The Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Law”)
Public Statement
Issued: 12pm 31 October 2024
Controller: The Medical Specialist Group LLP (“MSG”)
What happened?
In November 2023, the parents of an MSG patient made a complaint to the Data Protection Authority (“the Authority”), relating to MSG’s processing of their child’s personal data in a medical capacity, which involved alleged errors, omissions, and inaccuracies with the data held.
A significant element of the issues highlighted related to the lack of clarity in the Joint Data Processing Agreement (“the agreement”) that MSG had in place with the other parties (“controllers”) with which it shared personal data. As a result, there was uncertainty about who was responsible for providing the medical records requested by patients. This resulted in the medical records the parents received from MSG regarding their daughter being incomplete.
Why was that a problem?
The Law requires anyone working with people’s data to take steps to ensure that it is being processed appropriately, lawfully and in a transparent manner. This includes responding to requests for information made by patients using the rights contained within the Law.
Where the same information is used by more than one organisation, as is the case with some medical data, there should be an agreement in place between these parties to ensure that all legal requirements are suitably addressed and that it is made clear to those whose information is being used how to exercise their rights.
What has happened as a result?
As a result of the parents’ complaint, the Authority investigated MSG’s actions. This included reviewing relevant policies and procedures, which should, if appropriately detailed and applied, clearly set out which controller is responsible for what element of the processing.
It was clear from the investigation carried out that the appropriate agreement was not in place. The existing agreement contained ambiguous information and lacked clarity on roles and responsibilities. This resulted in confusion and uncertainty for MSG’s patients/clients.
MSG cooperated with the Authority during the investigation process, supplying all data requested and complying with deadlines imposed.
At the conclusion of the investigation, the Authority issued an Enforcement Order to MSG. This sanction legally compels MSG to take specific actions to address shortcomings in specific areas of the Law, bringing their practices into compliance. MSG did not appeal this sanction, and they have until February 2025 to demonstrate their compliance with the Enforcement Order’s requirements.
What can be learned from this?
The Authority expects all controllers to process personal data in compliance with the Law.
When more than one organisation is using the same information, it must be clear how compliance is dealt with between them. This includes ensuring agreements are in place between these parties which clearly outline the respective responsibilities and expectations of each controller, so that patients/clients understand the processes.
It is also important that controllers recognise the Law’s accountability principle, which includes accepting responsibility for their actions and showing a willingness to improve their practices when errors are identified. In this case, MSG readily acknowledged and accepted the deficiencies in its processes and gave assurances that it would undertake corrective action.
Technical Background
- This is a public statement made by the Data Protection Authority (‘the Authority’) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (‘the Law’).
- In this case, the Controller is the Medical Specialist Group (‘MSG’).
- Where a complaint is made under section 67 of the Law, the Authority can investigate to determine if any operative provisions of the Law have been breached.
- Section 33 of the Law requires joint controllers, processing the same information, to agree on their respective responsibilities for compliance and for this to be covered in a written agreement.
- The Authority has determined that HSC breached section 33 of the Law by failing to have a sufficiently detailed agreement with its joint controllers, leading to a lack of clarity for patients.
- Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made. In this case, the Authority imposed an order on MSG to improve the agreement between itself and other, joint controllers.
- Section 84 of the Law provides for an appeal by a controller to the Court against a determination made or sanction issued by the Authority. Any such appeal must be made within 28 days of the issuance of the determination and/or sanction. MSG did not appeal the determination or sanction.