Public Statement:

Committee for Health & Social Care Reprimanded

Published: 8 May 2025

The Data Protection (Bailiwick of Guernsey) Law, 2017 ('the Law') 
Public Statement 
Issued: 8 May at 12pm
Controller: The Committee for Health & Social Care (“HSC”)


Brief background
  • The Data Protection Authority (“the Authority”) has issued a reprimand against the Committee for Health & Social Care (“HSC”) for breaches of the Data Protection Law, relating to the failure to take reasonable steps to ensure the security of personal data, and the failure to notify the Authority of a personal data breach.
 
  • The Authority received a complaint after HSC accidentally sent an e-mail containing an individual’s personal data to another person. This e-mail included information relating to a complaint regarding medical treatment that the individual had lodged with HSC.
 
  • Despite using a system that provided additional control over sent e-mails, HSC failed to revoke the incorrect recipient’s access to the e-mail as employees were not aware how to. Instead, HSC sought assurances from the incorrect recipient of the e-mail that they would delete the e-mail without opening it. While assurances were given, it was later established by the Authority that the incorrect recipient had accessed the e-mail and shared its contents.
 
  • Had HSC revoked access to the e-mail upon becoming aware of the breach, it would have prevented the e-mail from being accessed and mitigated the risk to the significant interests of individuals identified within the e-mail.
 
  • The investigation also found that HSC failed to notify the Authority of the breach as required by the Data Protection Law. While HSC believed that the breach did not meet the threshold for notifying the Authority, the Authority disagreed with this assessment.

Full public statement

Background

1. In November 2024, the Authority received a complaint after an individual became aware of a personal data breach involving HSC incorrectly sending an e-mail containing their personal data and that of their son to another person. This e-mail had been sent in January 2024 and contained information relating to a medical treatment complaint that had been submitted by the complainant to HSC.

2. The e-mail had been sent using Egress, a software solution for securely sending information by e-mail. Egress hosts the content of e-mails on a platform outside the e-mail itself, which, amongst other benefits, allows access to the e-mail’s content to be audited and revoked.

3. The error was quickly identified by HSC. However, it failed to use the appropriate capabilities within Egress to revoke access to the e-mail, as staff were not aware how to use the tool and did not review the audit log to ascertain whether any personal data had been accessed.

4. Instead, HSC contacted the incorrect recipient requesting confirmation that the e-mail had been deleted without being opened. Despite assurances being given by the recipient that the e-mail would be deleted and not viewed, it was later established by the Authority that the content of the e-mail had been accessed the day after HSC’s request. Information within the e-mail was then shared by the incorrect recipient with another person, and this led to the complainant becoming aware of the breach.

5. The Authority recognises that HSC believed it could rely upon the assurance given by the incorrect recipient of the e-mail; however, there were simple technical measures available to HSC to contain the breach with certainty. Specifically, had HSC revoked access to the e-mail after realising that a breach had occurred, the e-mail would not have been accessed by the incorrect recipient, mitigating the risks of harm to the complainant.

6. The Authority’s investigation identified that this failure arose due to HSC employees neither being aware nor adequately trained on the capabilities of Egress. While it is positive that Egress was used to send the sensitive e-mail, the failures in this case rendered the additional protections offered by Egress ineffective.

7. HSC has informed the Authority that it has since implemented further measures, including dedicated training, to improve employee awareness of how to use these features within Egress.

8. The investigation also found that HSC failed to notify the Authority of the breach when required to do so by the Data Protection Law.

9. HSC believed that the threshold for notifying the Authority had not been reached, as the recipient indicated that they would not access the e-mail. While this may contribute to lowering the likelihood of risk to the significant interests of individuals identifiable from the breach, this did not provide sufficient mitigation to determine that the breach was unlikely to result in any risk to the significant interests of the affected individuals.

10. Further, the breached e-mail included medical information, which is defined as ‘special category data’, requiring a higher level of care given its sensitivity. Therefore, HSC should have notified the Authority in line with its obligations under the Law.

Breaches of Operative Provisions of the Law

11. The Authority has found HSC in breach of the following operative provisions of the Law:
  • Section 6 – The principle of “Integrity and Confidentiality”
  • Section 41 – “Duty to take reasonable steps to ensure security”
  • Section 42 – “Notification and records required in case of personal data breach”

Sanction

12. The Authority has imposed a reprimand against HSC for the above breaches of the Data Protection Law.

Learning Points
  • Organisations must ensure that employees are aware of how and when to use technical security measures. This includes training employees, and implementing clear policies, guidance and protocols.
 
  • The Data Protection Law requires that organisations (specifically controllers) notify the Authority of all personal data breaches, except where the breach is unlikely to result in any risk to the significant interests of an individual. While an indication that an incorrect recipient will delete the personal data may contribute to lowering the assessed likelihood of risk resulting from a breach, it will not by default mean that a breach is unlikely to result in any risk to the significant interests of an individual.
 
  • Each security breach must be assessed on a case-by-case basis, taking account of the entire circumstances of the breach.
 
  • Had HSC revoked access to the e-mail upon becoming aware of the breach, and ascertained that no access had been made, the breach would have been unlikely to result in any risk to the significant interests of the identified individuals, and therefore HSC would not have been required to notify the Authority of the breach.