The Data Protection (Guernsey) Law, 2017 (the Law)
Public Statement
Controller: Policy and Resources Committee
- The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that the Policy and Resources Committee (the controller) has breached section 6(2)(a) of the Law.
- The Authority finds that an employee of the Policy and Resources Committee, in the position of manager, made reference to the health status of a managed member of staff in an email sent to several recipients.
- The disclosure of the complainant’s personal data in this context caused them considerable distress and they have ongoing concerns about the possibility of the disclosure negatively impacting future employment.
- This led to the complainant lodging a formal complaint about the Policy and Resources Committee to the Authority under section 67 of the Law.
- The Authority finds that the Policy and Resources Committee had no legal basis for disclosing this information.
- The Authority is therefore satisfied that the Policy and Resources Committee failed to comply with the lawfulness, fairness and transparency principle [s.6(2)(a)].
- Special category data (including health data) are afforded higher levels of protection in the Law, reflecting the harm and distress that can result from a breach. The Authority is clear that where organisations do not take their legal responsibilities to protect such data seriously, consideration will be given to the appropriate sanction including the issuing of a fine.
- In this case, the Authority has identified the following mitigating factors:
  - Early engagement and cooperation by the Policy and Resources Committee data protection officer
  - Early admission of the breach by the Policy and Resources Committee
  - Updated advice and support provided by the Policy and Resources Committee for employees handling personal data
- Considering the above factors, the Authority has, by written notice to the Policy and Resources Committee, imposed a reprimand.
Legal Framework
- This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
- Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
- In this case, the controller is the Policy and Resources Committee and liability for their employee’s action rests with them.
- The Authority may investigate a complaint in accordance with section 68 of the Law. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
- In accordance with section 71, the Authority, having made the breach determination, will consider which sanction to impose against the controller.
- Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed a reprimand against the controller.
- Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days.