Sign up to myFT Daily Digest to be the first to know about Data protection news.
Personal information about millions of new mothers and their babies was sold illegally by a pregnancy and parenting company that operates within National Health Service hospitals, UK regulators said on Friday.
The highly sensitive information included the birth date, gender and addresses of infants, as well as names, addresses, pregnancy status and other details about new and soon-to-be parents, the Information Commissioner’s Office said, as it handed Bounty one of the largest fines for misuse of private citizen data.
The ICO, which fined Bounty £400,000, said that over a 10-month period, the company shared millions of records with 39 different credit reference and marketing groups. More than 30m records were shared with Acxiom, Equifax, Indicia and Sky alone. Individual records were frequently sold to multiple customers, in some cases up to 17 times.
Steve Eckersley, director of investigations at the ICO, said: “The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this.”
Bounty is a familiar name in Britain’s maternity wards, where the company has been providing information packs and baby goody-bags to pregnant women and new parents since 1959. Bounty and its US sister company, Mom365, operate the largest in-hospital newborn photography businesses nationally in their respective markets.
The ICO first began scrutinising Bounty in 2017 as part of its wider investigation into data brokers. The regulator discovered that the pregnancy and parenting “club” also acted as a data broker itself, supplying data that it collected directly from mums to third parties for the purpose of marketing and hosting targeted advertising.
“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such [a] large number of organisations,” Mr Eckersley said. “Any consent given by these people was clearly not informed. Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children,” he added.
After the EU’s General Data Protection Regulation came into effect last May, the company closed down its data-selling business. The ICO fine was issued for breaching earlier UK legislation, the Data Protection Act of 1998.
Jim Kelleher, Bounty managing director, said the ICO had identified “historical” issues” and the company had made “significant changes” last spring.
“In the past we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough,” he said.
Bounty is widely known for its aggressive marketing practices. The company’s reps are given free access to maternity wards in dozens of NHS hospitals, asking women who have only just given birth to share their personal details.
Many mothers recall uniform-wearing Bounty reps walking into their hospital rooms with trolleys full of free samples of essentials such as nappies and Sudocream, as well as a dossier including a personal-details form and an official UK government leaflet about child benefit. Reps also carry cameras, offering to photograph new mothers and their babies.
Records made public following Freedom of Information requests show that at least 79 hospitals have contracts with the company, including St George’s Hospital in Tooting, the Oxford University Hospitals NHS Foundation Trust, and Luton and Dunstable Hospital NHS Foundation Trust. The records show that Bounty pays hospitals between 80p and £1.50 per new mother. Several trusts reported an income of £6,000-£8,000 last year from the company.
Although Bounty no longer sells data to third parties, it has more than 100 corporate partners, including Pfizer, Amazon, Tesco and Royal London, listed on its website. It offers new mothers vouchers and other promotions from its partners, but a Bounty spokesperson said all communication with parents came from the companies, rather than third parties.
A spokesman for the Department of Health and Social Care said: “It is absolutely crucial that patient data is always protected to the highest standards and the Government has introduced new legislation to support this. We are clear that NHS trusts should ensure their practices and rules for sales representatives always prioritise the privacy and dignity of new mothers and their families.”
Privacy campaigners say that Bounty and other parenting services such as Emma’s Diary are data sources for several marketing companies.
Ailidh Callander, legal officer at Privacy International, said the group had been aware of Bounty’s practices, adding: “It is one of the ones that stands out as particularly creepy.”
“There’s a huge part of the data-broking market that segments individuals by whether or not you have children,” she added. “They all want to know whether or not you have kids so they can sell that.”
Last year, the ICO fined Emma’s Diary, a pregnancy and parenting advice website, £140,000 for illegally collecting data on new mothers and selling it to the Labour party for election campaigning.
Susan Hall, partner at Clarke Willmott, a law firm, said the ICO was “sending a strong message” with its latest fine.
“The distress caused to vulnerable new or expectant mothers is reflected in the seriousness of the investigation and it is only a shame that these companies have been fined under the old law, rather than the new maximum, which is €20m or 4 per cent of turnover, whichever is higher.”
Get alerts on Data protection when a new story is published