Pregnancy club fined £400,000 for data handling violation
A Hertfordshire-based pregnancy club has been fined £400,000 by the Information Commissioner’s Office (ICO) for illegally sharing the personal information of more than 14 million people.
Pregnancy and parenting club Bounty UK compiled personal data but did not tell people that their data was shared with 39 other organisations, according to the ICO.
A Bounty spokesperson said the company “acknowledged” the ICO’s findings and had now made changes to how it handled member data.
The club offers free samples, vouchers and guides to new and prospective parents by distributing merchandise packs in hospitals or sending them to people who use its app.
Bounty collected data via its website and its app, as well as cards in merchandise packs and from new mothers in hospital.
The personal information shared by the company was not only of potentially vulnerable new mothers, or expectant mothers, but also of very young children, including dates of birth and the sex of a child.
The personal data, containing 34.3 million records from June 2017 to April 2018, was shared with 39 other organisations including marketing agencies Equifax, Acxiom and Indicia.
The ICO said that while many people knew Bounty as a pregnancy club, few were aware that it was also a data broker that supplied information to third parties that would use it for direct marketing purposes.
Bounty (UK) Ltd was found to be in breach of the 1998 Data Protection Act because they failed to be “open and transparent” with people about what they would do with their personal data.
The data shared was of “potentially vulnerable” people including new mothers and very young children, said the ICO.
Steve Eckersley, the ICO’s director of investigations, said:
“The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this. … Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed. … Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time. … Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.”
Bounty UK’s managing director, Jim Kelleher, said: “In the past, we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough.”
He added that the ICO had acknowledged that Bounty had changed its data handling policies and that it now kept fewer records. It had also ended relationships with all data brokers. Employees of the company had also been trained to handle data in compliance with current legislation.
Bounty planned to appoint an independent data expert to carry out an annual survey to ensure it did not breach data protection laws, said Kelleher.