[BreachExchange] Pregnancy club Bounty UK fined £400,000 by data protection regulator

Destry Winant destry at riskbasedsecurity.com
Mon Apr 15 08:49:40 EDT 2019


https://www.healthcareitnews.com/news/pregnancy-club-bounty-uk-fined-400000-data-protection-regulator

The UK’s data protection regulator has fined pregnancy and parenting
support club Bounty UK £400,000 after an investigation found it
unlawfully shared the personal information of over 14 million people
with a number of organisations, including credit reference and
marketing companies.

Bounty collected the data for membership purposes, but the Information
Commissioner's Office (ICO) said it also acted as a "data broking
service" until the end of April 2018, breaching the Data Protection
Act 1998 by not making it clear to people that their personal
information might be shared with third parties.

Before the General Data Protection Regulation came into force, Bounty
shared over 34 million personal data records with 39 organisations for
“the purposes of direct electronic marketing” from June 2017 until
April 2018, the watchdog said on Friday (12 April).

The information concerned new mothers, mothers-to-be and young children,
and included their full name, date of birth, postal address and
postcode. Each record could be shared several times, in some cases "up
to 17" times over a year-long period, according to the ICO's enforcement
report.

Out of these 39 organisations, marketing agencies Acxiom and Indicia,
credit reference company Equifax and telecommunications company Sky
were the four largest recipients.

“The number of personal records and people affected in this case is
unprecedented in the history of the ICO’s investigations into the data
broking industry and organisations linked to this,” said Steve
Eckersley, ICO director of investigations.

“Bounty were not open or transparent to the millions of people that
their personal data may be passed on to such a large number of
organisations. Any consent given by these people was clearly not
informed. Bounty’s actions appear to have been motivated by financial
gain, given that data sharing was an integral part of their business
model at the time.

“Such careless data sharing is likely to have caused distress to many
people, since they did not know that their personal information was
being shared multiple times with so many organisations, including
information about their pregnancy status and their children,”
Eckersley added.

The maximum penalty for a breach under the previous legislation in
civil cases is £500,000; under GDPR, however, it is £17m (€20m) or
four percent of the global turnover in the previous financial year.

Bounty managing director Jim Kelleher said in a statement on Friday
that the company acknowledged the regulator’s findings.

“(…) In the past we did not take a broad enough view of our
responsibilities and as a result our data-sharing processes,
specifically with regards to transparency, were not robust enough.
This was not of the standard expected of us. However, the ICO has
recognised that these are historical issues. Our priority is to
continue to provide a valuable service for new parents that is both
helpful and trusted,” Kelleher added.

The company has since reduced the number and period of time records
are being held for, Kelleher said, implemented GDPR training for its
employees, stopped working with data broker companies, and planned to
appoint an independent data expert.

