Bounty fined for illegal use of woman and children's data

[RedToothBrush]

The Information Commissioner’s Office (ICO) has fined Bounty (UK) Limited £400,000 for illegally sharing personal information belonging to more than 14 million people.

An ICO investigation found that Bounty, a pregnancy and parenting club, collected personal information for the purpose of membership registration through its website and mobile app, merchandise pack claim cards and directly from new mothers at hospital bedsides.

But the company also operated as a data broking service until 30 April 2018, supplying data to third parties for the purpose of electronic direct marketing.

Bounty breached the Data Protection Act 1998 by sharing personal information with a number of organisations without being fully clear with people that it might do so.

The company shared approximately 34.4 million records between June 2017 and April 2018 with credit reference and marketing agencies, including Acxiom, Equifax, Indicia and Sky.

These organisations represented the four largest recipients out of a total of 39 organisations which Bounty confirmed it shared personal data with.

The personal information shared was not only of potentially vulnerable, new mothers or mothers-to-be but also of very young children, including the birth date and gender of a child.

Steve Eckersley, ICO’s Director of Investigations, said:

“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this.

“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.

“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children”

The investigation found that for online registrations, Bounty’s privacy notices had a reasonably clear description of the organisations they might share information with, but none of the four largest recipients were listed.

Additionally, none of the merchandise pack claim cards and offline registration methods had an opt-in for marketing purposes.

👏🏻👏🏻👏🏻👏🏻👏🏻👏🏻 Good!!

It still shocked me these were even allowed on a ward to harrass vulnerable new mothers.

And finally

51. While it may not have set out to contravene the DPA, Bounty's actions in sharing the data were plainly deliberate. In any event, the Commissioner considers that Bounty knew or ought reasonably to have known that there was a risk that the contravention would (a) occur, and (b) be of a kind likely to cause substantial damage or substantial distress. She further considers that Bounty failed to take reasonable steps to prevent such a contravention in that:

(1) Bounty was aware of the terms of its own privacy notices. It should have been readily aware that those terms were inadequate for disclose for these purposes.

(2) Bounty knew its customer base. It knew why they registered with Bounty and what kind of marketing communication they would expect to recieve. It should have been very clear to Bounty that this disclosure contravened those expectations

(3) Given its own knowledge of its customer base and the common sense considerations summarised at paragraph 48 above, it should have been readily apparent to Bounty that this disclosure was likely to cause substantial distress to at least some of the affect data subjects.

(4) The ICO has published extensive guidance on the importance of valid consent and how to obtain it, and a long established organisation of Bounty's size should have been well aware of the steps it needed to take to ensure its data subjects had all the relevant information at the point of data collection.

(5) Redacted

(6) At the commencement of the Commisioner's investigation in early 2018, Bounty informed the Commissioner that it planned detailed changes to ensure that its marketing practices were compliant with the (then) forthcoming GDPR, including cessation of trading and sharing personal data with third party organisations, updating fair processing notices to ensure data obtained for marketing is fully opted-in, changes to its retention policy, cessation of hard copy claim cards, training of staff and purging its database to reduce the number of records held. Bounty knew that its data sharing practices would likely not be compliant with GDPR and confirmed that it had not carried out impact assessments prior to GDPR. If these appropriate checks had been carried out beforehand than Bounty should have known that its data sharing practices would contravene the DPA.

(7) As referred to above, the steps it took to prevent further breaches and minimise detriment to data subjects shows that Bounty was alive to the kinds of steps that would be needed to avoid contraventions of the DPA in the circumstances, but it failed to take any such steps. The Commissioner considers there was no good reason for this failure

Good!
My eldest is nearly 23 and I remember being bloody annoyed by a bounty rep coming in to sign me up and took a photo of DD. She was crying and the rep put her unwashed knuckle into her mouth to shut her up. 😡( photo was totally crap too!)

Of course we got a free little pack with a few nappies and a pot of sudocream but we're plagued for years by junk mail.

www.mumsnet.com/campaigns/bounty-reps-letter-to-prime-minister
This is Mumsnet's letter to David Cameron in 2013.

I note the following:
60% were not specifically told that their personal details would be passed on to other companies

In 2014 the CQC became involved
www.mumsnet.com/campaigns/bounty-mutiny-latest-cqc-to-review-commercial-sales-reps-on-maternity-wards
Care Quality Commission's maternity services inspections are now including questions about the presence and practice of commercial representatives on maternity wards for the first time, as well as asking women about their experiences.

