This is a selection of comments the ICO made in reference to the Bounty case, which was decided under the less strict Data Protection Act 1998, since succeeded by the GDPR.
“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such a large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children”
And
37. The "fairness" requirement under DPP1 also included a substantive duty to treat individuals fairly when using their personal data. In particular, fairness involves adhering to individuals' reasonable expectations of how their data will be used and not using their data in ways that risk causing them damage or distress, unless there is some sufficiently weighty justification for doing so. Bounty failed to use the personal data of the affected data subjects fairly in this case. As indicated above, data subjects registering with a pregnancy and parenting club would not reasonably have expected their personal data to be disclosed to the likes of credit reference, marketing and profiling agencies. Bounty had no adequate justification for acting as it did. Its actions appear to have been motivated by financial gain, given that data sharing was an integral part of Bounty's business model, and as confirmed by Bounty, cessation of its data sharing practice on 30 April 2018 resulted in significant commercial impact.
Under the heading
Seriousness of the contravention
46. The Commissioner is satisfied that the contravention identified above was serious, in that:
(1) The number of affected data subjects was extraordinarily high - in excess of 34 million records having been disclosed, comprising the personal data of over 14 million individuals. This represents an unprecedented number of affected data subjects in the history of the Commissioner's investigations into data broking organisations. As her investigation focussed on only four out of 39 organisations with which Bounty shared data, it is reasonable to suppose that the number of records disclosed could have been significantly higher.
(2) In addition, some of the affected individuals' data was shared on multiple occasions and with multiple organisations, further impacting on their data rights. Whilst Bounty stated it tracked the data it shared, trading data up to 17 times in a 12 month period is arguably disproportionate, and opened the affected individuals to excessive processing that they did not consent to.
(3) The sustained and prolonged duration of the contravention - approximately 7 months in respect of 'online' member registrations, and 11 months in respect of 'offline' member registrations.
My bold
(4) The data subjects were not only potentially vulnerable new mothers/mothers-to-be, but also very young children. Furthermore, whilst Bounty advised that its 'philosophy and policy' is never to market to children, and it did not share children's names with third parties, the Commissioner considers that sharing the birth date and gender of a child along with information about its parent creates the potential for this data to be appended to create a fuller profile of the child, which may then be used for future targeted marketing. In these circumstances a loss of control of data has already taken place before the child has capacity to consent for its data to be used for marketing purposes.
(5) In the Commissioner's assessment, this disclosure went clearly against the terms of the privacy notices in place at the time. As subjects signed up to a parenting club it is considered highly unlikely that individuals would reasonably expect their personal data to be shared with credit referencing, marketing and profiling agencies, unless explicitly informed that it would be.
My bold
(6) The nature of the data involved - this included information relating to number, age and gender of children, and [redacted] pregnancy status. Disclosure of such information in this context created a real risk of distress (see further below).
(7) Individuals were exposed to a significant loss of control over their data, exacerbated by the fact that Bounty did not inform them about this disclosure either before or after it had taken place.
Under the heading
Contraventions of a kind likely to cause substantial damage or substantial distress
48. The Commissioner considers that this contravention was of a kind likely to cause substantial damage or substantial distress, in that:
(1) For those data subjects registering online, Bounty's privacy notices contained reasonably clear descriptions of the kinds of third parties who might receive personal data from Bounty. However, none of the four most supplied organisations were listed, and the broad category types did not clearly indicate the types of organisations with which the data the subject of the Notice was shared. At least some of the affected data subjects are likely to have been distressed by this failure to adhere to their expectations about how their data would have been used. At least some of these data subjects would reasonably feel misled.
(2) In addition, given that Bounty failed to be transparent with the data subjects about this disclosure, the data subjects may well have been distressed by uncertainty as to how the organisations in this case obtained information with which to target them based on their personal circumstances.
My bold
(3) This sense of distress is likely to have been exacerbated by the fact that it focussed on the affected data subjects' status as new or expectant mothers, as well as on their young children. It is highly likely that at least some data subjects who may not be concerned about their name or email address being shared with a marketing company would have been distressed by the inclusion of information about their pregnancy status and children without their explicit consent.
(4) At least some of the affected data subjects are likely to be distressed by the perceived loss of control over their data when it was shared without their knowledge with large marketing organisations.
