ODPA takes ‘realistic’ approach to regulatory activity during Bailiwick ‘lockdown’

The Office of the Data Protection Authority (ODPA) is reassuring local organisations that it is taking a realistic and pragmatic approach to its regulatory activities during the Bailiwick’s ‘lockdown’.

The ODPA is the operational body that carries out the regulatory functions of The Data Protection (Bailiwick of Guernsey) Law, 2017 delegated by the Data Protection Authority. This law places a number of legal obligations on local organisations that handle personal data, and gives Bailiwick citizens 10 rights over how their data is used.

Whilst the ODPA cannot extend timescales that are defined in law, it would like to reassure local regulated organisations that it is taking a realistic approach to its regulatory activities during the Bailiwick’s lockdown period, which started on Wednesday 25 March.

Bailiwick Data Protection Commissioner, Emma Martins, emphasised this:

‘These are not normal times and I want to make it clear that we will not take enforcement action against any organisation who is trying to do the right thing. We know that everyone’s focus is understandably diverted to dealing with new ways of working and the associated challenges for us all, as employers, employees and citizens. We also understand and are realistic about the impact the current disruption will have on compliance and governance, especially in sectors which are now instrumental in the Bailiwick’s response to the unfolding public health situation. Members of the public will also, we hope, understand that organisations may not be able to respond as quickly as usual to requests relating to their personal data. We are part of a community that is pulling together at an extraordinary time and want to ensure we carry out our duties in a responsible and practical manner in the interests of that whole community.’

The ODPA’s premises on Le Bordage shut on Monday 23 March and its nine staff members are now working remotely. Staff are available during normal office hours to answer queries about personal data, whether arising from the evolving public health situation or otherwise, and can be contacted via enquiries@odpa.gg.

In common with other organisations, all ODPA public events and drop-ins are suspended until further notice. Efforts are underway to support local organisations via online platforms to ensure continued focus on improving compliance and preventing people being harmed by misuse of their data.

Protecting personal data in extraordinary circumstances

With an increased proportion of the Bailiwick’s workforce working remotely, now is a good time to check how your organisation’s protection of personal data is maintained outside the usual workplace.

Remember: the object of data protection legislation is to protect people’s rights in relation to how their data is treated.

All organisations, from sole-traders to multinational companies, charities to governments handle personal data of their staff/clients/suppliers/citizens. Doing this well enables trust and good relationships to be maintained, and prevents people being harmed by misuse of their data.

With this in mind, all local organisations need to recognise that remote working may increase the risk to personal data. Positive and effective steps can be taken to mitigate this risk; consider the following common-sense measures:

  1. Make sure staff are aware of, and able to implement, your existing policies on remote working.
  2. Depending on what your staff are doing with personal data whilst working remotely, consider whether it may be helpful (or legally required) for your organisation to perform a Data Protection Impact Assessment.
  3. If you identify a potentially high-risk processing activity involving personal data that you need staff to perform remotely, seek advice from your Data Protection Officer (if you have one), or visit odpa.gg/advice-guidance.
  4. Ensure staff only use secure network connections (for example, your organisation’s own remote-access connection rather than an unprotected public network), and that all devices used for work have appropriate and up-to-date anti-virus software and other security measures in place.
  5. Take extra care when transporting any paperwork or devices that may contain personal data: where appropriate, use additional security measures such as two-factor authentication for devices, or physical locks for storing paperwork.
  6. Be extra vigilant to social engineering (e.g. criminals impersonating your staff, suppliers or clients) in all its forms, as criminals are actively trying to take advantage of the current disruption.
  7. Inevitably, people’s attention to detail, focus and vigilance may suffer when they are not in their usual workplace, especially if their attention is also demanded by other household members, such as small children in their care. Be realistic with your staff about the level of productivity you expect from them, and consider limiting them to low-risk, business-critical tasks.
  8. Think about the accountability principle: is your organisation using personal data in a new (or different) way as a result of the current public health situation? If so, document the decision-making process that led to this and update any relevant policies.

Is the ODPA taking a more ‘relaxed’ approach to enforcement activities during the current public health situation?

We would like to reassure local organisations that we are taking a realistic and pragmatic approach to regulatory activities during the Bailiwick’s ‘lockdown’.

ODPA events programme update (20 March)

Please note the following changes to our 2020 Events Programme:

  1. We have postponed Data Protection in the Workplace (which was due to take place on 17 March); a new date has not yet been set. All registered attendees were informed via email on 12 March.
  2. We have postponed How to respond to ‘subject access requests’ (which was due to take place on 31 March); a new date has not yet been set. All registered attendees were informed via email on 20 March.
  3. We have postponed the ODPA Conference 2020 (which was due to take place on 20 May) until Wednesday 7 October. There is an active waiting list for this paid event, which you can join; we will email you once bookings are open.
  4. For all other events (see our Events page for details) we will make a judgement call in the days leading up to each event, depending on States of Guernsey advice. All events are sold out with active waiting lists.

Registered attendees
If you are registered to attend an event with us you will be emailed directly with any changes.

Waiting lists
If you are on a waiting list for an event you will only be contacted if a space becomes available.

Please visit our events page for more details. 

If you have any questions about our events programme please email communications@odpa.gg.


Our events programme should be considered in the context of section 61 of The Data Protection (Bailiwick of Guernsey) Law, 2017 which outlines our duty to raise public awareness of citizens’ rights and to promote awareness of controllers/processors’ legal duties.