Yet Bounty were allowed to continue to operate on hospital wards for another five years and Bounty were able in 2017 to do this as a result.

The NHS define harm as anything which might affect someone's mental well being or financial well being.

www.england.nhs.uk/wp-content/uploads/2015/07/safeguard-policy.pdf NHS Safeguarding Policy

It phrases the financial definition of harm in Appendix 2 of its safeguarding policy as follows:

5.0 Financial
5.1 It is the use of a person's property, assets, income, funds or any resources without their informed consent or authorisation. It includes:
- Theft
- Fraud
- Exploitation
- Undue pressure in connection with wills, property, inheritance or financial transactions;
- The misuse of misappropriation of property, possession or benefits; or
- The misuse of an enduring power of attorney or a lasting power of attorney, or appointeeship

Given that women had their data (which is their property) shared in a way which exploited them for financial gain without their proper consent, and the NHS failed to identify this potential risk, and allowed Bounty to continue to operate on its premises for a significant amount of time after warnings were explicitly made by MN that women had concerns over their data, this surely is a failure of the NHS statutory duty to protect women and children?

@ MNHQ I'd be really interested to hear your comments on this development as it has to be related to your compaign.

'(7) In representations made to the Commissioner, Bounty pointed to a lack of complaints about Bounty's processing of data in the circumstances described'

There are eleventy-billion threads on here full of women complaining about bounty people lying, encroaching, all sorts, to lever their data out of them.

Women who have just given birth probably have things on their mind other than complaining, there is also the point that Bounty and their activities seemed endorsed by both NHS and govt ( with govt saying they were best way of getting child benefit forms out).

Lack of complaints is a shit excuse.

And for sure bounty will have read on here. They are just ruthless money grabbers happy to exploit women who are often in vulnerable state.

I must admit, I can't help wondering whether the ICO Commissioner being female has helped enormously in recognising that the Bounty are lying, exploitation fuckers who have a total lack of regard for the financial well being of women and children.

Its a powerful position.

Hello - shocking stuff. Here's Justine's quote which we've just sent to the BBC - we're still digesting the news but please watch this space over the next few days...

'Mumsnet users object passionately to Bounty being given access to often shattered and emotional new mothers on postnatal wards in what is essentially a data mining exercise. We've campaigned for some years to hold NHS trusts to account for this exploitative practice; today's ruling shows just how serious and systematic the breaches have been. This simply has to end now - it never has been and never will be appropriate to allow commercial reps to wander inpatient wards in the pursuit of profit.'

Thank you Rowan!

Much appreciated.

And thanks to Justine too.

Thank you Rowan and Justine !

The MN campaign and the threads collating evidence for it were so important, very happy to see HQ are on this.

Thanks to all of you and thousands of MNers over the years for being so organised and articulate and bringing it to our attention!

Now to read your precis of the full report @redtoothbrush

Well done everyone involved in clipping the vultures' wings.

www.bbc.co.uk/news/technology-47908222
Bounty pregnancy club fined £400,000 over data handling

BBC article is live (though it hasn't had Justine's comment added just yet).

Jim Kelleher, Bounty's managing director, said: "In the past, we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough."

Despite being warned for years by MN that women were not happy about data protection and Bounty...

I am so glad of this.

When I had my first, there were always people appearing asking stuff - midwives, Nursery nurses, physios, family planning nurse etc and in amongst this you would get the bounty lady in her nursey dress and the photography lady, likewise, and lying bedbound and anaemic, as I was, is not the best time to sort the HCPs from the grifters.

I remember years and years back reading about Bounty on here.

I wrote about not having contact with a Bounty rep in my birth plan. They didn't approach me so someone must have told them to stay away from me! Thanks MN

OMG, Elizabeth Denham, the Information Commissioner, rocks!

New sheriff in town, folks!

(Yes I know she's been in place a while, but the companies have been getting away with this for years. )

I wonder if §48(4) "likely to be distressed by the percieved loss of control over their data" is a new interpretation?

She certainly focuses on distress being caused by the mere act of sharing the data, rather than assuming that there is only distress if the data-sharing can be shown to cause a consequence, where the consequence is itself distressing (eg baby-related marketing being sent after a pregnancy loss).

