The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Controller: Channel Islands Financial Ombudsman
- The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that the Channel Islands Financial Ombudsman (the controller) has breached section 6(f) of the Law.
- The Authority finds that the Channel Islands Financial Ombudsman sent an email containing personal data, including special category data, intended for the complainant to an erroneous email address.
- This led to the complainant lodging a formal complaint about the Channel Islands Financial Ombudsman to the Authority under section 67 of the Law.
- The Authority finds that the Channel Islands Financial Ombudsman, did not process the complainant’s personal data in a manner that ensured its security appropriately.
- The Authority is therefore satisfied that the Channel Islands Financial Ombudsman failed to comply with section 6(f) relating to “Integrity and confidentiality”.
- The Authority is clear that where organisations do not ensure that personal data is processed in a manner which ensures its security, consideration will be given to the appropriate sanction including the issuing of a fine.
- In this case, the Authority has identified the following mitigating factor
- An early admission was made by the Channel Islands Financial Ombudsman as to the error and immediate action was taken to attempt to redress the situation.
- In this case, the Authority has not identified any aggravating factors.
- Considering the above factors, the Authority has, by written notice to the Channel Islands Financial Ombudsman, imposed a formal Reprimand.
- This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
- Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
- In this case, the controller is the Channel Islands Financial Ombudsman.
- The Authority may investigate a complaint in accordance with section 68 of the Law. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
- In accordance with section 71, the Authority, having made the breach determination, will consider which sanction to impose against the controller.
- Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed a reprimand against the controller.
- Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days.
- If the Authority makes a breach determination, the Authority may by written notice to the person concerned impose all or any of the following sanctions against that person –
(a) a reprimand,
(b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and
(c) an order under subsection (2) including an administrative fine.