Case studies

The Authority has a statutory duty to promote awareness of data protection issues. Detailed below are anonymised and simplified case studies of real cases the Authority has handled, together with what can be learned from them.

Asking permission

An organisation posted photographs of young children on its social media account.

CCTV shared unlawfully

A retailer had installed CCTV to cover the public areas of their premises for security purposes (prevention and detection of crime).

Clarity

A patient asked their legal representative to make a ‘data subject access request’ (DSAR) to their GP on their behalf.

Demonstrating consent

The complainant was approached by a recruitment agency of which they had previously been a client.

Discretion is key

An individual was concerned that a healthcare provider was confirming patient contact details loudly in front of other patients at the reception desk.

'Legal privilege'

A member of the public made a ‘data subject access request’ to an organisation she believed had some information about her.

Meeting minutes

A member of the public (the complainant) attended a meeting at an organisation.

Mis-trace

A legal firm were helping a client with debt recovery proceedings regarding outstanding school fees.

Mix-up

An individual received an email in error from an organisation.

Out of date photos

A complaint was made that an individual’s former employer was still using photos of them in their marketing materials.

Password protection

A health organisation emailed sensitive information relating to several patients to an incorrect and unintended recipient.

Sharing stories

A Data Protection Officer (DPO) at a local finance company who was new in their job approached the ODPA for guidance on how to raise their colleagues’ awareness of data protection.

Swift action

A device belonging to a construction company was compromised, which resulted in hackers gaining access to the company’s email mailbox.

Working from Home

An employee sent work data to their personal email addresses so they could work from home.

Unjustified extension

The complainant made a Subject Access Request to a healthcare provider to obtain information relating to the provision of medical care.