Reprimand issued to Policy & Resources Committee

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
 Controller: The Policy and Resources Committee

1. The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that The Policy and Resources Committee (the controller) has breached section 12(3) of the Law.

2. The Authority finds that The Policy and Resources Committee, did not provide the data subjects participating in The Committee for Home Affairs Governance Review Report, titled ‘Meeting the challenge: towards better governance’, the schedule 3 information as required by the Law.

3. This led to four individuals lodging formal complaints about The Policy and Resources Committee to the Authority under section 67 of the Law.

4. The Authority finds that The Policy and Resources Committee did not provide the complainants with the information they had a right to be given, before or at the time, their personal data was collected as part of a review of committee governance.

5. The Authority is therefore satisfied that The Policy and Resources Committee failed to comply with section 12(3) relating to “Right to information for personal data collected from data subject”.

6. The Authority is clear that where organisations do not take their legal responsibilities to provide data subjects with such information as required by the Law, consideration will be given to the appropriate sanction including the issuing of a fine.

7. In this case, the Authority has identified the following mitigating factor –

– An early admission was made by The Policy and Resources Committee that they had failed to provide the data subjects with the schedule 3 information as required by the Law.

8. In this case, the Authority has also identified the following aggravating factor –

– A lack of co-operation by The Policy and Resources Committee as evidenced by its repeated failure to answer a question posed, leading to a significant delay in drawing the investigation to a conclusion.

9. Considering the above factors, the Authority has, by written notice to The Policy and Resources Committee, imposed a formal Reprimand.

Legal Framework

• This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
• Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
• In this case, the controller is The Policy and Resources Committee.
• The Authority may investigate a complaint in accordance with section 68 of the Law. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
• In accordance with section 71, the Authority, having made the breach determination, will consider which sanction to impose against the controller.
• Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed a reprimand against the controller.
• Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days. In this case the appeals period has now passed.
• If the Authority makes a breach determination, the Authority may by written notice to the person concerned impose all or any of the following sanctions against that person –

(a) a reprimand,

(b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and

(c) an order under subsection (2) including an administrative fine.