The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Issued: 09:30 21 May 2021
Controller: The Committee for Health & Social Care
1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.
3. Following a complaint made under section 67 of the Law, an investigation was conducted under section 68 of the Law. The Complaint related to alleged failures to provide personal data, as required by section 15 of the Law, within statutory timeframes set out in section 27 of the Law.
4. Following an investigation under section 68 of the Law, the Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that the Committee for Health & Social Care (the Controller) breached an operative provision of the Law, namely section 27 relating to “Compliance with request to exercise data subject right”.
5. The Controller received a right of access request made under section 15 of the Law on 30 June 2020 (“the request”) from the Complainant. This request entitles an individual to, amongst other things, copies of the personal data a controller processes about them.
6. In most cases, controllers must comply with these requests within one month of receiving the request. If a controller cannot fulfil a request within one month, section 27(2) and (3) dictate that the controller must tell the person making the request why they cannot comply, and the controller must point to the person’s right to complain to the Authority under section 67 and their rights of appeal under sections 82 and 83 of the Law. If a controller thinks that the person’s request is complex they can apply a 2-month extension under section 27(4) as long as they tell the person that they’re using the extension and why. They must do this within one month of the initial request.
7. The designated period in relation to a request means the period of one month following the relevant day. In this case, the relevant day was the day that the subject access request was received by the Committee for Health & Social Care and the identity of the complainant confirmed.
8. At the conclusion of the investigation, the Authority found that:
a. the request was not responded to within the designated period;
b. the Committee for Health & Social Care did not tell the Complainant why it had not complied within the designated period, or inform them of their right to complain to the Authority and their respective rights of appeal within the designated period;
c. the Committee for Health & Social Care did not advise the Complainant that it was applying a response time extension, along with their reasoning, within the designated period.
9. As a result of the above, the Authority determined that the Committee for Health & Social Care failed to comply with section 27 of the Law in relation to “Compliance with request to exercise data subject right” insofar as the individual was advised of the extension after the initial statutory deadline had passed.
10. The Committee for Health & Social Care had the right to appeal this determination but did not do so.
11. Following the Authority’s determination that the Committee for Health & Social Care had breached an operative provision of the Law, the Authority considered whether to impose sanctions and, if so, what the most appropriate sanctions would be.
12. In this case, the Authority noted that the Committee for Health & Social Care cooperated with the Authority throughout the investigation.
13. The Authority also noted that the Complainant received the requested data within the revised deadline available under law (following application of the extension).
14. Where controllers use personal data in a way that breaches any of the Law’s requirements (known as ‘operative provisions’) the Authority can take action to address those breaches and can impose appropriate sanction(s), which can include an administrative fine.
15. The Authority concluded that a formal reprimand would be an appropriate sanction in this case.
16. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:
“This case highlights how important it is for organisations who receive requests of this nature to respond to and update the requestor in a timely and proactive manner. That is as much about respect and courtesy as it is legal duty. Administrative processes can be considered as burdensome, but they are nearly always an extremely important element of ensuring broader compliance. We are grateful for the full cooperation of the Committee for Health and Social Care in this matter, recognising the additional pressures they were under at the time and welcome their commitments to improve.”
- The Authority may conduct an investigation (under section 68 of the Law) following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law.
- In this case, the controller is the Committee for Health & Social Care.
- Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
- Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.
- Having considered the details of this case, the Authority has imposed a formal reprimand under section 73(1)(a) of the Law.
- Section 84 of the Law provides for an appeal by a controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days. The Controller chose not to appeal the determination.