Actions we've taken

Openness, transparency and accountability are important in all aspects of legal and regulatory action.

Our Strategic Plan sets out our regulatory focus:

We believe that we can be an effective regulator by ensuring we take action in four areas in relation to data harms:

  1. Predict

    Intelligence gathered from our 'detect' and 'enforce' activity helps us predict where the potential for harm lies.

  2. Prevent

    Knowing where there is potential for harm allows us to raise awareness and empower citizens to try to prevent harms from happening. We do this awareness-raising via:

  3. Detect

    When data harms have occurred we must have effective mechanisms for individuals affected to make a formal complaint about an organisation, and we must have a mechanism that allows controllers/processors to report a data breach to us.

  4. Enforce

    Enforcement action is the last resort, and cannot undo the harm that has occurred. Where we find that an organisation has not complied with their statutory obligations, our findings will be made public here on this page* as this allows other organisations to learn from what went wrong.

    * unless to do so would cause further harm to the complainants

    There are four sanctions available under the Law: Reprimand, Warning, Enforcement Order, and Administrative Fine. The chart below shows sanctions issued by the Authority since 2019:

Cumulative sanctions issued by the Authority
  • REPRIMAND = A formal recognition that an organisation has breached the Law in some way.
  • WARNING = A formal signal to an organisation to not proceed with certain proposed action as it is likely to breach the Law if it goes ahead.
  • ENFORCEMENT ORDER = An instruction that compels an organisation to take specific action to address shortcomings in specific areas of the Law.
  • ADMINISTRATIVE FINE = An order that compels an organisation to pay a financial penalty in recognition of harm caused by a specific breach of the Law.

Public Statements

Below is a list of public statements issued by the Authority under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017. Public statements are usually issued at the conclusion of an investigation or an inquiry but, where appropriate, can be issued to advise of the commencement of an investigation or inquiry or to confirm that a matter has been reported in accordance with the Law.  

Older statements can be shared upon request.

The Medical Specialist Group fined £100,000 following cyber-attack breach - 10/10/2025

In December 2021, the Medical Specialist Group LLP (“the MSG”) became aware of a personal data breach after it received several suspicious emails indicating that its e-mail server had been accessed by cyber criminals.

An internal investigation conducted by the MSG identified that the server had been compromised in August 2021 via a collection of vulnerabilities. These vulnerabilities enabled cyber criminals to access and steal e-mails stored on the server, some of which contained sensitive patient health data.

These e-mails were subsequently used to facilitate multiple phishing campaigns targeting MSG patients over a series of months. The total number of e-mails stolen is unknown but thousands were rendered vulnerable to theft.

The MSG notified the Data Protection Authority (“the Authority”) of this breach in line with its breach notification obligations under the Data Protection Law, and an inquiry was initiated by the Authority.

Read full statement

Jacksons fined £65,000 for unlawfully changing customer marketing preferences - 25/09/2025

On 10 January 2023, the Authority informed Jacksons, a Channel Islands car dealership*, that it was opening an Inquiry after receiving intelligence alleging that Jacksons had carried out direct marketing communication against the wishes of some of their customers.

The investigation revealed an anomaly with a number of customer records. Upon examination these customer records showed certain Jacksons’ sales staff had amended preferences. These amendments changed the customers’ preferences for receiving direct marketing, from ‘No’ to ‘Yes’.

Read full statement

Enforcement Order issued to Watches of Switzerland Company Limited - 20/08/2025

In November 2024, the Authority received a complaint from an individual in relation to a Data Subject Access Request (“DSAR”) they submitted to Mappin & Webb (part of the Watches of Switzerland (WoS) group). The DSAR included a request for material specifically relating to a decision made by WoS, involving the Complainant, and the withdrawal of certain customer services by Mappin & Webb.

WoS responded to the DSAR, providing a pack of material. However, the Complainant noted some information was missing, including any items relating to the aforementioned decision-making process. The Complainant raised concerns with WoS who advised they had provided all the information they held.

During the Authority’s investigation, WoS located additional material relating to the Complainant which they had failed to identify during the initial DSAR process. The newly identified information included material relating to the decision-making process.

Through the Authority’s review of the identified material, concerns were raised that WoS’s search process was not sufficiently extensive and did not consider appropriate sources of personal data, such as local branch staff or historic/archived material. As a result, the additional material was not captured during the original DSAR process.

It was also apparent, through discussions with WoS, that clarification was needed regarding what information may constitute a customer’s personal data and therefore be captured through a DSAR.

