Bounty fined for illegal use of women and children's data

(72 Posts)

MNHQ have commented on this thread.

RedToothBrush Fri 12-Apr-19 11:25:26

The Information Commissioner’s Office (ICO) has fined Bounty (UK) Limited £400,000 for illegally sharing personal information belonging to more than 14 million people.

An ICO investigation found that Bounty, a pregnancy and parenting club, collected personal information for the purpose of membership registration through its website and mobile app, merchandise pack claim cards and directly from new mothers at hospital bedsides.

But the company also operated as a data broking service until 30 April 2018, supplying data to third parties for the purpose of electronic direct marketing.

Bounty breached the Data Protection Act 1998 by sharing personal information with a number of organisations without being fully clear with people that it might do so.

The company shared approximately 34.4 million records between June 2017 and April 2018 with credit reference and marketing agencies, including Acxiom, Equifax, Indicia and Sky.

These organisations represented the four largest recipients out of a total of 39 organisations which Bounty confirmed it shared personal data with.

The personal information shared was not only of potentially vulnerable, new mothers or mothers-to-be but also of very young children, including the birth date and gender of a child.

Steve Eckersley, ICO’s Director of Investigations, said:

“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this.

“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.

“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children”

The investigation found that for online registrations, Bounty’s privacy notices had a reasonably clear description of the organisations they might share information with, but none of the four largest recipients were listed.

Additionally, none of the merchandise pack claim cards and offline registration methods had an opt-in for marketing purposes.

RedToothBrush Fri 12-Apr-19 11:26:04

ScrimshawTheSecond Fri 12-Apr-19 11:33:39

So glad they're finally getting done for it, the lying duplicitous mercenary bastards.

I hope they get put out of business and bosses are prosecuted.

OrchidInTheSun Fri 12-Apr-19 11:34:50

There's a surprise. Let's hope they go under. And FYI ICO, a child's sex, not their gender, is recorded at birth.

Roomba Fri 12-Apr-19 11:38:42

Good! Let's hope it's the beginning of the end for them.

Bowlofbabelfish Fri 12-Apr-19 11:39:00

Where’s my grumpy cat ‘good’ meme?

RedToothBrush Fri 12-Apr-19 11:40:26

It's shocking they were sharing with credit reference agencies without telling anyone. In theory giving your details to Bounty could have affected the amount of credit you could get.

RedToothBrush Fri 12-Apr-19 11:40:52

And that only affects women...

EndoplasmicReticulum Fri 12-Apr-19 11:43:15

I still don't understand why they were allowed free access to mothers on wards who had just given birth. Are they still? (Been a while since I had baby)

AnneLovesGilbert Fri 12-Apr-19 11:43:28

About bloody time. I gave birth recently and was very clear they didn’t have permission to talk to me. But the leaflets were everywhere, the HCPs doing obs had a massive pile on their trolley thing and would offer you one and a couple of the hospital staff seemed very surprised when I said no I wasn’t interested.

What does the hospital get out of peddling Bounty? Clearly something. You’d think they’d have enough to worry about.

AnneLovesGilbert Fri 12-Apr-19 11:44:27

They have to ask permission endoplasmic but I didn’t get the impression hospital staff were thrilled when people said no.

ItsAllGoingToBeFine Fri 12-Apr-19 11:45:12

That is good news. I hope they go bust - they are purely a marketing organisation, yet somehow they are given the status of HCPs.

Horrible company.

PerkingFaintly Fri 12-Apr-19 11:46:27

Oh RedToothBrush, you absolute star for your work about Bounty!

Don't say if you don't want, but do you know if the ICO's investigation was in any way triggered by your campaigning?

MamaidhMathMath Fri 12-Apr-19 11:50:56

Good, bastards that they are. It's long past time that they were banned from post natal wards too!

Daffopill Fri 12-Apr-19 11:52:27

I just don’t understand why they are allowed to pester women who’ve just given birth. So very wrong.

RedToothBrush Fri 12-Apr-19 11:55:14

Don't say if you don't want, but do you know if the ICO's investigation was in any way triggered by your campaigning?

Nothing to do with me.

I'm glad someone has gone after them though and who ever it is, good job!

WhatTheWatersShowedMe Fri 12-Apr-19 11:58:49

Good, they are a shower of bastards.

Michelleoftheresistance Fri 12-Apr-19 12:11:23

Good! Although it should have been at minimum, a pound for every single person affected.

It's nauseating that after the MN campaign and all the stories and publicity around Bounty harassing and invading/abusing women on maternity wards without conscience or caring about consent just about their financial gain, the colluding of the NHS, and the many times it was pointed out that this would never happen anywhere else but on a ward of women at their most vulnerable - and what finally corners them?

Bloody data protection.

Because nothing else was really seen as a problem.

PanamaPattie Fri 12-Apr-19 12:17:21

I would be very concerned about a credit check. I imagine these records were accessed to see if any potential “customers” could afford any goods being touted.

I am also concerned about the sharing of the DC dobs etc. It would seem that these babies are already being profiled for future targeting - all without their consent. Once the information is on a database, it will be almost impossible to delete.

