The Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Law”)
The Office of the Data Protection Authority (“the Authority”)
The Committee for Health & Social Care (“HSC”)
Date issued: 26 June 2026
What happened?
Over a short period of time, the Authority received multiple complaints from people attempting to exercise their right of access, by submitting Data Subject Access Requests (“DSARs”) to HSC. These specifically related to Children and Family Community Services, which receives a large portion of the DSARs submitted to HSC. A common theme of these complaints was HSC’s failure to comply with the DSARs within the designated period.
In addition, the Authority had previously dealt with compliance concerns relating to HSC’s handling of DSARs that, in certain instances, required formal enforcement action.
The Authority noted the nature of HSC’s functions, providing healthcare services to the Bailiwick, and was concerned by ongoing challenges in facilitating data subject rights. The Authority, therefore, commenced an inquiry (“the Inquiry”) into HSC to properly investigate its compliance concerns.
As part of the Inquiry, the Authority reviewed HSC’s DSAR compliance record over a three-year period (2023-2025), taking multiple factors into account, including:
• DSARs received/disclosed
• Time taken to disclose
• Number of extensions applied (s.27 of the Law)
• DSARs disclosed after the legal deadline
• Overdue DSARs
• Communication with requestors
During the Inquiry, the Authority made the following observations:
• Information provided by HSC and complaints received by the Authority demonstrated an ongoing failure to facilitate DSARs within the designated period.
• HSC are regularly failing to communicate information regarding extensions or non-compliance to requestors within the designated period required by the Law.
• HSC claimed a significant factor impacting their compliance was a lack of resources.
As a result of these findings, the Authority determined that HSC had failed to comply with the following provisions of the Law:
• Section 15 - relating to an individual’s right to be given a copy of their personal data by the controller (the right of access);
• Section 27 - relating to the controller’s duty to comply with a request to exercise a data subject right (extensions and non-compliance); and
• Section 31 - relating to the controller’s duty to take reasonable steps to ensure that processing of personal data is carried out in compliance with this Law.
A sanction was issued against HSC in the form of an Enforcement Order, requiring that HSC:
1. Contact all requestors with overdue DSARs, providing revised completion dates.
2. Resolve all overdue DSARs by the revised completion date.
3. Develop a detailed plan of action for addressing the backlog of DSARs.
4. Provide the Authority with monthly updates regarding overdue DSARs.
5. Implement changes to ensure any DSARs received following the date of implementation are dealt with promptly and effectively, within the designated period.
6. Implement changes to ensure any communications to requestors, regarding notification of extensions or HSC failing to comply, are provided within the designated period.
[Further details of the Authority’s findings and subsequent sanction can be found in the linked determination]
During the Inquiry, HSC also confirmed that an administrative document, developed in response to a previous Enforcement Order was no longer being utilised. This was particularly concerning as the document had been created to improve HSC’s management of DSARs. HSC cited significant resource constraints as the primary reason for this tool being dropped, noting that additional measures had since been implemented. The sanction in question was general and not prescriptive, requiring that HSC “…create, document and implement improved processes, which will ensure compliance with future requests made under section 15 of the Law”.
Taking into consideration HSC’s response, referencing additional measures implemented, the Authority concludes that, while not the initial safeguard level and form pledged, the general requirements of the Order have not been contravened.
Why is this important?
The impact of DSARs can vary depending on the size and nature of an organisation. Public authorities, including government bodies, naturally process much larger volumes of personal data and special category data as part of their day-to-day functions. Failing to action an individual’s right of access can, therefore, be more impactful on their significant interests.
This is particularly relevant when considering the types of information held by HSC and relevant departments under it or other government committees.
Individuals will often be requesting sensitive information relating to their medical history and/or childhood. Failing to provide this information within the designated period restricts their ability to understand important life events or inform medical decisions and can lead to the individual feeling unseen by a large government body.
With respect to the prior Order, although not reaching the threshold of a contravention, it was not honoured in the manner pledged by HSC. On this point we would emphasise the importance of compliance with an Order in order to avoid further regulatory action and enhanced sanctions.
What can be learned from this?
In their response to the Inquiry, HSC claimed that their compliance challenges were a result of being under-resourced. While resources can impact operational efficiency, this is a factor squarely under the control of the controller, who is responsible for deciding the priority and resourcing given to their statutory obligations under the Law. Insufficient resourcing may, therefore, be an indicator that Data Protection is of a lower priority than other functions/services. This can be particularly concerning where there is an increased sensitivity and volume of personal data (including special category health information). Where there is a clear ongoing issue with compliance, the controller should review their current structure, resourcing and processes and identify points of weakness. Addressing these weaknesses should be treated with the appropriate level of priority to improve compliance and ensure issues are addressed in a timely manner.