The Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Law”)
The Data Protection Authority (“The Authority”)
Issued: 12pm, 14 April 2026
Controller: The Committee for Home Affairs
What happened?
The Committee for Home Affairs (“CfHA”) failed to comply with a Data Subject Access Request within the timeframe required by the Law. Although an extension had been applied, the CfHA did not meet this deadline. Instead, disclosures were made in stages with the final information provided 71 days after the legal deadline.
During the investigation it was also identified that the CfHA’s initial searches did not capture all personal data within the scope of the request. Additional personal data, relating to a specific period previously overlooked, was only identified and disclosed just over two months after the statutory deadline had expired.
The CfHA cited workload, staff shortages and changes in personnel as having contributed to the delays.
Why was that a problem?
Section 27 of the Law (“Compliance with request to exercise data subject right”) requires controllers to respond to a data subject access request within the statutory timeframe. This obligation is central to ensuring individuals can exercise their rights effectively.
By failing to meet these deadlines, the CfHA prevented the complainant from accessing their personal data within the period mandated by the Law. Administrative pressures and staffing challenges do not diminish or remove a controller’s legal responsibilities under section 27.
The omission of data from initial searches demonstrated that the CfHA processes for locating and collating personal data were not sufficiently robust to ensure a complete and timely response.
What has happened as a result?
The Authority determined that the CfHA contravened the Law as follows:
- The CfHA failed to comply with section 27 of the Law by not responding to the Data Subject Access Request within the (extended) statutory timeframe.
- The CfHA failed to ensure that its internal search processes were sufficiently comprehensive, resulting in personal data being identified and disclosed only after significant delay. As a result, the Authority has issued the Committee for Home Affairs with a reprimand
The Authority notes that the Committee for Home Affairs has since reviewed its internal processes and identified measures to reduce the likelihood of similar issues arising in future. These measures include: (i) tailored data protection training with a particular focus on the handling and fulfilment of Data Subject Requests, and (ii) the development of a new Subject Access Request policy for the Family Proceedings Advisory Service.
What can be learned from this?
The right of access is a fundamental right under the Law, controllers must therefore ensure the right of access is respected in full and within the timeframe required by law.
“Failing to meet statutory deadlines undermines trust in an organisation’s ability to protect and manage personal data responsibly,” Bailiwick of Guernsey Data Protection Commissioner Brent Homan said. “It also limits an individual’s ability to make informed decisions about their information.”
Organisations should maintain well documented procedures for searching for and disclosing personal data in response to access requests. Searches need to be thorough, covering all systems that may hold relevant information.