Our behaviours must change to protect people’s data

Published: 8 November 2021

The Office of the Data Protection Authority has published the latest breach statistics with twenty-six personal data breaches reported during September and October 2021. This is the second lowest figure since statutory breach reporting was introduced.

More than half of the reported breaches (14 incidents) were due to personal data being sent to the incorrect recipient either by post or email. This category is consistently responsible for the highest number of reported breaches, highlighting again the role that we can all play in preventing a data breach.

Cyber incidents resulted in five reported breaches, four breaches were due to the inappropriate or unauthorised disclosure of information, two were unspecified and one breach resulted from a system error.

The 26 breaches were spread across a number of different sectors. The most, six incidents, were reported from the health sector, then fiduciary with four breaches.

Emma Martins, the Bailiwick’s Data Protection Commissioner, again thanked the regulated community of the Bailiwick for continuing to engage with their legal duties by reporting data breaches but also commented on how they continue to evidence the important role of human behaviour in this context,

‘As we approach six-months since the launch of our social initiative, Project Bijou, it’s clear again that there are real opportunities to reduce the incidents of data breaches and the harms that often result. Understanding better how there is always a human at the heart of a breach means we become more invested in caring for personal data properly, not just because it is our legal duty, but because it is right and ethical to do so. It is people that can be harmed when things go wrong but it is also people who have the opportunity to prevent those things from happening in the first place. If we genuinely engage with the significant responsibility we shoulder when handling other people’s data, we are much more likely to take care.

It’s pleasing to see that the level of breaches has dropped from the number seen for the previous reporting period, but each breach matters and we must continue to put every effort into reducing them as much as possible. While it’s true that not every email or piece of post sent to the wrong recipient represents a breach, every time a mistake like this is made, the potential is there for real harm to be done to an individual.’

For more information on Project Bijou or to become involved in efforts to bring about cultural change in the handling of personal information please visit

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it. 

Number of breaches reported (1 September – 31 October 2021) by category: 

Breach category

Number of reported breaches

Percentage of total

Cyber Incidents



Data sent to incorrect recipient – E-mail



Data sent to incorrect recipient – Fax



Data sent to incorrect recipient – Post



Inappropriate/Unauthorised Access



Inappropriate/Unauthorised Disclosure



Loss of data/paperwork/device






System Error





Number of personal data breaches reported to the ODPA (Oct 2018 – present): view statistics for every two-month period from October 2018 - present.

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.