Bounty fined for illegal use of woman and children's data

[RedToothBrush]

The Information Commissioner’s Office (ICO) has fined Bounty (UK) Limited £400,000 for illegally sharing personal information belonging to more than 14 million people.

An ICO investigation found that Bounty, a pregnancy and parenting club, collected personal information for the purpose of membership registration through its website and mobile app, merchandise pack claim cards and directly from new mothers at hospital bedsides.

But the company also operated as a data broking service until 30 April 2018, supplying data to third parties for the purpose of electronic direct marketing.

Bounty breached the Data Protection Act 1998 by sharing personal information with a number of organisations without being fully clear with people that it might do so.

The company shared approximately 34.4 million records between June 2017 and April 2018 with credit reference and marketing agencies, including Acxiom, Equifax, Indicia and Sky.

These organisations represented the four largest recipients out of a total of 39 organisations which Bounty confirmed it shared personal data with.

The personal information shared was not only of potentially vulnerable, new mothers or mothers-to-be but also of very young children, including the birth date and gender of a child.

Steve Eckersley, ICO’s Director of Investigations, said:

“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this.

“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.

“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children”

The investigation found that for online registrations, Bounty’s privacy notices had a reasonably clear description of the organisations they might share information with, but none of the four largest recipients were listed.

Additionally, none of the merchandise pack claim cards and offline registration methods had an opt-in for marketing purposes.

[RedToothBrush]

ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/04/bounty-uk-fined-400-000-for-sharing-personal-data-unlawfully/?utm_source=twitter&utm_medium=iconews&utm_term=0b316063-3b70-456c-b573-9d763a1aec69&utm_content=&utm_campaign=

[ScrimshawTheSecond]

So glad they're finally getting done for it, the lying duplicitous mercenary bastards.

I hope they get put out of business and bosses are prosecuted.

[OrchidInTheSun]

There's a surprise. Let's hope they go under. And FYI ICO, a child's sex, not their gender, is recorded at birth.

[Roomba]

Good! Let's hope it's the beginning of the end for them.

[Bowlofbabelfish]

Where’s my grumpy cat ‘good’ meme?

[RedToothBrush]

It's shocking they were sharing with credit reference agencies without telling anyone. In theory giving your details to Bounty could have affected the amount of credit you could get.

[RedToothBrush]

And that only affects women...

[EndoplasmicReticulum]

I still don't understand why they were allowed free access to mothers on wards who had just given birth. Are they still? (Been a while since I had baby)

[AnneLovesGilbert]

About bloody time. I gave birth recently and was very clear they didn’t have permission to talk to me. But the leaflets were everywhere, the HCPs doing obs had a massive pile on their trolley thing and would offer you one and a couple of the hospital staff seemed very surprised when I said no I wasn’t interested.

What does the hospital get out of peddling Bounty? Clearly something. You’d think they’d have enough to worry about.

[AnneLovesGilbert]

They have to ask permission endoplasmic but I didn’t get the impression hospital staff were thrilled when people said no.

[ItsAllGoingToBeFine]

That is good news. I hope they go bust - they are purely a marketing organisation, yet somehow they are given the status of HCPs.

Horrible company.

[PerkingFaintly]

Oh RedToothBrush, you absolute for your work about Bounty!

Don't say if you don't want, but do you know if the ICO's investigation was in any way triggered by your campaigning?

[MamaidhMathMath]

Good, bastards that they are. It's long past time that they were banned from post natal wards too!

[Daffopill]

I just don’t understand why they are allowed to pester women who’ve just given birth. So very wrong.

[RedToothBrush]

Don't say if you don't want, but do you know if the ICO's investigation was in any way triggered by your campaigning?

Nothing to do with me.

I'm glad someone has gone after them though and who ever it is, good job!

[WhatTheWatersShowedMe]

Good, they are a shower of bastards.

[Michelleoftheresistance]

Good! Although it should have been at minimum, a pound for every single person affected.


Its nauseating that after the MN campaign and all the stories and publicity around Bounty harassing and invading/abusing women on maternity wards without conscience or caring about consent just about their financial gain, the colluding of the NHS, and the many times it was pointed out that this would never happen anywhere else but on a ward of women at their most vulnerable - and what finally corners them?


Bloody data protection.