I hadn't seen this Huffpost investigation from last year dated 27th Oct 2018 shortly AFTER this investigation commenced and Bounty seems to have stopped sharing data with third parties.

m.huffingtonpost.co.uk/entry/nhs-has-earned-thousands-by-giving-a-private-company-access-to-new-mothers-on-maternity-wards_uk_5bd18bdee4b0d38b5880467d
The NHS Has Earned Thousands From Private Company For Access To Mums On Maternity Wards
"All they want to do is sell, sell, sell," says new mother.

Freedom of Information requests to 126 NHS Trusts shows many hospitals are earning between 80p and £1.50 for each mother it gives access to.

And

Harris gave birth at St George’s hospital in Tooting. A copy of a contract between the hospital and Bounty, obtained by HuffPost UK, shows that the NHS trust operating the hospital gives “daily access” to Bounty staff in return for a fee.

And

On Thursday evening the Department of Health and Social Care responded. It said commercial representatives on wards were “often a valuable source of information for new mothers” but that it took seriously the concerns shared about NHS trusts allowing them to approach new mothers in maternity wards shortly after they have given birth. The government would consider how to “clarify guidance”, it said.

I do not understand how the Department of Health and Social Care can continue to justify this company on hospital wards after its been found guilty of financial abuse, and that article seems to indicate a continuing pattern of women having their dignity and privacy invaded and are potentially being financially exploited because they can not walk away from a sale. And the NHS appear fully complicit in this.

The petition linked to in the above article has an official government response from October last year.

petition.parliament.uk/petitions/227744

The Government expects NHS providers to have regard for the General Data Protection Regulations and to have procedures that ensure the privacy and dignity of mothers in maternity wards is respected.

Commercial representatives on wards are often a valuable source of information for new mothers, and many value the benefits and samples they receive from said representatives. However, the Government does take seriously the concerns shared about NHS Trusts allowing commercial representatives to approach new mothers in maternity wards shortly after they have given birth. New parents have a right to dignity and to feel safe and comfortable on NHS wards. This is particularly true for women in the period after giving birth when they may feel especially vulnerable.

In 2014, the Care Quality Commission (CQC) maternity inspection framework was updated to include lines of enquiry about the processes that Trusts have in place regarding the access of commercial representatives on postnatal wards. It is for individual trusts to make decisions about allowing commercial representatives access to postnatal wards. However, as with all hospital visitors, the Department of Health and Social Care (DHSC) expects trusts to have robust procedures in place to ensure that all representatives respect the privacy and dignity of all women and their families.

Any commercial representatives speaking to patients within an NHS ward should provide clear information about how patient data will be used and ensure that they are operating in compliance of the Data Protection Act 2018. This is a matter for each individual Trust to consider, in line with their local practices. Over the last year DHSC has been working alongside system partners within a National General Data Protection Regulations (GDPR) Working Group to develop a comprehensive suite of guidance products to help organisations recognise their obligations, and put effective governance and risk management arrangements in place across health and social care. These are published on the NHS Digital website on a dedicated GDPR portal. This website can be accessed via the following link:
digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/information-governance-alliance-iga/general-data-protection-regulation-gdpr-guidance.

It is for individual organisations to take account of these guidance products when developing their own policies and risk management practices.

Ipswich hospital has introduced a system where mothers are only approached by a commercial representative if they indicate that this is something that they would like. Mothers can show their preference by placing a card on their bedside table. This is a good example of how Trusts can put processes in place to give new mothers clear control over their interaction with commercial representatives. The Government is considering how to clarify guidance, so that that the interaction between commercial representatives and new mothers on NHS wards is consistently more positive across the UK.

Department of Health and Social Care

It sounds to me like the Department was already very away there was a problem (the ICO investigation commenced in early 2018) as that comment is pretty robust.

But it also seems to suggest it does not have a problem with the continuing practice even though women after the data issue were still reporting the aggressive tactics of this company.

They do not give two shits about women.

The Hospital benefits and GDPR last year changes everything now.

Just a small thing, but GDPR came into force on 25 May 2018, not 30 April.

A history of complaints into Bounty and their shit responses:

1984
The British Medical Journal accused Bounty of "exerting pressure on new mothers at a time when they are most vulnerable".

6th July 2009
www.telegraph.co.uk/news/health/news/5749564/NHS-allowing-photo-sales-reps-on-maternity-wards.html
NHS allowing photo sales reps on maternity wards
Hospitals are making thousands of pounds by allowing a private firm access to new mothers who are persuaded into buying photos of their babies just hours after they have given birth.

