
Public Statement:

Reprimand and warning issued to The States of Alderney

Published: 24 June 2021

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law) 
Public Statement 
Issued: 10:00 24 June 2021
Controller: The States of Alderney


1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law). The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.

2. Following a complaint made under section 67 of the Law, an investigation was conducted under section 68 of the Law. The Complaint raised concerns about whether the States of Alderney (the Controller) had lawfully processed the Complainant’s personal data in relation to the revised Public Service Licence annual renewal process. The investigation was complex, but in summary it was found that the States of Alderney had collected and intended to further process ‘special category data’ (particularly sensitive data about a person) without a valid legal reason. The complexities of this investigation arose due to differences in legislation within the Bailiwick, and how that legislation was being incorrectly interpreted as a legal mechanism for processing of special category data in this context.

3. Following the investigation, the Authority determined that the States of Alderney breached two aspects of the Law (‘operative provisions’), namely section 6 (“Duty to comply with data protection principles”) and section 12 (“Right to information for personal data collected from data subject”). The Authority also determined that the States of Alderney’s intended processing was likely to breach operative provisions of the Law, namely section 6 (“Duty to comply with data protection principles”) and section 7 (“Lawfulness of processing”).

4. The data protection principles sit at the core of the Law’s compliance requirements. The Lawfulness, Fairness and Transparency principle requires a controller to process personal data lawfully, fairly and in a transparent manner. Section 7 of the Law sets out the conditions that a controller must satisfy to process personal data lawfully. Section 12 of the Law sets out the information a data subject (the person the data is about, or related to) has a right to be given where a controller collects personal data from them.

5. When collecting personal data, controllers must satisfy a condition for lawful processing detailed in Schedule 2 of the Law. More specifically, when collecting Special Category Data, that condition must be from Part II or Part III of Schedule 2 of the Law.

6. Public Service Licences are required for a person to operate a vehicle for hire or reward. The States of Alderney sought to revise its Public Service Licence renewal process. In doing so, it required the applicant to provide personal information of a sensitive nature (“Special Category Data”).

7. During the investigation, the Authority found that information required by section 12 of the Law was not provided to the Complainant at the time their personal data were collected. Because of the lack of transparency at the time of collection, this was also considered to be a contravention of section 6.

8. When the Complainant raised concerns about this, the States of Alderney ceased the Complainant’s renewal application.

9. Had the States of Alderney not ceased the Public Vehicle Licence application, there would have been further definitive breaches of the Law, namely section 6 (“Duty to comply with data protection principles”) and 7 (“Lawfulness of processing”). This was due to the States of Alderney not satisfying at least one condition in Parts II or III of Schedule 2 of the Law (Conditions for processing to be lawful), in order for the processing of the Complainant’s personal data to be considered lawful.

10. In conclusion, the Authority determined that the States of Alderney did not comply with section 6 (“Duty to comply with data protection principles”) and section 12 (“Right to information for personal data collected from data subject”). The Authority also determined that the States of Alderney was likely to breach operative provisions of the Law, namely section 6 (“Duty to comply with data protection principles”) and section 7 (“Lawfulness of processing”).

11. The States of Alderney had the right to appeal this determination but chose not to.

12. Where organisations process personal data in a manner which breaches operative provisions of the Law, the Authority will consider taking action to address those breaches and the imposition of appropriate sanction(s), which can include the issuance of an administrative fine.

13. Following the determination by the Authority that the States of Alderney had breached operative provisions of the Law, it proceeded to consider whether to impose sanctions under the Law for the breaches and, if sanctions were to be imposed, what the most appropriate sanctions would be.

14. In this case, the Authority identified the following factors – 

Mitigating factors:
• It is acknowledged that the proposed changes to policy and procedures by the Controller were all done with the best intentions, but the application of the processes and the implementation was flawed.
• The Controller fully engaged and complied with the investigation, complying with all deadlines set.
• This is the first such case requiring the Authority to investigate the Controller.
• The appointed Data Protection Officer (DPO) for the Controller engaged proactively with the Authority during the course of the investigation and concedes that lessons have been learnt as a result of the process.

Aggravating factors:
• The Controller in this case is the Government of Alderney and the processing of personal data in all areas of public service carries with it additional responsibility. It is imperative that where all personal data, but especially special category data, are processed, there is absolute clarity on the legal basis for processing and all associated compliance requirements.
• There was a personal impact of this matter on the Complainant. As they were unable to work whilst the renewal process was being resolved, there was a direct negative impact on their income.

15. The Authority decided to impose a formal reprimand in relation to the breaches of section 6 (“Duty to comply with data protection principles”) and section 12 (“Right to information for personal data collected from data subject”). Additionally, the Authority has decided to issue a cautionary warning in respect of the breaches of section 6 (“Duty to comply with data protection principles”) and section 7 of the Law (“Lawfulness of processing”) that were likely to occur had the processing continued.

16. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:

“This matter highlights the importance of ensuring due process around the handling of all personal data, especially where these data are afforded greater legal protections, as in this case. We are grateful to the controller for their full cooperation throughout this case and for the positive steps they have already taken to prevent future breaches.”

Legal Framework
  • This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
  • The Authority may conduct an investigation (under section 68 of the Law) following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law.
  • In this case, the controller is the States of Alderney.
  • Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
  • Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.
  • Having considered the details of this case, the Authority has imposed a reprimand and a warning under section 73 of the Law.
  • Section 84 of the Law provides for an appeal by the controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days. The States of Alderney chose not to appeal the determination.