Because nothing else was really seen as a problem.

[PanamaPattie]

I would be very concerned about a credit check. I imagine these records were accessed to see if any potential “customers” could afford any goods being touted.

I am also concerned about the sharing of the DC dobs etc. It would seem that these babies are already being profiled for future targeting - all without their consent. Once the information is on a database, it will be almost impossible to delete.

[PerkingFaintly]

anyway.

Can I add, because this is important: you often can't know for sure that it was nothing to do with you.

Don't want to out myself, but I made a series of complaints to a regulator about a single business which was breaking a commonly broken law.

The complaints were upheld and the adjudications published on the regulator's website. And lo! a year or so later I saw people discussing those adjudications and saying they too were going to complain to that regulator. It actually became a way to tackle a particularly nasty industry.

We each bring our brick, and wait for others to lay their brick upon it, and so the house is built.

[truthisarevolutionaryact]

Thank you RTB. What is needed is a response from the NHS / government to this massive invasion of privacy. But I expect they'll be following the money as usual.

In a week where a film company were fined for invading the privacy of women in a maternity unit at Addenbrooke's hospital I'm not sure that women's ability to consent to invasions of privacy / dignity is even recognised in the NHS any longer.

www.thetimes.co.uk/article/tv-firm-secretly-filmed-mothers-who-lost-babies-t8tk0rkv5?shareToken=b6bdc65716482858dc3e93804e497dc0

[RedToothBrush]

ICO @ICOnews
Our investigation found that Bounty collected personal information for it's membership cards directly from new mothers at hospital bedsides. But the company also operated as a data broker and supplied this data to third parties.

I'm just reading the report its self. Its damning.

[MenuPlant]

Good, about time.

How they have been allowed to carry on for so long when they are such total obvious bastards is anyone's guess. It should never have been allowed.

Just women affected I guess.

[RedToothBrush]

37. The "fairness" requirement under DPP1 also included a substantive duty to treat individuals fairly when using their personal data. In particular, fairness involves adhering to individual's reasonable expectations of how their data will be used and not using their data in ways that risk causing them damage or distress, unless there is some sufficiently weighty justification for doing so. Bounty failed to use the personal data of the affected data subjects fairly in this case. As indicated above, data subjects registering with a pregnancy and parenting clude would not reasonably have expected their personal data to be disclosed to the likes of credit reference, marketing and profiling agencies. Bounty had no adequare justification for acting as it did. Its actions appear to have been motivated by finacial gain, given that data sharing was an integral part of Bounty's business model, and as confirmed by Bounty, cessation of its data sharing practice on 30 April 2018 resulted in significant commerical impact.

(30th April 2018 was the date GDPR came in).

I note that I certainly have said on MN for a long time that most people didn't really have much of an idea of what they were signing up to in terms of what they were signing away. It actually looks worse than I thought it was given who they were sharing with.

Not only that MN made the point that collecting of this data - for women who recieved information after having a stillbirth for example - did find it incredibly distressing. And this was YEARS ago.

Under the heading
Seriousness of the contravention
46. The Commissioner is satisfied that the contravention identified above was serious, in that:
(1) The number of affected data subjects was extraordinarily high - in excess of 34 million records having been disclosed, comprising the personal data of over 14 million individuals. This represents an unprecedented number of affected data subjects in the history of the Commissioner's investigations into data broking organisations. As her investigation focussed on only four 4 out of 39 organisation with which Bounty shared data, it is resonable to suppose that the number of records disclosed could have been significantly higher.

(2) In addition, some of the affected individual's data was shared on multiple occasions and with multiple organisations, further impacting on their data rights. Whilst Bounty stated it tracked the data it shared, trading data up to 17 times in a 12 month period is arguably disproportionate, and opened the affected individuals to excessive processing that they did not consent to.

(3) The sustained and prolonged duration of the contravention - approximately 7 months in respect of 'online' member registrations, and 11 months in respect of 'offline member registrations

[RTB the period the ICO refer to is from 1st June 2017 to 30 April 2018]

(4) The data subjects were not only potentially vulnerable new mothers/mothers-to-be, but also very young children. Furthermore, whilst Bountry advised that its 'philosophy and policy' is never to market to children, and it did not share children's names with third parties, the Commissioner considers that sharing the birth date and gender of a child along with information about its parent, creates the potentia this data to be appended to create a fuller profile of the child, which may then be used for future targeted marketing. In these circumstances a loss of control of data has already taken place before the child has capacity to consent for its data to be used for marketing purposes.