Several hospitals and Bounty itself face investigation by the data protection watchdog, the Information Commissioner's Office, for passing on private details of this newspaper's investigation.

and

Bounty said in a statement: "We have strong relationships with healthcare professionals because we respect and value their judgment and adhere to strict best practice and data protection guidelines.

"Bounty operates purely on a basis of choice with mums and hospitals and we take our responsibility very seriously. Every day thousands of new mums choose to receive a free sample pack and other services from Bounty."

22nd August 2011
www.independent.co.uk/life-style/health-and-families/health-news/how-maternity-wards-cash-in-on-mothers-2341654.html

Bounty said: "Bounty operates respectfully on the basis of choice and if the vast majority of mums didn't agree, we wouldn't be able to provide the services that we have for over 50 years."

2013 - MN launch their campaign

12th June 2013
www.telegraph.co.uk/news/health/news/10047737/NHS-cash-for-access-salespeople-posing-as-medical-staff-to-obtain-pictures.html
NHS cash-for-access: salespeople 'posing as medical staff' to obtain pictures
Unqualified maternity ward photographers have been posing as medical staff and claiming pictures need to be taken for "security reasons" to obtain images and personal details, mothers have said.

A Bounty spokesperson said they would "welcome" a dialogue with Mumsnet over the complaints.

"We are saddened to hear of any individual situation, which suggests we have fallen short of the high standards that mums demand of us and we demand of ourselves.

"We take mums’ feedback seriously and would ask anyone who feels they have a complaint to contact us as we deal with any lapse robustly and promptly."

21st June 2013
www.telegraph.co.uk/news/health/news/10134213/NHS-cash-for-access-Bounty-whistleblower-claims-superior-showed-her-how-to-steal-patient-details.html
NHS cash-for-access: Bounty whistleblower claims superior showed her how to steal patient details

A Bounty spokeswoman said: “We were very surprised and disappointed by these allegations as they are dated from 2009 and they were not raised with Bounty, either at the time or subsequently.

"We fully agree that it would be unacceptable for any organisation to share private data without the express and informed consent of mums, and that is why we have an extensive Code of Conduct to ensure that this does not happen.

"Any complaint is investigated fully and we also conduct exit interviews with all employees. Having checked our records, it is clear that no such complaint has been made to us. Nevertheless we would be happy to investigate this compliant, albeit it is somewhat historic.”

28th June 2013
www.telegraph.co.uk/news/health/news/10148634/NHS-cash-for-access-hospital-cancels-contract-with-Bounty-following-complaints.html
NHS cash-for-access: hospital cancels contract with Bounty following complaints
A hospital has cancelled its contract with Bounty after a Telegraph investigation found that new mothers were being targeted just hours after they had given birth under cash-for-access deals.

A Bounty Spokesperson said: “It is a shame that new mums in Poole will miss out on free Bounty packs and essential health information.

"The truth is complaints are very rare for us and typically, they tend to be when mums miss the Bounty lady and don’t receive their packs. We achieve a 93% satisfaction rating of our Bounty staff from midwives and heads of midwifery, and independently run research shows that 92% of mums love the Bounty packs.”

2013 - CQC become involved

4th August 2013
www.independent.co.uk/life-style/health-and-families/health-news/watchdog-to-act-over-firms-who-bombard-new-mothers-with-marketing-material-on-nhs-maternity-wards-8744977.html
Watchdog to act over firms who bombard new mothers with marketing material on NHS maternity wards

Clare Goodrham, General Manager of Bounty said: "We enforce a rigorous Code of Conduct, which respects mums’ privacy as well as use of any data collected. Bounty ladies, many of whom are mums themselves, never enter a ward without being cleared to do so by medical staff. We take any violation of the code of conduct seriously and regularly review it as part of our collaboration with the NHS.

"For over 50 years, we have worked in partnership with NHS hospitals and trusts to ensure that mums and hospital staff are happy with the service we provide, as we strive to achieve 100% satisfaction amongst mums. The Department of Health have also confirmed recently that they continue to value their relationship with Bounty.

We are proud to say that Bounty is welcomed by 99% of maternity units, and an independent survey by IPSOS-Mori shows that 93% of all midwives and heads of midwifery approve of the service provided by Bounty staff. We are also proud of the fact that 92% of mums say that they love Bounty packs, as it gives them free products and money off coupons - as well as access to essential health information. This is important to all mums, and particularly to those from lower socio-demographic groups who might not have access to this from other sources.

