Public Statement:

Enforcement order issued to The Committee for Health and Social Care over data processing issues

Published: 19 December 2022

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law) 
Public Statement
Issued: 12pm Monday 19 December 2022
Controller: The Committee for Health and Social Care (HSC)


What happened?
The Data Protection Authority initiated an Inquiry to review the processes for handling personal data within a specific service area of the Committee for Health and Social Care. This Inquiry was initiated some time ago following concerns raised by a member of the public that warranted consideration. In conclusion, the Authority determined that the Controller had not responded appropriately to a request for access to data and a request for data to be amended. The Controller also did not respond to a formal notice issued by the Authority in the way the Law required.

Why is this a problem?
The Controller processes large amounts of very sensitive personal data including special category data*. Whilst all controllers need to comply with the Law, the risk attached to processing increases when the data is special category data, as does the potential for harm when things go wrong. The issues found in the Inquiry relate to fairly basic errors in process which are concerning for any processing but particularly when the data is sensitive.

What has happened as a result?
The Authority has made a formal determination, in accordance with the Law, and has issued an enforcement order to the Committee for Health and Social Care. The enforcement order requires an improvement in processes within this service area.

What can be learned?
There are significant responsibilities on the shoulders of all controllers, especially when the processing involved special category data. The scale, volume and often mandatory nature of the processing undertaken by public authority controllers means they must take greater care to comply. This matter highlights the critical importance of appropriate processes and reminds us all of the increased likelihood of harm to individuals where processes fail.

Footnotes:
* “Special category data” is any information (facts, speculation, or opinion) that relates to a person’s racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetics, biometrics, health, sex life or sexual orientation, or any criminal matters. Special category data is a sub-set of 'personal data' which is considered more sensitive, and therefore needs greater protection.



Technical statement
1. The Authority conducted an Inquiry under section 69 of the Law, in relation to The Committee for Health and Social Care’s (“the Controller”) processing of personal data in a specific service area.
2. Section 27 of the Law sets out a Controller’s compliance obligations in response to a data subject exercising a data subject right. Section 37 of the Law sets out a number of duties of a Controller, among them is the duty to cooperate with the Authority. Section 30 of the Law provides the Controller with the requirements upon giving a person any information under the Law. Section 23 of the Law sets out the requirements of Controllers when carrying out rectification, erasures or restrictions of processing in accordance with data subject rights. 
3. As a result of the Inquiry, the Authority determined that the Controller breached section 27 of the Law (“Compliance with request to exercise data subject right”). In response to a right of access request, the Controller disclosed a tranche of a data subject’s personal data in response to the request, but failed to include a document containing personal data until after the designated period had ended (the period of one month following receipt of the request). 
4. As a result of the Inquiry, the Authority determined that the Controller breached section 37 of the Law (“Duties of controllers and processors to keep records, make returns and cooperate with the Authority”). The Authority gave the Controller written notice under Schedule 7 of the Law that required it to provide information within 28 days of issue. The Controller failed to provide its response until after the 28 days had expired.
5. As a result of the Inquiry, the Authority determined that the Controller breached section 30 of the Law (“Requirements to give information or take action under this Law”). By providing a notice of rectification via a telephone call, the Controller failed to comply with the requirements of Section 30 of the Law which stipulates that controllers must give such information in writing (unless the data subject requests the information to be given verbally).
6. As a result of the investigation, the Authority has determined that the Controller breached Section 23 of the Law (“Right to be notified of rectification, erasure and restrictions”). By providing the notice of rectification via a telephone call and not in writing, the Authority determined that in this instance, no lawful notice of rectification had taken place and therefore the inaccurate personal data that was previously shared with the third party, remained unrectified.
7. It is noted that the Controller did subsequently provide the notice of rectification as prescribed by Section 23 of the Law. 
8. In accordance with the powers contained in Section 73 of the Law, the Authority has issued an enforcement order to the Controller.
9. The Controller had the right to appeal this sanction but did not do so. 


Legal Framework
1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law). 
2. The Authority may conduct an Inquiry (under section 69 of the Law) on its own initiative into the application of this Law, including into whether a controller or processor has breached or is likely to breach an operative provision of the Law. 
3. In this case, the Controller is The Committee for Health and Social Care.
4. Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law following an Inquiry. 
5. Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made. 
6. Section 84 of the Law provides for an appeal by the Controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days. The controller has not made an appeal in this case.