Data protection and privacy: hospital not liable for third parties’ breach
In Underwood v (1) Bounty (2) Hampshire Hospitals NHS FT  EWHC 888 (QB), Nicklin J dismissed a claim against the Second Defendant Trust (“the Trust”) for alleged breaches of the Data Protection Act 1998 (“DPA 1998”) and misuse of private information.
The Claimants, Mrs Underwood and her son Dominic, alleged that after Mrs Underwood gave birth at the Trust in October 2017 she was approached by a representative of the First Defendant (“Bounty”). Bounty was a private company that provided pregnancy and antenatal related services at the Trust pursuant to a services agreement, for which the Trust obtained modest financial benefit. The Underwoods alleged that during their encounter with Bounty personal data relating to Dominic Underwood was obtained without permission from medical notes at the foot of the bed.
Bounty subsequently entered into administration following a substantial fine from the ICO in April 2019 relating to breaches of DPA 1998. Judgment in default on the Underwoods’ claim against it was entered at an early stage of the proceedings.
In their claims against the Trust the Underwoods alleged that the Trust acted in breach of the first, second, sixth and seventh data protection principles by granting Bounty access to the antenatal ward with the consequence that Bounty staff could obtain their private information. The Underwoods further alleged that the Trust had misused their private information by granting Bounty access to the antenatal ward and by leaving private information relating to Dominic Underwood at the foot of the bedside.
In dismissing the claims for breach of data protection Nicklin J rejected the argument that the Trust had “made available” private information relating to the Underwoods by storing limited information at their bedside. The information had been stored for the purposes of providing essential clinical services and measures were taken by the Trust to ensure that Bounty staff (and other third parties) were not provided access to sensitive personal data relating to patients. This included a mandatory Code of Conduct that required all personal data to be processed by Bounty strictly in accordance with DPA 1998.
In respect of the claim for misuse of private information Nicklin J applied the recent judgment in Warren v DSG Retail Limited  EWHC 2168 in holding that the Trust could not be liable to the Underwoods unless it itself had carried out a positive act of “misuse”. In this case the allegations against the Trust could at best be described as omissions (although no omission was in fact found by the Court).
Finally, of interest is the Court’s decision that even if the Trust had been liable for breach of DPA 1998 and/or for misuse of private information, the claim would have failed on the basis that the information obtained about Dominic Underwood (name and gender) was trivial such that no damage could reasonably have been suffered as a consequence of it having been obtained by Bounty.
The Judgement can be found here.
Nicola Atkins appeared for the Trust instructed by DAC Beachcroft