"Our work to deliver child benefit forms to mums is hugely successful and helps 82% of mums, of all backgrounds, to claim this important financial assistance."

Early 2018 the ICO launch investigation into Bounty

24th September 2018
www.independent.co.uk/life-style/health-and-families/mothers-hospital-maternity-ward-uk-salesmen-bounty-care-minister-cqc-a8551516.html
Hospitals are not doing enough to protect new mothers from salesmen, report states

In response to the concerns, a Bounty representative told The Telegraph: “We are very sorry if anyone has had an experience with us that is not up to our high standards. Bounty fully supports and acknowledges the need to respect the privacy and dignity of families on the maternity ward.

“Our code of conduct requires that we check with the midwifery team to establish which mums we may or may not visit. Research shows that the vast majority of new mothers enjoy, expect and welcome our services.

“We work closely with the NHS to ensure our services are offered on the basis of choice and that they comply with the standards required by our hospital partners.”

1st October 2018
www.bbc.co.uk/news/uk-wales-45710941
New mums' anger at photo rep tactics at Wrexham hospital

A spokeswoman for Bounty said: "We are very sorry if anyone has had an experience with us that is not up to our high standards.

"Bounty fully supports and acknowledges the need to respect the privacy and dignity of families on the maternity ward."

27th October 2018
www.huffingtonpost.co.uk/entry/nhs-has-earned-thousands-by-giving-a-private-company-access-to-new-mothers-on-maternity-wards_uk_5bd18bdee4b0d38b5880467d
The NHS Has Earned Thousands From Private Company For Access To Mums On Maternity Wards
"All they want to do is sell, sell, sell," says new mother.

HuffPost UK has contacted Bounty but the company had not responded at the time of writing.

10th December 2018
www.thesun.co.uk/fabulous/7901510/marketing-scandal-maternity-wards/
MUMBELIEVABLE The shocking truth about the marketing scandal on Britain’s maternity wards

From souvenir scans to sale reps stalking antenatal wards, we investigate why vulnerable new mums are being targeted more than ever before

Meanwhile, Bounty has issued a statement saying that the privacy and dignity of new mums are of paramount importance, and that the organisation “welcomes the idea of developing criteria for hospitals to determine how privacy and dignity are respected”.

April 2019 - ICO release their report into illegal data sharing by Bounty
From the ICO report

48. (7) In representations made to the Commissioner, Bounty pointed to a lack of complaints about Bounty's processing of data in the circumstances described.

12th April 2019
www.bbc.co.uk/news/technology-47908222
Bounty pregnancy club fined £400,000 over data handling

Jim Kelleher, Bounty's managing director, said: "In the past, we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough."

He added that the ICO had recognised that Bounty had changed its data-handling policies and that it now kept fewer records for less time. It had also ended relationships with all data brokers. Staff had also been trained to handle data to comply with the latest legislation.

In addition, said Mr Kelleher, Bounty planned to appoint an independent data expert to carry out an annual survey to ensure it did not breach data protection laws.

12th April 2019
www.telegraph.co.uk/news/2019/04/12/bounty-fined-400k-sharing-14-million-peoples-data-unlawfully/
Bounty fined £400k for sharing 14 million peoples' data unlawfully

Jim Kelleher, managing director of Bounty said: “We acknowledge the ICO’s findings – in the past we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough. This was not of the standard expected of us. However, the ICO has recognised that these are historical issues. Our priority is to continue to provide a valuable service for new parents that is both helpful and trusted."

12th April 2019

Bounty.com @BountyUK
Before Spring 2018, our data handling processes did not meet the standards that could be expected of us. We made a mistake for which we are sorry. As well as improving our processes in Spring 2018, we have now launched the Bounty Promise
www.bounty.com/promise

Complaints have been ongoing since 2009. Every time Bounty has been dismissive and pointed to how trusted they are and how they haven't heard about these complaints.

And now they launch a fucking promise??!!!

Are they having a laugh???!!!

And what the fuck have the CQC been doing over this???!

The government keep churning out this tired old trope: Commercial representatives on wards are often a valuable source of information for new mothers........ said no post-birth woman ever....

The fine is pretty pathetic. Less than 3p per person.

Perhaps the monetary fine imposed should be the value of all profits accrued for the entire period the data breach was in progress?

You know who else will sell your data? Recruitment agencies. If you ever need a new job, make a new email account just for that and then delete it when you are well settled in your new job.