants have obtained judgment in default against Bounty but Nicklin J said he was not aware of any steps to enforce it.
The judge found that Mrs Underwood provided Bounty with some personal information when signing up online ahead of the birth, and that the Bounty representative in the hospital looked at medical information at the end of her bed to find out her child’s name and gender.
He ruled that the hospital – while it had allowed the representative onto the ward – was not responsible for them gaining access to that information.
By placing the information at the end of the bed, the hospital had not “disseminated or otherwise made available the relevant data”.
“Insofar as personal data was contained in forms that were available at the claimant’s bedside, then inclusion of that limited data was necessary for the second defendant and its staff to discharge its duties.
“The commercial arrangements with Bounty did allow access to the wards, but this access was to be exercised by Bounty representatives in accordance with the code of conduct. That code of conduct emphasised the need to respect the privacy of each patient and to abide by the requirements of the Data Protection Act 1998.”
The hospital also did not misuse the claimants’ private information – what Bounty did obtain was without its consent or knowledge.
Nicklin J added: “Although not a point that received any real attention at the trial, even if the claimants had established that the second defendant was liable under the MPI tort for Bounty acquiring information about them, the information so obtained was trivial.
“Discounting the information that the first claimant had already provided to Bounty voluntarily when she originally signed up for its products and services, this amounted only to the name, gender and date of birth of the second claimant.
“To be actionable for misuse of personal information, the information misuse must reach a level of seriousness before the tort is engaged. Had the claim not failed for other reasons, it would have failed on this ground.”
The disclosure of this type of information is often part of data breach claims
Dismissing the action, the judge added that “the real wrongdoer here was Bounty”.
He recorded too his view that the claimants should not have sought exemplary damages against the hospital.
“Claims for exemplary damages are wholly exceptional. The cases in which such damages can properly be claimed are very few; those in which they are awarded fewer still.
“It is never appropriate to add a claim for exemplary damages simply to mark how upset the claimant is about the defendant’s conduct, or as some sort of negotiating strategy.”
Last August, it was argued that a High Court ruling on a low-value data breach claims and after-the-event insurance could stem the number of claims brought by people based on security breaches.