Bounty UK fined £400,000 by ICO for sharing data of 14 million people
News / Bounty UK fined £400,000 by ICO for sharing personal data of 14 million people
15 April 2019
Bounty UK, a popular pregnancy and parenting club headquartered at Welwyn Garden City in Hertfordshire, has been served a fine of £400,000 by the Information Commissioner’s Office (ICO) for sharing personal data of millions of young mums, toddlers, and other people with third-party firms who used such data for direct marketing.
The fine was issued by the ICO after Bounty UK was found guilty of sharing as many as 34.4 million data records with third-party agencies, the largest of whom were Acxiom, Equifax, Indicia, and Sky. Over 14 million people are said to have been affected by the deliberate breach.
Data breached by Bounty unprecedented in history: ICO
The £400,000 fine issued to Bounty UK was eclipsed only by the £500,000 fine issued to Facebook by the ICO in the past year, suggesting that the breach was catastrophic both in terms of size and potential impact on UK citizens. According to the ICO, the number of personal records and people affected in this case is “unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this”.
The fine was issued under the Data Protection Act, 1998 as the pregnancy and parenting club shared data with third-party companies between June 2017 and April 2018. Had the sharing of data taken place after the arrival of GDPR, the fine issued to Bounty UK could have been catastrophic for the company.
According to the ICO, Bounty obtained personal information of millions of parents and their children through membership registration forms on its website and app, through merchandise pack claim cards, and directly from new mothers at hospital bedsides.
While the firm did inform those signing up for its services that it may share their data with third-party companies, it failed to mention the names of Acxiom, Equifax, Indicia and Sky, the four largest recipients of personal data between June 2017 and April 2018. The ICO also found that none of Bounty’s merchandise pack claim cards and offline registration methods had an opt-in for marketing purposes.
“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children,” said Steve Eckersley, ICO’s Director of Investigations.
Bounty says data protection processes have been reformed
“We acknowledge the ICO’s findings – in the past we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough. This was not of the standard expected of us,” said Jim Kelleher, Managing Director of Bounty.
He added that in Spring 2018, the company made significant changes to its data security processes, reduced the number of personal records it retained and how long it kept them, ended existing relationships with data brokerage companies, and implemented robust GDPR training for its staff.
“Our ‘Bounty Promise’ sets out our continued commitment to carefully look after our members’ personal information. And to ensure our promise is never broken, we will appoint an independent data expert to check how we are doing every year and we will publish their findings annually on the Bounty website,” Kelleher added.
The ICO’s decision to penalise Bounty UK for data protection offenses came shortly after the watchdog issued a fine of £120,000 to a London-based television production company named True Visions Productions for using CCTV-style cameras and microphones in examination rooms at the clinic at Addenbrooke’s Hospital Cambridge for a documentary on stillbirths.
The production company recorded footage of pregnant women in examination rooms at the hospital between July to November 2017 without adequately informing patients about the filming or getting adequate permission from those affected by the filming in advance.
“The recorded footage would have included the sensitive personal data of patients who could already be suffering anxiety and stress. Patients would not have expected to have been filmed in this situation, and many will have been very distressed when they learned such a private and potentially traumatic moment had been recorded,” noted Steve Eckersley, Director of Investigations at the ICO.