Reprimand to Sandpiper CI Ltd over delayed and incomplete response to subject access request

1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.
3. Following an investigation under section 68 of the Law, the Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that Sandpiper CI Ltd (the Controller) breached an operative provision of the Law, namely section 27 “Compliance with request to exercise data subject right”.
4. The Controller received a right of access request made under section 15 of the Law (“the request”) on 30 June 2020 from the Complainant. A request of this nature entitles an individual to, amongst other things, a copy of personal data processed by the Controller.
5. Following a complaint made under section 67 of the Law, an investigation was conducted under section 68 of the Law. The complaint related to the alleged non-compliance with the request. Certain responses provided by the Controller following questions raised by the Authority were also considered.
6. In most cases, Controllers are required to comply with requests of this nature within the designated period of one month from the date the request is received (“designated period”). In the event a Controller is unable to fulfil a request within the designated period, section 27(2) and (3) dictate that the Controller must notify the requestor, within the designated period, of their reasons for not complying, their right to complain to the Authority under section 67 and their rights of appeal under the Law. If a Controller determines that the request is complex and requires further time to collate the response, section 27(4) provides for the application of a 2-month extension on the condition that that decision is communicated to the requestor along with the reasons for the extension within the designated period.
7. It was shown during the investigation that the Controller, Sandpiper CI Ltd, had not responded to the request within the designated period, did not notify the Complainant of their reasons for not complying with the request, did not advise the Complainant that there was a right to complain to the Authority and did not advise the Complainant of their right to take civil action. In addition, the Authority considered that the Controller, requiring extra time to respond to the request, did not inform the Complainant of this within the designated period.
8. As a result of the above, the Authority determined that Sandpiper CI Ltd had failed to comply with section 27 of the Law in relation to “Compliance with request to exercise data subject right”.
9. Sandpiper CI Ltd had the right to appeal this determination but chose not to.
10. Where organisations process personal data in a manner which breaches operative provisions of the Law, the Authority will consider taking action to address those breaches and the imposition of an appropriate sanction, which can include the issuance of an administrative fine.
11. In this case, the Authority considered the following factors when determining an appropriate sanction –
    
    Mitigating factors
    - It was considered that the Controller had made efforts to respond to the Complainant’s request, albeit whilst not fulfilling the requirements of section 27.
    - The nature of the request required the Controller to access archived information, the retrieval of which was not straightforward, and as such an extension could be applied to the response period.
    - The Controller was diligent in responding to queries from the Authority.
    
    Aggravating factors
    - The reason for the delay in the request was that the Controller had not searched in archived material in its initial response to the request. Upon being notified that the response was incomplete, this became apparent and further searches were required to fulfil that request. This took the response time beyond that of the designated period. Had the Controller had a more robust data governance structure in place, allowing it to easily recognise the fact that archived material fell within the scope of the request, it is likely a breach of this nature could have been either avoided or mitigated.
     
12. The Authority, in consideration of the aforementioned failures has decided to impose a formal reprimand.
13. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:

“This case highlights the importance of controllers knowing exactly where the personal data they are legally responsible for are located. Archived data has as much capacity for harm as other forms of data and needs to be part of the overall data governance framework of any organisation. We are grateful for the full cooperation of the Controller in this case and hope it serves to remind us all to be prepared to respond to rights requests from individuals. The right of access, as exercised in this case, is a very important part of the data protection law and individuals seeking access to information about themselves have the right to expect timely and complete responses.”

Legal Framework

• This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
• The Authority may conduct an investigation (under section 68 of the Law) following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law.
• In this case, the controller is Sandpiper CI Ltd.
• Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
• Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.
• Having considered the details of this case, the Authority has imposed a Reprimand in accordance with section 73(1)(b) of the Law.
• Section 84 of the Law provides for an appeal by a controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days. The Controller has not appealed the determination.