Public Statement:

Reprimand and Order issued to the Constables of St Peter Port resulting from a personal data breach

Published: 8 July 2022

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Public Statement
Issued: 13:30 8 July 2022 
Controller: Constables of St Peter Port

1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.
3. Following an investigation under section 68 of the Law, the Authority has determined that the Constables of St Peter Port (the Controller) breached operative provisions* of the Law, namely:
- section 7 relating to lawfulness of processing;
- section 8 relating to fairness of processing;
- section 12 relating to right to information for personal data collected from the data subject; and
- section 31 relating to duty to take reasonable steps for compliance.
4. The circumstances of the processing in question are that personal data, including special category data**, relating to the Complainant was disclosed in an email in March 2021 to other members of the Douzaine and to two parties outside the Douzaine. The Complainant was unaware that this would happen and suffered distress as a result of the disclosure.
5. The Complainant subsequently lodged a formal complaint with the Authority under section 67 of the Law, and an investigation of that complaint commenced.
6. During the early part of the investigation, it was apparent that the Controller was unaware of the relevant requirements of the Law and, as such, answers to questions posed lacked the necessary clarity. This improved towards the end of the investigation when the Controller demonstrated a clearer recognition of the matters of concern and the standards that were expected.
7. After conducting its investigation, the Authority found that the Controller did not, and could not, identify an appropriate condition under the Law for disclosing the Complainant’s special category data. Further, the Complainant had been unaware that the email would be shared, or that it had been shared, until after the event. In addition, there was found to be a lack of relevant policies and procedures to govern how personal data, especially higher risk special category data, should be handled and shared.
8. These findings led the Authority to determine that the Controller had failed to comply with section 7 relating to “lawfulness of processing”, section 8 relating to “fairness of processing”, section 12 relating to “right to information for personal data collected from data subject” and section 31 relating to “duty to take reasonable steps for compliance”.
9. Following the determination by the Authority that the Controller had breached operative provisions of the Law, it considered whether to impose sanctions under the Law for the breach and, if sanctions were to be imposed, what the most appropriate sanctions would be.
10. The Authority, in consideration of the aforementioned determination, has decided to impose a formal reprimand and an enforcement order which requires the Controller to meet its compliance requirements under the Law within a given timeframe.
11. The Controller had the right to appeal the determination and the issuance of an enforcement order but chose not to.
12. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:

“There is necessarily a greater responsibility for those working in all areas of the public sector to ensure they handle people’s private information appropriately. Citizens rarely have a choice but to provide their data and breaches can have a very real impact on trust and confidence. It is important for the Complainant, who suffered as a result of this breach, and the wider population that the Controller recognises where mistakes have been made and takes the necessary steps to prevent any reoccurrence. I am pleased that the Controller has now publicly committed to taking data protection seriously and to making the necessary improvements required by our order.”

*‘Operative provisions’ are anything in the Law that requires a controller and/or processor to take action in order to comply.
**‘Special category data’ is personal data revealing an individual’s racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, genetic data, biometric data, health data, data concerning an individual’s sex life or orientation, or criminal data.

Legal Framework
1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
2. The Authority may conduct an investigation (under section 68 of the Law), following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law.
3. In this case, the controller is The Constables of St Peter Port.
4. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
5. Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.
6. Having considered the details of this case, the Authority has imposed an enforcement order and a reprimand under section 73 of the Law.
7. Section 84 of the Law provides for an appeal by a controller to the Court against a determination made by the Authority or the issuance of an enforcement order. Any such appeal must be made within 28 days. The Controller did not appeal either the determination or the enforcement order.