PerkingFaintly Fri 12-Apr-19 12:20:22

thanks anyway.

Can I add, because this is important: you often can't know for sure that it was nothing to do with you.

Don't want to out myself, but I made a series of complaints to a regulator about a single business which was breaking a commonly broken law.

The complaints were upheld and the adjudications published on the regulator's website. And lo! a year or so later I saw people discussing those adjudications and saying they too were going to complain to that regulator. It actually became a way to tackle a particularly nasty industry.

We each bring our brick, and wait for others to lay their brick upon it, and so the house is built.

truthisarevolutionaryact Fri 12-Apr-19 12:28:04

Thank you RTB. What is needed is a response from the NHS / government to this massive invasion of privacy. But I expect they'll be following the money as usual.

In a week where a film company were fined for invading the privacy of women in a maternity unit at Addenbrooke's hospital I'm not sure that women's ability to consent to invasions of privacy / dignity is even recognised in the NHS any longer.

RedToothBrush Fri 12-Apr-19 12:34:25

ICO @ICOnews
Our investigation found that Bounty collected personal information for its membership cards directly from new mothers at hospital bedsides. But the company also operated as a data broker and supplied this data to third parties.

I'm just reading the report itself. It's damning.

MenuPlant Fri 12-Apr-19 12:44:06

Good, about time.

How they have been allowed to carry on for so long when they are such total obvious bastards is anyone's guess. It should never have been allowed.

Just women affected I guess.

RedToothBrush Fri 12-Apr-19 13:01:10

37. The "fairness" requirement under DPP1 also included a substantive duty to treat individuals fairly when using their personal data. In particular, fairness involves adhering to individuals' reasonable expectations of how their data will be used and not using their data in ways that risk causing them damage or distress, unless there is some sufficiently weighty justification for doing so. Bounty failed to use the personal data of the affected data subjects fairly in this case. As indicated above, data subjects registering with a pregnancy and parenting club would not reasonably have expected their personal data to be disclosed to the likes of credit reference, marketing and profiling agencies. Bounty had no adequate justification for acting as it did. Its actions appear to have been motivated by financial gain, given that data sharing was an integral part of Bounty's business model, and as confirmed by Bounty, cessation of its data sharing practice on 30 April 2018 resulted in significant commercial impact.

(30th April 2018 was the date GDPR came in).

I note that I certainly have said on MN for a long time that most people didn't really have much of an idea of what they were signing up to in terms of what they were signing away. It actually looks worse than I thought it was given who they were sharing with.

Not only that MN made the point that collecting of this data - for women who received information after having a stillbirth for example - did find it incredibly distressing. And this was YEARS ago.

Under the heading
Seriousness of the contravention
46. The Commissioner is satisfied that the contravention identified above was serious, in that:
(1) The number of affected data subjects was extraordinarily high - in excess of 34 million records having been disclosed, comprising the personal data of over 14 million individuals. This represents an unprecedented number of affected data subjects in the history of the Commissioner's investigations into data broking organisations. As her investigation focussed on only four out of 39 organisations with which Bounty shared data, it is reasonable to suppose that the number of records disclosed could have been significantly higher.

(2) In addition, some of the affected individuals' data was shared on multiple occasions and with multiple organisations, further impacting on their data rights. Whilst Bounty stated it tracked the data it shared, trading data up to 17 times in a 12 month period is arguably disproportionate, and opened the affected individuals to excessive processing that they did not consent to.

(3) The sustained and prolonged duration of the contravention - approximately 7 months in respect of 'online' member registrations, and 11 months in respect of 'offline' member registrations

[RTB the period the ICO refer to is from 1st June 2017 to 30 April 2018]

(4) The data subjects were not only potentially vulnerable new mothers/mothers-to-be, but also very young children. Furthermore, whilst Bounty advised that its 'philosophy and policy' is never to market to children, and it did not share children's names with third parties, the Commissioner considers that sharing the birth date and gender of a child along with information about its parent, creates the potential for this data to be appended to create a fuller profile of the child, which may then be used for future targeted marketing. In these circumstances a loss of control of data has already taken place before the child has capacity to consent for its data to be used for marketing purposes.

(5) In the Commissioner's assessment, this disclosure went clearly against the terms of the privacy notices in place at the time. As subjects signed up to a parenting club it is considered highly unlikely that individuals would reasonably expect their personal data to be shared with credit referencing, marketing and profiling agencies, unless explicitly informed that it would be.

(6) The nature of the data involved - this included information relating to number, age and gender of children, and [redacted] pregnancy status. Disclosure of such information in this context created a real risk of distress (see further below).

(7) Individuals were exposed to a significant loss of control over their data, exacerbated by the fact that Bounty did not inform them about this disclosure either before or after it had taken place.

MenuPlant Fri 12-Apr-19 13:10:20

Thanks for times link and wow at comment from company who filmed at the end, true vision, saying they fought this decision and it's wrong. I.e. they should be able to film women having miscarriages without asking them first.

Another bastard company to add to the list. At least the hosp had the decency (and common sense) to apologise.