(5) At least some of the affected data subjects are likely to be distressed by the fact that their personal data has been shared on numerous occasions with multiple organisations. Some data records were shared up to 17 times over a 12 month period. This, in the Commissioner's view, would exacerbate the level of any distress caused.
(6) The Commissioner has also given weight to the number of affected data subjects: in excess of 14 million. The Commissioner considers that even if the damage or distress likely to have been suffered by each affected individual was less than substantial, the cumulative impact would clearly pass the threshold of "substantial".
(7) In representations made to the Commissioner, Bounty pointed to a lack of complaints about Bounty's processing of data in the circumstances described. Bounty also stated that only a tiny proportion of those registering 'online' went on to view the supplementary list linked to the Privacy Policy, suggesting that very few data subjects were concerned about the 'named list' and so (if any) detriment to those individuals would be minimal.
Bounty relies upon a lack of any evidence of actual distress, stating this case is based upon an assumption of 'risk'. The Commissioner's view is that the above is demonstrative of the 'invisible' nature of the processing whereby individuals are unaware, either before or after, of the processing of their data in these circumstances. She considers that if individuals were aware of the processing of their personal data in these circumstances there would be a real likelihood of substantial damage or distress of the nature described above.
And finally
51. While it may not have set out to contravene the DPA, Bounty's actions in sharing the data were plainly deliberate. In any event, the Commissioner considers that Bounty knew or ought reasonably to have known that there was a risk that the contravention would (a) occur, and (b) be of a kind likely to cause substantial damage or substantial distress. She further considers that Bounty failed to take reasonable steps to prevent such a contravention in that:
(1) Bounty was aware of the terms of its own privacy notices. It should have been readily aware that those terms were inadequate for disclosure for these purposes.
(2) Bounty knew its customer base. It knew why they registered with Bounty and what kind of marketing communication they would expect to receive. It should have been very clear to Bounty that this disclosure contravened those expectations.
My bold
(3) Given its own knowledge of its customer base and the common sense considerations summarised at paragraph 48 above, it should have been readily apparent to Bounty that this disclosure was likely to cause substantial distress to at least some of the affected data subjects.
(4) The ICO has published extensive guidance on the importance of valid consent and how to obtain it, and a long established organisation of Bounty's size should have been well aware of the steps it needed to take to ensure its data subjects had all the relevant information at the point of data collection.
(5) Redacted
(6) At the commencement of the Commissioner's investigation in early 2018, Bounty informed the Commissioner that it planned detailed changes to ensure that its marketing practices were compliant with the (then) forthcoming GDPR, including cessation of trading and sharing personal data with third party organisations, updating fair processing notices to ensure data obtained for marketing is fully opted-in, changes to its retention policy, cessation of hard copy claim cards, training of staff and purging its database to reduce the number of records held. Bounty knew that its data sharing practices would likely not be compliant with GDPR and confirmed that it had not carried out impact assessments prior to GDPR. If these appropriate checks had been carried out beforehand then Bounty should have known that its data sharing practices would contravene the DPA.
My bold, and remembering that Mermaids have recently had a data breach involving email.
(7) As referred to above, the steps it took to prevent further breaches and minimise detriment to data subjects shows that Bounty was alive to the kinds of steps that would be needed to avoid contraventions of the DPA in the circumstances, but it failed to take any such steps. The Commissioner considers there was no good reason for this failure.
Now, Bounty is a much bigger organisation than Mermaids and the scale of the data sharing was much, much bigger, but it's interesting to see exactly where the ICO places its stress and emphasis when assessing severity.
One of these is the point that young children involved do not have the capacity to give informed consent to their data being shared!
In this particular case, Mermaids don't make money out of children, but there is a clear demonstration that they are using children's data to further their own political aims by using it to apply pressure. This is without the express consent of parents, and it should be noted that young children don't have the capacity to consent to their data being used in ways which might have a long-term effect on them in terms of their health. The data leaked is particularly sensitive and extensive. Some of this data sharing was very deliberate, and there are serious questions over who this benefits and whether doing this without explicit consent could cause serious distress.
Noting that the ICO operate on the risk of harm, not on whether there is proof of harm.
I really do hope that those involved or The Times make sure that the ICO deal with this data breach in the appropriate fashion.
And the Trustee has the nerve to say The Times did an attack piece, for pointing out their legal responsibilities as Trustees of a charity.
Indeed, this in itself is probably worthy of a complaint to the Charity Commission, as evidence of the charity's failure to understand and take seriously its legal responsibilities to children.