The Data Protection (Bailiwick of Guernsey) Law, 2017 ('the Law')
Public Statement
Issued: 16:00 Friday 8 December 2023
Controller: Guernsey Union D’Escrime LBG
What happened?
The Guernsey Union D’Escrime LBG (‘the GUE’) has been served with an Enforcement Order requiring it to improve its processes for dealing with data subject access requests.
The Data Protection Authority conducted an investigation following a complaint from a family that they hadn’t been provided with information being held about them.
A ‘data subject access request’ entitles an individual (known as the ‘data subject’) to, amongst other things, be provided with any information about or related to them (‘personal data’) that is held by an organisation (known as a ‘controller’). In this instance the data subject was a minor and the request was made by a parent on their behalf.
The family requested information about the GUE’s involvement with the minor, due to safeguarding concerns which have caused anxiety and distress to the data subject.
The GUE sought guidance from the Authority when it first received the request, in order to understand its responsibilities. However, when it became clear that these had not been properly fulfilled, the Authority was disappointed by the GUE’s apparent reluctance during the course of the investigation to accept advice.
The investigation was also protracted due to the repeated correspondence necessary to get relevant answers from the GUE.
Following the investigation, during which additional material was subsequently disclosed to the family by the GUE in response to their request, the GUE was unable to justify to the Authority their reasons for not doing so earlier.
It was only after the Authority intervened, some 237 days after the family’s request had been made, that the GUE provided the additional personal data. It was assessed that it was reasonable to assume that the additional data would not have been provided to the family had the Authority not intervened.
The Authority issued a determination that the GUE had breached section 15 of the Law, by not providing all relevant personal data within the required deadline outlined in section 27 of the Law.
Why is this a problem?
During its deliberations, the Authority took into account that the GUE was a not-for-profit organisation and therefore did not have access to the resources that other organisations often have for responding to such requests.
However, whenever personal data is being processed, and particularly when that relates to children and young people, organisations need to engage with the Law’s requirements to ensure compliance, whatever the size or structure of the organisation.
The Authority understands the third sector are unlikely to have specialist data protection knowledge and has always made efforts to support charities in fulfilling their data protection responsibilities.
What has happened as a result?
Where organisations breach the Law, the Authority considers taking action to address those breaches by issuing an appropriate sanction(s), which can include an administrative fine.
The Authority issued an enforcement order to the Guernsey Union D’Escrime LBG which requires them to take specified action to address shortcomings in compliance with the Law. This means that GUE will have to demonstrate, within three months, that it has improved those processes.
The GUE had the right to appeal the determination and the enforcement order but did not do so. However, in correspondence to the Authority, the GUE, whilst committing to comply with the enforcement order, stated that it felt the sanction imposed was ‘unfair’.
What can be learned?
People, processes and governance matter. The greater the potential harm, the more robust the process should be. It should be noted that even minor procedural missteps can have significant and sometimes entirely unexpected consequences. It is also important to cooperate with the Authority and take on board advice that is provided.
The Authority provides a number of resources to assist organisations with their data protection compliance. It also works closely with the Association of Guernsey Charities, running several bespoke awareness sessions this year to support the third sector, as well as attending the AGC’s 2023 Conference entitled Building an Effective Voluntary Sector. Planning for similar events in 2024 is already underway.
Legal Framework
- This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 ('the Law').
- In this case, the Controller is the Guernsey Union D’Escrime LBG.
- The Authority may conduct an investigation under section 68 of the Law upon receipt of a complaint from an individual where the individual considers that a controller or processor has breached or is likely to breach an operative provision of the Law. In this case, a complaint was made into the alleged non-provision of personal data in response to a data subject access request ('the Request').
- As a result of the investigations, the Authority determined that the Controller had breached section 15 of the Law ('Right of access').
- In accordance with the powers contained in section 73 of the Law, the Authority has issued an enforcement order to the Controller. This requires the Controller to take specified action to address shortcomings in particular areas of its data processing in accordance with the Law.
- The Controller had the right to appeal this sanction but did not do so.