Read the full statement

Committee for Health & Social Care Reprimanded - 08/05/2025

The Data Protection Authority (“the Authority”) has issued a reprimand against the Committee for Health & Social Care (“HSC”) for breaches of the Data Protection Law, relating to the failure to take reasonable steps to ensure the security of personal data, and the failure to notify the Authority of a personal data breach.

The Authority received a complaint after HSC accidentally sent an e-mail containing an individual’s personal data to another person. This e-mail included information relating to a complaint regarding medical treatment that the individual had lodged with HSC.

    Despite using a system that provided additional control over sent e-mails, HSC failed to revoke the incorrect recipient’s access to the e-mail because its employees did not know how to do so. Instead, HSC sought assurances from the incorrect recipient of the e-mail that they would delete the e-mail without opening it. While assurances were given, it was later established by the Authority that the incorrect recipient had accessed the e-mail and shared its contents.

Had HSC revoked access to the e-mail upon becoming aware of the breach, it would have prevented the e-mail from being accessed and mitigated the risk to the significant interests of individuals identified within the e-mail.

The investigation also found that HSC failed to notify the Authority of the breach as required by the Data Protection Law. While HSC believed that the breach did not meet the threshold for notifying the Authority, the Authority disagreed with this assessment.

Read full statement

Following ODPA investigation into IT outage, SoG confirms completion of recommendations - 12/02/2025

In October 2023, the Data Protection Authority ("the Authority") initiated an Inquiry into the Policy & Resources Committee (‘P&R’), following a review into several incidents that took down certain States of Guernsey’s IT systems between November 2022 – January 2023. These outages meant people were unable to use the systems and access the personal data held on them.

The Authority’s Inquiry, as informed by the review, found that P&R had failed to take reasonable steps to maintain the air conditioning system within a data room, leading to its failure. This failure was one of multiple failures involving other technical and monitoring controls, resulting in the loss of IT services.

The Inquiry also found that prior to the incidents, P&R had failed to implement an IT disaster recovery plan as is necessary to be able to effectively respond to critical incidents such as those encountered between November 2022 and January 2023.

For these reasons, the Authority concluded that P&R did not take reasonable steps to ensure the security of personal data.

These findings, which relate to P&R’s data protection obligations, align with the findings of the recently released report of the Scrutiny Management Committee focussed on the ‘Review of the Future Digital Services Contract with Agilisys (Guernsey) Limited’.

Read the full statement

Reprimand issued to Beauvoir Limited regarding steps to protect outgoing mail - 20/01/2025

In order for their pension fund to be cashed in, an individual sent Beauvoir a set of sensitive, notarised ID/financial documentation including:

  • Signed and countersigned copies of their passport
  • Property details
  • Their last tax return
  • The front page of their bank book, detailing financial information such as their IBAN
  • Details of the individual’s savings and net worth
  • Their residency card, detailing their tax number and health card number
  • A utility bill and last property tax bill

To facilitate this process, Beauvoir sent these documents by ordinary mail to a third-party organisation. However, they were subsequently informed by the intended recipient that the documents had not arrived. As no additional measures had been implemented to monitor outgoing post in transit, such as tracking or recorded delivery, Beauvoir were unable to determine the location and/or status of the documents. Subsequent enquiries with the third party to establish the fate of the documents meant the individual was only informed of the loss of their documents one month later. During this period, no formal breach report was submitted to the Data Protection Authority (“the Authority”).

As a result, the individual submitted a formal complaint to the Authority, raising concerns regarding Beauvoir’s handling of their personal data.

The Law requires that a controller or processor take reasonable steps to ensure a level of security appropriate to the personal data and that these steps take into account:

  • The nature, scope, context and purpose of the processing.
  • The likelihood and severity of risks posed to the significant interests of data subjects, if the personal data is not secure.
  • Best practices in technical measures and organisational measures.
  • The costs of implementing appropriate measures.

The Authority’s investigation found that Beauvoir did not have a policy in place regarding outgoing mail and therefore insufficient measures were implemented, considering the sensitivity of the documents sent.

Read the full statement

Revenue Service reprimanded following breach of financial information - 16/12/2024

Following a data breach in which personal information was erroneously sent to an incorrect e-mail address, the Data Protection Authority has found that the Revenue Service failed to ensure that appropriate security safeguards were in place. This breach involved the personal information of people who owed money to the Committee for Health & Social Care.

The Revenue Service’s policy at the time of the breach was that e-mails containing personal data should be sent using a specialised secure platform. Further, to help employees comply with this policy, the Revenue Service had implemented an enhanced version of the platform which displayed a pop-up when sending e-mails to external parties, requiring the user to confirm whether the platform should be used. In this case the policy was not followed, and the enhanced version had not been installed on the sender’s account.

