Bounty, the parenting club that hands out free guides, vouchers and samples to new parents alongside photography services after birth, has been hit with a £400,000 fine for “illegally” sharing parent and child data with third parties.
An Information Commissioner’s Office (ICO) investigation found Bounty collected personal information for the purpose of membership registration and then shared personal information with a number of organisations “without being fully clear with people that it might do so.”
The company shared approximately 34.4 million records between June 2017 and April 2018 with credit reference and marketing agencies, the ICO said. The personal information shared was not only of potentially vulnerable new mothers or mothers-to-be but also of very young children, including the birth date and gender of a child.
Steve Eckersley, ICO’s Director of Investigations, said Bounty had not been “open or transparent” with people about the fact their personal data may have been passed on other organisations.
He said the number of people affected in the case was “unprecedented”.
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children,” he added.
A HuffPost UK investigation last year found some NHS hospitals were making thousands from allowing Bounty access to new mothers on maternity wards, a practice which many new mothers have raised concerns about.
Freedom of Information requests to 126 NHS Trusts showed that many hospitals had earned between 80p and £1.50 for each mother it had given access to. One new mother, Lauren Harris, launched a petition calling for Bounty reps to be banned after she was approached by one woman selling photography services following a 30-hour labour.
It’s degrading,” Harris, who is 41, told HuffPost UK at the time. “I was basically delirious and bleeding heavily... It’s embarrassing enough having family come to visit you when you’re basically wearing a nappy.”
In response to the data breach fine from the ICO, Jim Kelleher, Managing Director at Bounty said: “We acknowledge the ICO’s findings – in the past we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough. This was not of the standard expected of us.”
He said the issues were “historical” that it had made “significant changes” to its practices and implemented “robust GDPR training for our staff”.
“And to ensure our promise is never broken, we will appoint an independent data expert to check how we are doing every year and we will publish their findings annually on the Bounty website,” he added.