The Data Protection (Bailiwick of Guernsey) Law, 2017 ('the Law')
Public Statement
Issued: 11am 22 November 2024
Controller: The Committee for Health and Social Care (‘HSC’)
What happened?
A person made a data subject access request to the Committee for Health and Social Care (HSC), requesting a copy of their personal data. HSC provided some personal data in response to the request; however, the person had concerns that they had not been given everything that they were entitled to receive and raised a complaint with the Data Protection Authority.
The Authority’s investigation found that HSC had failed to consider all relevant filing systems and electronic databases when it searched for the individual’s personal information. As a result, information that the complainant was entitled to was not provided in response to the request. Additionally, the records created by HSC of the searches for personal data were inadequate. This meant that HSC was unable to demonstrate that reasonable steps had been taken to comply with the request.
Separately, HSC failed to comply with an Information Notice issued by the Authority within the required time period. This was a legally binding notice which required HSC to provide information to the Authority to assist in this investigation.
This is the second public statement by the Authority relating to a matter where information was missed by HSC in a subject access request, and deadlines were not met. An investigation carried out in 2022 resulted in an order to improve such search processes.
Why was that a problem?
The aim of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the use of their personal data. This empowers them to be aware of and verify the lawfulness of its use, and its accuracy. This also facilitates the individual’s ability to exercise other rights such as the right to erasure or rectification.
By not searching all relevant filing systems and electronic databases for the person’s data, HSC failed to provide the person with all information that they were entitled to receive in response to their subject access request. This meant that they were unable to understand the full extent of their personal data that was being used by HSC.
This issue was further compounded by inadequate records of searches being created by HSC. That meant that it could not demonstrate to the Authority that the steps that it had taken to carry out the request were reasonable.
In respect of HSC’s late response to an Information Notice, this results in delays to investigations, which could negatively impact the significant interests of complainants.
What has happened as a result?
The Authority has imposed an Order against HSC, requiring that it carry out further searches for the person’s personal data, and provide them with a copy of everything that they are entitled to receive.
Additionally, the Order requires that HSC implement measures to identify all the relevant filing systems and electronic databases which may need to be considered when conducting a search for personal data. The Order also requires that within three months HSC should implement improved processes to ensure compliance with future data subject access requests and confirm to the Authority that this has been done.
A Reprimand has also been imposed against HSC in respect of its failure to comply with an Information Notice within the required timeframe. The Authority has concerns that this is the second Order against HSC requiring improvements in processes relating to data subject access requests. As a result, we are calling upon HSC to elevate their efforts to ensure that implemented measures are effective.
What can be learned from this?
When a data subject access request is made of an organisation, it must take reasonable steps to comply. This includes identifying all relevant filing systems and databases, as well as using appropriate search parameters that are considered reasonably likely to find information relating to the person.
Organisations must be able to demonstrate why they consider the search parameters used to be reasonable and must also be able to explain why any filing systems or electronic databases have not been searched.
Technical Background
1. This is a public statement made by the Data Protection Authority (‘the Authority’) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (‘the Law’).
2. In this case, the Controller is the Committee for Health & Social Care (‘HSC’).
3. Where a complaint is made under section 67 of the Law, the Authority can investigate to determine if any operative provisions of the Law have been breached.
4. Section 15 of the Law provides individuals the right to be given information which includes a copy of their personal data that is being processed by a controller, which must be given by the controller upon request.
5. The Authority has determined that HSC breached section 15 of the Law by failing to give the complainant all information to which they were entitled to be given under section 15 of the Law.
6. Section 25 of the Law requires that controllers take reasonable steps to facilitate the exercise of data subject rights.
7. The Authority has determined that HSC breached section 25 of the Law by failing to consider all relevant filing systems and electronic databases when conducting searches for the complainant’s personal data. Additionally, the records created by HSC of searches conducted for personal data were inadequate. This meant that HSC was unable to demonstrate that the steps it had taken to comply with the request were reasonable.
8. Section 37 of the Law requires that controllers cooperate with the Authority in the exercise or performance of any of the Authority’s functions under the Law, including complying with any information notice issued under paragraph 1 of Schedule 7 of the Law.
9. The Authority has determined that HSC breached section 37 of the Law by failing to comply within the compliance period of an information notice issued under paragraph 1 of Schedule 7 of the Law. HSC subsequently provided the requested information following the expiry of the compliance period.
10. Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.
11. In this case, the Authority imposed an Order upon HSC, requiring that it undertake further searches for the complainant’s personal data, and provide them with a copy of all personal data that they are entitled to receive.
12. Additionally, the Order requires that HSC implement measures to identify all the relevant filing systems and electronic databases which may need to be considered when conducting a search for personal data. The Order also requires that within three months HSC should implement improved processes to ensure compliance with future data subject access requests and confirm to the Authority that this has been done.
13. A Reprimand has also been imposed against HSC in respect of its failure to comply with an Information Notice within the compliance period.
14. Section 84 of the Law provides for an appeal by a controller to the Court against a determination made or sanction issued by the Authority. Any such appeal must be made within 28 days of the issuance of the determination.