Reprimand issued by Guernsey Data Protection Authority

The Office of the Data Protection Authority (the Authority) in Guernsey has today issued a public reprimand to the States Policy & Resources Committee (P&R). This is the first example of a public reprimand issued under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law) and marks the first instance of enforcement action being taken under the Law as a matter of public record.

The reprimand follows an employee of P&R (the Complainant) lodging a formal complaint about P&R to the Authority under section 67 of the Law, after a managing employee of P&R made reference to the health status of the Complainant in an email sent to several recipients (it is not clear whether or not these were internal colleagues only). This data disclosure caused the Complainant considerable distress and ongoing concerns about the possible negative impact on their future employment.

Following an investigation by the Authority it has been found that:

• P&R is a data controller, and liability for their employee’s action rests with them.

• P&R had no legal basis for disclosing the information and has failed to comply with the lawfulness, fairness and transparency principle.

Accordingly P&R has breached the Law and the Authority has, by written notice, imposed a reprimand.

In determining the appropriate sanction the Authority took into account and balanced the fact that special category data (including health data) are afforded higher levels of protection in the Law, reflecting the harm and distress that can result from a breach, against certain mitigating factors:

• Early engagement and cooperation by the P&R data protection officer

• Early admission of the breach by the P&R

• Updated advice and support provided by the P&R for employees handling personal data

Whilst a fine (being one of a range of possible sanctions) was not imposed in this case, the Authority has taken this opportunity to make clear that where organisations do not take their legal responsibilities to protect data (in particular special category data) seriously, consideration will be given to the appropriate sanction including the issuing of a fine.

In doing so, it has emphasised that in exercising enforcement powers, the Authority – and no doubt its counterparts in Jersey and elsewhere – will look closely at the type of personal data which has been misused, and the consequences for affected individuals, even if the disclosure or incident in question may at first glance seem an internal or isolated matter.