The Data Protection (Bailiwick of Guernsey) Law, 2017
Public Statement
Issued: 2pm Friday 6 October 2023
Controller: The States of Guernsey’s Policy & Resources Committee
1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.
3. The Office of the Data Protection Authority (ODPA) has begun an inquiry in relation to data room service outages that affected the States of Guernsey’s IT systems between November 2022 – January 2023.
4. The decision to initiate this Inquiry under section 69 of The Data Protection (Bailiwick of Guernsey) Law, 2017, has been made following consideration of the full text of PWC’s ‘Major Incident Review’; the public summary of which was issued on 19 June 2023. The report was requested from the Policy & Resources Committee as part of the initial assessment of this matter and using the Authority’s powers to require a controller or processor to provide information. The Inquiry seeks to establish the manner and extent to which the Controller has complied with the requirements of the Law including those aspects relating to data availability and resilience.
5. Section 69 of The Data Protection (Bailiwick of Guernsey) Law, 2017 gives the Authority powers to launch an inquiry at its own discretion. The Authority can launch a formal inquiry where there are concerns about a controller’s activities or their compliance with the Law. It is not necessary for there to have been a complaint about a controller or processor’s activities for this type of inquiry to be undertaken.
6. The outcome of the ODPA’s inquiry should not be speculated on, or its conclusion pre-judged. No further comment will be made at this time.
7. The Authority invites anyone with evidence of the specific impact the outages had to contact the ODPA Investigation Team by e-mail at casework@odpa.gg.
Legal Framework
1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017.
2. The Authority may conduct an inquiry (under section 69 of the Law) where there are concerns about a controller’s activities or their compliance under the Law.
3. In this case, the controller is The States of Guernsey’s Policy & Resources Committee.