The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Controller: The Isle of Sark Shipping Company Ltd
- Following an inquiry under the Law the Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that The Isle of Sark Shipping Company Ltd (the controller) breached three operative provisions of the Law, namely section 6(2)(a) requiring personal data to be processed lawfully, fairly and transparently, section 6(2)(d) requiring personal data to be accurate and up to date, and section 6(2)(f) requiring personal data to be processed in a manner that ensures appropriate security. As a result of the Authority’s findings it has imposed sanctions on the controller under the provisions of the Law, as is set out in greater detail within this statement.
- The inquiry undertaken by the Authority leading to the breach determination and imposition of the sanctions commenced as a result of matters being drawn to its attention and certain responses provided by the controller following questions raised by the Authority. The Authority had concerns that the controller may have been unable to demonstrate sufficient awareness, understanding and compliance with their data protection obligations under the Law and as a result failed to maintain appropriate standards and controls in their processing of personal data.
- The area of concern to the Authority related to the processing of personal data concerning the financial status of a data subject. At the conclusion of the inquiry the Authority found that the controller did not process the subject’s personal data in a manner which ensured that the data was processed fairly, lawfully, accurately or securely, in breach of three of the data protection principles under the Law.
- Where organisations process personal data in a manner which breaches operative provisions of the Law the Authority will consider taking action to address those breaches and the imposition of appropriate sanction(s), which can include the issuance of a fine.
- Following the determination by the Authority that the controller had breached operative provisions of the Law it proceeded to consider whether or not to impose sanctions under the Law for the breaches and, if sanctions were to be imposed, what the most appropriate sanctions would be.
- In this case, the Authority identified the following mitigating factors –
  - The controller maintained open and candid correspondence with the Authority whilst enquiries took place and made early admissions.
  - The controller took action prior to the Breach Determination being made to no longer process personal data in the manner highlighted by the inquiry.
  - The controller has not been the subject of a previous investigation or inquiry.
- However, the Authority also took into account that the controller showed insufficient appreciation of the significance of some of the problems arising from the processing of personal data which were the subject of the inquiry.
- The Authority considered it was appropriate to impose sanctions for the breaches of the operative provisions of the Law by the controller. Considering all of the relevant factors arising from the inquiry the Authority considered that the breaches of the operative provisions of the Law were toward the lower end of the scale of seriousness. Accordingly, the Authority imposed a formal Reprimand (under s73(1)(a) of the Law) in relation to the breaches which had been discovered and it also issued a formal Warning (under s73(1)(b) of the Law) to seek to prevent future breaches of a similar nature.
- This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
- Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
- In this case, the controller is The Isle of Sark Shipping Company Ltd.
- The Authority may investigate a complaint in accordance with section 68 of the Law or conduct an inquiry in accordance with section 69. Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
- In accordance with section 72, the Authority, having made the breach determination, will consider whether to impose a sanction(s) against the controller and, if so, which sanction(s) are the most appropriate to impose.
- Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed a reprimand and a warning against the controller.
- Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days.
- If the Authority makes a breach determination, the Authority may by written notice to the person concerned impose all or any of the following sanctions against that person –
  (a) a reprimand,
  (b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and
  (c) an order under subsection (2) including an administrative fine.