The Data Protection (Bailiwick of Guernsey) Law, 2017 ('the Law')
Public Statement
Issued: 14:00 Friday 12 April 2024
Controller: The Policy & Resources Committee (‘P&R')
What happened?
A jobseeker whose offer of employment was withdrawn after a reference has been provided, requested a copy of it from the Policy & Resources Committee (P&R) (the entity it was provided to). They did this by exercising their access request rights under
The Data Protection (Bailiwick of Guernsey) Law, 2017*.
P&R refused to give the jobseeker the reference on the basis that it contained information about other people.
P&R had performed a balancing test before reaching their decision, deciding that the interests of the person who wrote the reference outweighed those of the jobseeker. The jobseeker had concerns as to why P&R were refusing to tell them what was in the reference and made a formal complaint to the Data Protection Authority (the Authority). Following investigation, the Authority determined that P&R had not given appropriate consideration to the jobseeker’s significant interests.
It is reasonable for any jobseeker to understand and validate what is being said about them by a previous employer – especially when that information may impact their ability to get a job.
Why was that a problem?
The purpose of access rights is to empower individuals to understand what information about them is being used and for what purpose. This also enables them to validate whether the information about them is accurate.
P&R prevented the jobseeker from understanding what their previous employer had said about them, which meant they were unable to validate its accuracy. This made it difficult to challenge the recruitment decision as well as to exercise other rights available under the Law.
What has happened as a result?
Following the Authority’s investigation, P&R were found to have breached the Law by failing to provide information that the jobseeker was entitled to receive under the right of access.
As part of the Authority’s determination, an Enforcement Order was issued to compel P&R to provide the jobseeker with a copy of the reference, with redactions as agreed by the Authority, to which they were entitled. The Authority can now confirm that P&R did not appeal against the Authority’s Order and has provided the reference as ordered.
What can be learned from this?
Everyone has a right to know what is being said about them, especially when what is being said about them may impact their chances of getting a job. Everyone is entitled to due process, and this includes the ability to validate information about them. The individual was unable to do so in this case.
The second takeaway from this case is that personal data can relate to more than one person simultaneously. This is particularly common when it comes to opinions, such as those contained within employment references. Where personal data relates to more than one person, and cannot be redacted without losing its context, a balancing test must be undertaken to determine whether it is reasonable to refuse to give the information in response to a data subject access request.
The Authority has
guidance on its website which explains how to comply in situations where an organisation cannot comply with a request without disclosing information relating to another individual.
*
Provision of the Law that entitles a person to certain information about themselves.
Technical Background
1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of
The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. In this case, the Controller is the Policy & Resources Committee (P&R).
3. The Authority may conduct an investigation under section 68 of the Law following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law. In this case, a complaint was made into the alleged non-provision of personal data contained within a reference in response to a data subject access request.
4. The basis relied upon by P&R to refuse to provide this information was section 16 of the Law; the “exception to the right of portability or access involving disclosure of another individual’s personal data”.
5. This exception applies in situations where an organisation cannot comply with a data subject access request without disclosing information relating to another individual who is identified or identifiable from that information. In these situations, a controller must determine whether it is reasonable to refuse to give that information in response to the request, considering several factors outlined in the Law, taking into account the significant interests of the requestor and the other individual.
6. Following an investigation, section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law. In this case, the Authority determined that P&R breached section 15 (Right of Access) of the Law.
7. Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made. In this case, the Authority issued an Enforcement Order requiring P&R to disclose the reference with appropriate redactions applied.
8. Section 84 of the Law provides for an appeal by a controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days. P&R has not appealed the determination or sanction and has complied with the Enforcement Order issued.