Data protection claim for unauthorised acts of third party in NHS hospital fails
18/05/22
A recent Court case brought against the NHS, which arose from a third party making unauthorised use of patient information, has failed. In Underwood and another v Bounty UK Ltd and Hampshire Hospitals NHS Foundation Trust  EWHC 888 (QB), the High Court dismissed a claim for a breach of the Data Protection Act 1998 and misuse of private information.
However, the case illustrates the importance of putting in place appropriate access arrangements with third parties who work on NHS premises, and being able to justify how, why, and where patient information is stored and made available. We summarise the case details and what the judgment means for healthcare organisations.
The agreement between Bounty and the Trust
Bounty UK Ltd was a business which used network representatives to gather personal data such as contact details from individual patients in hospital. Its business model was to invite new parents to agree to supply their personal information in exchange for sample packs of baby supplies or photographs (although some new parents have been critical of being ‘pressured’ by Bounty representatives). Bounty then supplied the information its representatives had gathered to other businesses for marketing.
To gain access to patients, Bounty entered into contracts with NHS hospitals, including the Trust, allowing its representatives to go into wards and speak to patients. The Trust did not allow Bounty to access its own systems to gather patient details. The contract terms between the Trust and Bounty included a ‘Code of Conduct’ requiring Bounty to comply with data protection law. The Trust was paid £1.50 for every patient who agreed to share details with Bounty.
The case incident
Mrs Underwood gave birth at the Trust in October 2017. Whilst she was in hospital, a Bounty representative appeared at Mrs Underwood’s bedside and seemed to be looking at some records stored in a holder at the end of her bed. The Bounty representative was asked to leave and Mrs Underwood did not agree to share any information with Bounty in that interaction. Mrs Underwood subsequently discovered that Bounty held data about her family, including her child’s name, gender and date of birth.
The Court held that the information at the end of the bed was not the ‘full’ patient record, which was stored securely in the midwifery office, but likely comprised a feeding chart and ‘NIPE’ infant physical examination form which was completed by midwifery staff and doctors doing ward rounds. It was likely that the Bounty representative inappropriately obtained some information from these information sheets.
Bounty was fined £400,000 by the ICO following an investigation into its wider data processing activities.
The patient’s data protection and privacy claim against Bounty and the Trust
Mrs Underwood brought a claim against Bounty and the Trust concerning the unauthorised access to her family’s personal data at her bedside. She alleged that this was a misuse of private information and that the Trust had failed to take appropriate technical and organisational measures to prevent unauthorised access to it, in breach of the security requirements set out in data protection law. Default judgment was obtained against Bounty, which by that time had gone into administration, and the claim proceeded to trial against the Trust.
The Court held that the limited data stored at the patient’s bedside was necessary for the Trust and its staff to discharge their duties, and was also needed for patients to complete the feeding chart. Data protection law did not impose an absolute security requirement, under which all patient information would need to be stored in conditions of strict security akin to the main patient record. Imposing such an absolute requirement would be inconvenient for the delivery of patient care and potentially unsafe.
The Trust making documents accessible at the bedside to its staff for patient care was not the same as it making those documents freely available to the Bounty representative working in the hospital. Accordingly, the Trust was not liable for the unauthorised (and unlawful) acts of the Bounty representative when she looked at them herself. Whilst the commercial arrangements between the Trust and Bounty did allow access to the wards, this access was to be exercised by Bounty representatives in accordance with the Code of Conduct. That Code of Conduct emphasised the need to respect the privacy of each patient and to abide by the requirements of the Data Protection Act 1998 and this provided a safeguard.
What to take away
The case illustrates the importance of being able to justify how and where patient information is stored on a case-by-case basis. In this and other recent cases, the Courts have been clear that, for the purposes of data protection law at least, an ‘absolute’ security requirement is not imposed, but the context needs to be taken into account in deciding what is appropriate and reasonable.
Where hospitals enter into commercial or other arrangements, careful account needs to be taken of data protection implications and contractual terms. The Underwood family were clearly left very upset by the behaviour of Bounty at a time at which they were vulnerable, and irrespective of the lawfulness of any arrangements that healthcare organisations enter into, the impact of such arrangements on the patient experience also needs to be considered.
Of note, compared to the Data Protection Act 1998, the UK GDPR (which is now in force) places a heavier emphasis on ‘joint controller’ arrangements and joint liability between multiple data controllers, which may pose a greater risk for healthcare providers.
How Capsticks can help
Our team at Capsticks consists of experts in all areas of information law concerning healthcare and housing organisations, regulators and emergency services. We give practical advice on the full range of advisory, transactional, regulatory and litigated issues including effective information sharing between organisations, complex subject access requests, and responding to information security incidents and cyber-attacks.
To discuss this case and any implications for your organisation, please speak to Andrew Latham, Peter Marquand, Lauren Danks or Kathryn Stewart.