A joint investigation has been launched by the Data Protection authorities of Guernsey, Jersey, the Isle of Man and the UK into the cyber incident that compromised data of the trade union Prospect Custodian Trustees Ltd (Prospect) in June 2025.
Prospect has more than 160,000 members who work as scientists, engineers, tech experts and in other specialist roles. Approximately 3,000 Bailiwick residents have been affected by the personal data breach. The organisation holds members’ personal information including financial data and sensitive data such as trade union membership, ethnic origin, sexual orientation, disability, and religious belief.
This investigation marks the first joint action between the jurisdictions’ authorities and reflects the regulators’ commitment to collaborate on protecting people’s data rights across jurisdictions. By pooling resources and expertise, they will deliver a focused, efficient and expedient inquiry.
The investigation will examine:
- the scope of personal information exposed by the breach and potential harms to affected people;
- whether Prospect had adequate technical and organisational measures in place to protect the sensitive information it holds;
- whether Prospect upheld their breach notification obligations;
- whether Prospect took appropriate steps, in their initial response to the breach, to mitigate any identified risks posed to affected data subjects.
Brent Homan, Guernsey Data Protection Commissioner, said: "Cyber-attacks are increasingly impacting organisations holding data across borders and jurisdictions. International threats demand an international response. By joining forces with our partners in the UK and British Isles we will ensure an elevated level of protection for our collective citizens' data rights.”
John Edwards, UK Information Commissioner, said: "When people share their most sensitive information with an organisation, they do so with the expectation that it will be handled responsibly and securely. We will be scrutinising the cyber incident at Prospect to check whether those expectations were met. This joint investigation demonstrates our determination to work more closely with our international counterparts to ensure that data protection standards are upheld across all jurisdictions.”
Paul Vane, Jersey Information Commissioner, said: “Cyber and Phishing attacks are on the rise and are progressively targeting organisations and businesses which span multi-jurisdictionally. We must work collaboratively with other Authorities in order to strengthen our enforcement mechanisms and protect the information and rights of data subjects in affected jurisdictions.”
Dr Alexandra Delaney-Bhattacharya, Isle of Man Information Commissioner, said: “People place enormous trust in organisations when they hand over their personal information, and that trust must be honoured. By undertaking this coordinated investigation into the incident at Prospect, we are strengthening our collective ability to safeguard individuals’ data.”
Data protection legislation allows the authorities of the UK, Guernsey, Jersey and Isle of Man to work together on matters of impact across the jurisdictions. Each regulator will investigate compliance with the law that it oversees. No further comment will be made while the investigation is ongoing.
Notes to Editors
- Prospect reported a personal data breach to the data protection authorities in relation to the cyber incident that took place in June 2025. The opening of this investigation should not be taken to mean that we have reached a conclusion that Prospect has, or continues to, infringe data protection law.
- The Guernsey Office of the Data Protection Authority is the independent supervisory authority for the purposes of The Data Protection (Bailiwick of Guernsey) Law, 2017 and associated legislation.
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The Jersey Office of the Information Commissioner is part of the Jersey Data Protection Authority. We are the independent office responsible for overseeing the Data Protection (Jersey) Law 2018 and the Freedom of Information (Jersey) Law 2011.
- The Isle of Man Information Commissioner is the independent authority responsible for upholding the public's information rights and promoting and enforcing compliance with the Island's information rights legislation, which includes the data protection legislation, the Unsolicited Communications Regulations and the Freedom of Information Act.
Pictured (left to right): UK Information Commissioner John Edwards, Bailiwick of Guernsey Data Protection Commissioner Brent Homan, Isle of Man Information Commissioner Dr Alexandra Delaney-Bhattacharya and Jersey Information Commissioner Paul Vane.