This was not the first time that the Revenue Service had reported a breach of this sort to the Authority. In 2022, the Revenue Service notified the Authority of a personal data breach following an e-mail being sent erroneously to an unintended recipient.

Following this breach, the Revenue Service discovered that not all employee accounts were configured with the enhanced version and committed to take further steps to ensure that this was done going forwards. Despite this, in this instance the enhanced version had not been installed.

The Inquiry also found that there were several other breaches where the Revenue Service had failed to send e-mails in line with this policy.

Read the full statement

HSC ordered to improve its access request response - 22/11/2024

A person made a data subject access request to the Committee for Health and Social Care (HSC), requesting a copy of their personal data. HSC provided some personal data in response to the request, however, the person had concerns that they had not been given everything that they were entitled to receive and raised a complaint with the Data Protection Authority.

The Authority’s investigation found that HSC had failed to consider all relevant filing systems and electronic databases when it searched for the individual’s personal information. This resulted in information to which the complainant was entitled not being provided in response to the request. Additionally, the records HSC created of its searches for personal data were inadequate, which meant that HSC was unable to demonstrate that reasonable steps had been taken to comply with the request.

Separately, HSC failed to comply with an Information Notice issued by the Authority within the required time period. This was a legally binding notice which required HSC to provide information to the Authority to assist in this investigation.

This is the second public statement by the Authority relating to a matter where information was missed by HSC in a subject access request, and deadlines were not met. An investigation carried out in 2022 resulted in an order to improve such search processes.

Read the full statement

Medical Specialist Group issued with an Enforcement Order for failings identified in processing agreement - 31/10/2024

In November 2023, the parents of an MSG patient made a complaint to the Data Protection Authority (“the Authority”), relating to MSG’s processing of their child’s personal data in a medical capacity, which involved alleged errors, omissions, and inaccuracies with the data held.

A significant element of the issues highlighted related to the lack of clarity in the Joint Data Processing Agreement (“the agreement”) that MSG had in place with other parties (“controllers”) they shared personal data with. As a result, there was uncertainty about who was responsible for providing the medical records requested by patients. This resulted in the medical records the parents received from the MSG regarding their daughter being incomplete.

Read the full statement

HSC reprimanded for delayed breach notification - 04/07/2024

The Committee for Health and Social Care (‘HSC’) failed to notify the Data Protection Authority (‘the Authority’ or the ‘ODPA’) and affected individuals of a personal data breach within the period required by the Data Protection (Bailiwick of Guernsey) Law, 2017 (‘the Law’).

In December 2023, HSC became aware of a data breach which affected the personal data of three individuals. 

The Law requires that all personal data breaches be reported to the Authority except where the breach is unlikely to result in any risk to the significant interests of an individual. This notification must be made within 72 hours, unless it is not practicable to do so.

In this case, HSC failed to notify the Authority until 52 days after becoming aware of the breach.

HSC explained the reason for this delay to be that the matter required further internal investigation to ascertain the extent of the breach, as some elements were under dispute. Despite this, the Authority considered that HSC had sufficient information from the outset to ascertain that there had been a personal data breach, and that there was no valid reason why HSC should not have notified the Authority within 72 hours.

The personal data that was subject to the breach included information relating to substance misuse, with HSC determining that the breach was likely to present a high risk to the significant interests of the three individuals that it affected. Where this is the case, individuals must be given written notice of the breach as soon as practicable.

HSC did not notify these individuals until 50 days (in one case) and 62 days (in the other two cases) after becoming aware of the breach.

HSC explained that it had needed to take steps to verify the accuracy of contact details it held for two of these individuals, prior to sending written notification. While this was a reasonable step to take, HSC failed to do this in a timely manner, waiting until it had notified the Authority of the breach and not as soon as practicable as required by the Law.

Read the full statement

Data Protection Authority opens Inquiry into data breach at the Director of the Revenue Service - 29/04/2024

The Data Protection Authority (‘the Authority’) has opened an inquiry into a data breach at the Director of the Revenue Service, alleged to involve a significant volume of personal information.

The decision to initiate this inquiry under section 69 of The Data Protection (Bailiwick of Guernsey) Law, 2017 has been made following consideration of a breach notification submitted to the Authority by the Director of the Revenue Service and seeks to establish whether the Director of the Revenue Service has breached an operative provision of the Law. Not all breach notifications result in investigations or inquiry. They are assessed on their particular fact and risk situations.

The outcome of the Authority’s inquiry should not be speculated on, or its conclusion pre-judged. No further comment will be made at this time.