(5) In the Commissioner's assessment, this disclosure went clearly against the terms of the privacy notices in place at the time. As subjects signed up to a parenting club it is considered highly unlikely that individuals would reasonably expect their personal data to be shared with credit referencing, marketing and profiling agencies, unless explicitly informed that it would be.

(6) The nature of the data data involved - this included information relating to number, age and gender of children, and [redacted] pregnancy status. Disclosure of such information in this context created a real risk of distress (see further below).

(7) Individuals were exposed to a significant loss of control over their data, exacerabated by the fact that Bounty did not inform them about this disclosure either before or after it had taken place.

[MenuPlant]

Thanks for times link and wow at comment from company who filmed at the end, true vision, saying they fought this decision and its wrong. Ie they should be able to film women having miscarriages without asking them first.

Another bastard company to add to the list. At least the hosp had the decency (and common sense) to apologise.

[RedToothBrush]

Contraventions of a kind likely to cause substantial damage or substantial distress

48. The Commissioner considers that this contravention was of a kind likely to cause substantial damage or substantial distress, in that:

(1) For those data subjects registering online, Bounty's privacy notices contained reasonably clear descriptions of the kinds of third parties who might recieve personal data from Bounty. However, none of the four most supplied organisations were listed, and the broad category types did not clearly indicate the types of organisations with which the data the subject of the Notice was shared. At least some of the affected data subjects are likely to have been distressed by this failure to adhere to their expectations about how their data would have been used. At least some of these data subjects would reasonably feel mislead.

(2) In addition, given that Bounty failed to be transparent with the data subjects about this disclosure, the data subjects may well have been distressed by uncertainty as to how the organisations in this case obtained information with which to target them based on their personal circumstances.

(3) This sense of distress is likely to have been exacerbated by the fact that it focussed on the affected data subjects' status as new or expectant mothers, as well as on their young children. It is highly likely that at least some data subjects who may not be concerned about their name or email address being shared with a marketing company, would have been distressed by the inclusion of information about their pregnacy status and children without their explicit consent.

(4) At least some of the affected data subjects are likely to be distressed by the percieved loss of control over their data when it was shared without their knowledge with large marketing organisations.

(5) At least some of the affected data subjects are likely to be distressed by the fact that their personal data has been shared on numerous occasions with multiple organisations. Some data records were shared up to 17 times over a 12 month period. This, in the Commissioners view, would exacerbate the level of any distress caused.

(6) The Commissioner has also given weight to the number of affected data subjects: in excess of 14 million. The Commisioner considers that even if the damage or distress likely to have been suffered by each affect individual was less than substantial, the cumulative impact would clearly pass the threshold of "substantial".

(7) In representations made to the Commissioner, Bounty pointed to a lack of complaints about Bounty's processing of data in the circumstances described. Bounty also stated that only a tiny proportion of those registering 'online' went on to view the supplementary list linked to the Privacy Policy, suggesting that very few data subjects were concerned about the 'named list' and so (if any) detriment to those individuals would be minumal. Bounty relies upon a lack of any evidence of actual distress, stating this case is based upon an assumption of 'risk'. The Commissioner's view is that the above is demonstrative of the 'invisible' nature of the processing whereby individuals are unaware, either before or after, of the processing of their data in these circumstances. She considers that if individuals were aware of the processing of their personal data in these circumstances there would be a real likelihood of substantial damage or distress of the nature described above.

My bold above and BOOM. Both Bounty AND the NHS used this as an excuse against women to say that because there were no complaints there was not a problem. The ICO have now ruled this is not an acceptable excuse. And I would suggest this has implications for the NHS in terms of a failure of safeguarding. I need to have a good look at what MN put to the Department of Health on this because I suspect there is a good case to make that the DoH have failed in their statutory duty to protect women and children by failing to properly risk assess the presence of Bounty on their ward AFTER MN whistleblew. If I'm right the NHS could be exposed to being legally liable to anyone who had their data taken whilst they were in a hospital setting.