Public Statement:

Reprimand issued to States of Alderney over personal data breach

Published: 1 February 2022

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Public Statement
Issued: 12pm 1 February 2022
Controller: States of Alderney


1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. The Law seeks to “…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…”, and the Authority is the independent regulatory body responsible for overseeing it.
3. Following an investigation under section 68 of the Law, the Authority determined that the States of Alderney (the Controller) breached one of the Law’s operative provisions, namely section 13 relating to “Right to Information for indirectly collected personal data”.
4. On 5th March 2021, the Controller published an official external government document, in which the Complainant’s employment status was discussed, specifically, proposals to terminate the post. Whilst not identifying the Complainant by name, due to the unique nature of the position, their identity was immediately apparent.
5. Having been made aware of this publication, the Complainant lodged a formal complaint with the Authority under section 67 of the Law.
6. Upon realising the error, the Controller reported a personal data breach to the Authority and corresponded directly with the Complainant, acknowledging the breach.
7. Over the following few weeks, the matter was reported in various Bailiwick media publications.
8. Following the formal complaint being made, the Authority sought clarification as to the exact nature of the breach and the circumstances surrounding it, and this investigation concluded that the Law had been breached.
9. As a result of the above, the Authority determined that the States of Alderney failed to comply with section 13 of the Law in relation to “Right to Information for indirectly collected personal data”.
10. The States of Alderney had the right to appeal this determination but chose not to.
11. Following the Authority’s determination that the Controller had breached one of the Law’s operative provisions, it proceeded to consider whether to impose sanctions for the breach and, if sanctions were to be imposed, what the most appropriate sanctions would be.
12. In this case, the Authority identified the following factors –

Mitigating factors:
• The Controller immediately acknowledged the breach.
• The Controller engaged positively with the Complainant, and accepted that an error had been made.
• The Controller carried out an internal Code of Conduct enquiry, and the person responsible for the processing on behalf of the Controller was disciplined.
• The Controller’s staff have received guidance to mitigate future recurrences.

Aggravating factors:
• The breach had an adverse impact on the Complainant.
• This is the second investigation carried out by the Authority in relation to the Controller.
• It is important that the public, particularly on a small island such as Alderney, see that the Government are being held to account for their actions.
• The Controller must be held fully accountable, particularly when their actions directly affect an identified, or identifiable, individual.

13. Considering the aforementioned failures, the Authority has made the decision to impose a formal reprimand.
14. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:

“The way in which information about individuals is handled has the potential for significant impact and harm, especially in a small jurisdiction. We are grateful for the open and honest way in which the Controller in this case responded to and acknowledged the error and hope it prompts a broader review of data governance standards to prevent further incidents.”

Legal Framework
1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. The Authority may conduct an investigation (under section 68 of the Law) following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law.
3. In this case, the controller is the States of Alderney.
4. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
5. Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.
6. Having considered the details of this case, the Authority has imposed a formal reprimand for contravention of section 13 of the Law.
7. Section 84 of the Law provides for an appeal by a controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days; the Controller chose not to appeal the determination.