Read the full statement

Policy & Resources ordered to release employment reference - 12/04/2024

A jobseeker whose offer of employment was withdrawn after a reference had been provided requested a copy of it from the Policy & Resources Committee (P&R), the entity to which it had been provided. They did this by exercising their access request rights under The Data Protection (Bailiwick of Guernsey) Law, 2017*.

P&R refused to give the jobseeker the reference on the basis that it contained information about other people. 

P&R had performed a balancing test before reaching their decision, deciding that the interests of the person who wrote the reference outweighed those of the jobseeker. The jobseeker had concerns as to why P&R were refusing to tell them what was in the reference and made a formal complaint to the Data Protection Authority (the Authority). Following investigation, the Authority determined that P&R had not given appropriate consideration to the jobseeker’s significant interests. 

It is reasonable for any jobseeker to understand and validate what is being said about them by a previous employer – especially when that information may impact their ability to get a job.

Read the full statement

ODPA successful in Petty Debts - 08/02/2024

In January 2024, the Office of the Data Protection Authority (ODPA) successfully took six companies to court for the non-payment of registration fees. The ODPA were awarded full judgement and costs in all cases.

It is a legal requirement for all entities (including small businesses and sole traders) that process personal data and are established in the Bailiwick to register with the ODPA and renew that registration annually.

Failure to do so may result in the ODPA using its enforcement powers and, in cases of non-payment, pursuing payment through the Magistrate’s Court Petty Debt process.

The annual registration fee is based on the number of ‘full-time equivalent’ staff in each organisation. These levies enable the Authority to operate independently and fulfil its statutory role of regulating the local data protection law.

Read the full statement

Investigation Report issued to family after ODPA serves Enforcement Order - 15/12/2023

The Data Protection Authority (the Authority) has served The Committee for Health and Social Care (HSC) with an Enforcement Order in relation to a data subject access request it failed to handle appropriately. This is the fourth public statement issued by the Authority in relation to HSC. However, it should be noted that HSC is a large organisation with a number of service areas, and this is the first for this particular service area. 

Concerns were raised about the treatment of a vulnerable adult living in HSC supported accommodation and a safeguarding review was carried out. The family of the vulnerable adult, although made aware of the concerns, were not provided with a copy of the final safeguarding report and as such, were unsure as to what, if anything, had happened to their family member and any action to be taken as a result. 

The vulnerable adult’s appointed guardian made a data subject access request on their behalf asking for an HSC investigation report into the alleged physical and emotional abuse. HSC provided a heavily redacted version of the report and left out the report’s appendices. This made it very difficult for the family to understand what had happened and what would be done to protect their family member. 

As a result, the guardian made a formal complaint to the Authority about HSC’s handling of their request. Following an investigation, the Authority determined that the redactions to the disclosed report were not appropriate under the Law and that the appendices should have been disclosed with the report. The Authority issued HSC with an Enforcement Order which compelled them to release the full report to the family, five months after their initial request, with only minimal redactions.  

Read the full statement

Enforcement Order issued to Guernsey Union D’Escrime LBG over failures in processing of personal data - 08/12/2023

The Guernsey Union D’Escrime LBG (‘the GUE’) has been served with an Enforcement Order requiring it to improve its processes for dealing with data subject access requests.

The Data Protection Authority conducted an investigation following a complaint from a family that they hadn’t been provided with information being held about them.

A ‘data subject access request’ entitles an individual (known as the ‘data subject’) to, amongst other things, be provided with any information about or related to them (‘personal data’) that is held by an organisation (known as a ‘controller’). In this instance the data subject was a minor and the request was made by a parent on their behalf.

The family requested information about the GUE’s involvement with the minor, due to safeguarding concerns which have caused anxiety and distress to the data subject.

The GUE sought guidance from the Authority when it first received the request, in order to understand its responsibilities. However, when it became clear that these had not been properly fulfilled, the Authority was disappointed by the GUE’s apparent reluctance during the course of the investigation to accept advice.

Read the full statement

ODPA launch inquiry into States IT outages - 06/10/2023

1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).

2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.

3. The Office of the Data Protection Authority (ODPA) has begun an inquiry in relation to data room service outages that affected the States of Guernsey’s IT systems between November 2022 – January 2023.

Read the full statement

Enforcement order issued to The Committee for Health and Social Care over data protection training and governance - 23/02/2023

The Data Protection Authority initiated two independent investigations. Both investigations focused on whether the Committee for Health and Social Care’s (‘HSC’) processes for staff training and personal data security were robust enough. The investigations were launched following concerns brought to the Authority’s attention by two complainants. One complaint related to unauthorised access to medical information held on hospital systems, whilst the other related to an HSC staff member using a service-user’s device for work purposes.

Both complaints resulted in investigations that were lengthy and complex and involved significant communications with HSC.

Read full statement