The Data Protection (Bailiwick of Guernsey) Law, 2017 ('the Law')
Public Statement
Issued: 12:00 Friday 15 December 2023
Controller: The Committee for Health and Social Care ('HSC')
The Data Protection Authority (the Authority) has served The Committee for Health and Social Care (HSC) with an Enforcement Order in relation to a data subject access request it failed to handle appropriately. This is the fourth public statement issued by the Authority in relation to HSC. However, it should be noted that HSC is a large organisation with a number of service areas, and this is the first for this particular service area.
What happened?
Concerns were raised about the treatment of a vulnerable adult living in HSC-supported accommodation and a safeguarding review was carried out. The family of the vulnerable adult, although made aware of the concerns, were not provided with a copy of the final safeguarding report and, as such, were unsure as to what, if anything, had happened to their family member and any action to be taken as a result.
The vulnerable adult’s appointed guardian made a data subject access request on their behalf asking for an HSC investigation report into the alleged physical and emotional abuse. HSC provided a heavily redacted version of the report and left out the report’s appendices. This made it very difficult for the family to understand what had happened and what would be done to protect their family member.
As a result, the guardian made a formal complaint to the Authority about HSC’s handling of their request. Following an investigation, the Authority determined that the redactions to the disclosed report were not appropriate under the Law and that the appendices should have been disclosed with the report. The Authority issued HSC with an Enforcement Order which compelled them to release the full report to the family, five months after their initial request, with only minimal redactions.
Why was that a problem?
Whenever someone asks an organisation for information about them (or in this case, on behalf of a vulnerable adult), the organisation must provide the information within the timeframe set out in the Law. This is usually one calendar month, but organisations can request more time if needed. The organisation providing the information must also provide all the information requested, unless there is a valid reason to withhold it. The Law provides exemptions on certain grounds that organisations can seek to apply to relevant information they need to withhold. In this case, HSC withheld an unreasonable amount of information from the family, who were seeking to understand what had happened to their family member whilst in HSC’s care.
What has happened as a result?
Following the Authority’s investigation, HSC were found to have breached two sections of the Law relating to data subject rights, because they unreasonably withheld information and resisted attempts by the family to obtain the full report. The Authority issued an Enforcement Order to HSC. This is one of the sanctions available under the Law and is an instruction that compels an organisation to take specific action to address shortcomings in specific areas of the Law.
Whilst a basic apology was provided by HSC initially and prior to the Authority’s involvement, the lack of the safeguarding report meant it was difficult for the family to be assured that what had happened would not happen again.
HSC have now released the report as required by the Enforcement Order but without any recognition of the prolonged distress caused by the approach they adopted.
What can be learned from this?
At the heart of this case is a vulnerable adult and the data relating to them in the context of a report into physical and emotional abuse. Any organisation that is responsible for the care of others should demonstrate compassion, transparency, accountability and the highest standards of information governance. These requirements are of particular importance where there are legitimate questions over someone’s treatment.
What this means in practice is giving people the information they ask for quickly, and not seeking to protect your organisation’s interests by withholding information by applying exemptions. This was a very stressful experience for the family who wanted to make sure that their loved one was safe. This case is a reminder to all organisations that the Authority can legally compel information to be disclosed in certain circumstances, and that this sanction will be deployed where appropriate.
Legal Framework
- This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
- In this case, the Controller is the Committee for Health and Social Care (HSC).
- The Authority may conduct an investigation under section 68 of the Law following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law. In this case, a complaint was made into the alleged non-provision of personal data in response to a data subject access request.
- Following an investigation, section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law. In this case, the Authority determined that HSC breached section 15 (Right of Access) and section 25 (Controller must facilitate of data subject requests) of the Law.
- Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made. In this case, the Authority issued an Enforcement Order requiring HSC to disclose the report as agreed by the Authority.
- Section 84 of the Law provides for an appeal by a controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days. HSC has not appealed the determination or sanction and has complied with the Enforcement Order issued.