Our events programme is a key aspect of our Communications Strategy, and we intend to use our events to effect positive cultural change by:

• being accessible to local organisations and citizens of all ages
• improving compliance by building awareness of topical issues in data protection
• encouraging innovation and excellence in data protection practices
• exploring official guidance with the regulated community
• gathering feedback from local industry and individuals

Coronavirus (COVID-19) statement

Our commissioner, Emma Martins, made the following statement on 17 March 2020:

“The current public health situation presents our community and the world at large with extraordinary and fast evolving challenges which are increasingly affecting every aspect of our lives both from a personal and professional perspective.

In recent weeks at the ODPA, we have been working hard to ensure our business continuity plans are updated and strengthened in response to developments. The safety and wellbeing of our staff is a priority. We are part of the community we serve and owe it to ourselves and the wider community to conduct ourselves responsibly. We are also committed to delivering on our statutory duties as best we can but recognise that, as a small team, this may become more challenging if staff need to self-isolate or become unwell.

It is impossible to predict what the next few weeks and months will bring but we will continue to work hard to fulfil our responsibilities, as an employer and a regulator, as best we can. If this means we are more difficult to contact or take more time to respond to communications, I want to offer my personal apologies in advance whilst reassuring everyone that we are doing everything we can to minimise possible disruption.

Situations like this will inevitably bring out the best in people, but they will also bring out the worst. You will likely come across ‘fake news’ and you may well be targeted by scammers as they seek to exploit the current uncertainty and fear. Choose your news and information sources carefully and don’t click on links unless you know they are legitimate.

For updated information about the Bailiwick of Guernsey please see https://www.gov.gg/covid19resources

The word ‘community’ comes from the Latin ‘communis’ meaning ‘common, public, shared by all or many’. We are all part of a global as well as local community and share the challenges and concerns. We also share the commitment to get through this difficult time by working together in a responsible and practical way.”

– Emma Martins
Data Protection Commissioner (Bailiwick of Guernsey)

Lowest number of breaches in more than a year

Twenty-eight personal data breaches were reported to the Office of the Data Protection Authority (ODPA) in the two months leading up to 29 February 2020, the lowest figure in more than a year. The majority were accidental.

Since the last report the ODPA has refined its breach categories so that greater detail can be drawn from them; each reported breach now falls into one of eleven possible groups. In the latest statistics, 19 breaches were deemed accidental, three deliberate and six not specified.

Data sent to the wrong recipient remains the most common error, and this category has now been split into three groups according to whether the data was sent by post, email or fax. In the latest reporting period, nine breaches fell into this category, of which three were email errors and three postal errors. Inappropriate disclosure of data accounted for six breaches, whilst other self-reported breaches included three each of inappropriate access, unauthorised disclosure and cyber incidents.

The 28 breaches in total were from a range of sectors, including five from public authorities, four from healthcare organisations, three from fiduciary entities and the remaining 16 spread across 10 other sectors.

The Bailiwick’s Data Protection Commissioner, Emma Martins, observed that the obligation to report data breaches is still a relatively new requirement and that all parties have something to learn.

‘We publish the self-reported figures so that everyone can benefit from a better understanding of how and why breaches happen and therefore, how we can avoid them in future. We hope the new categories will deepen understanding of this.’

The ODPA’s Strategic Plan focuses on predicting, preventing and detecting data harms along with enforcing the local data protection law.

Mrs Martins commented on how the breach statistics help these activities.

‘As the regulator we can ensure our advice and guidance is relevant and helpful. By learning more about the origin of these breaches we can better educate organisations and in turn they can put in place practices that should ultimately reduce future breaches. Our overall goal is to protect people from the harms that data breaches can cause, as they often cannot be undone.’

Notes

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

New breach categories explained
The ODPA individually assesses each breach reported to it and assigns it to one of the eleven categories listed below. Nine of the eleven categories indicate whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’; the remaining two (‘cyber incidents’ and ‘other’) can be either. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious.

  1. Loss of data/paperwork/device (accidental)
  2. Data sent to incorrect recipient: email (accidental)
  3. Data sent to incorrect recipient: post (accidental)
  4. Data sent to incorrect recipient: fax (accidental)
  5. Inappropriate access (accidental)
  6. Inappropriate disclosure (accidental)
  7. System error (accidental)
  8. Cyber incidents (accidental or deliberate)
  9. Unauthorised access (deliberate)
  10. Unauthorised disclosure (deliberate)
  11. Other (accidental or deliberate)

Number of personal data breaches reported to the ODPA, by reporting period (with the title of the corresponding ODPA report):

  2 months to 29 Feb 2020: 28 (details above)
  2 months to 28 Dec 2019: 48 (Data Protection Commissioner calls for a culture of improvement)
  2 months to 27 Oct 2019: 44 (Data breaches: workplace culture change needed)
  2 months to 26 Aug 2019: 32 (Human behaviour remains key risk to protecting data)
  2 months to 25 Jun 2019: 50 (Data Protection Commissioner cautions against a ‘culture of blame’)
  2 months to 22 Apr 2019: 40 (Human error remains biggest risk in data protection locally)
  2 months to 22 Feb 2019: 45 (ODPA report further increase in local data breaches)
  2 months to 18 Dec 2018: 28 (Increase in local data breaches)
  2 months to 18 Oct 2018: 26 (ODPC offers advice after increase in local data breaches)

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

Public statement: reprimand issued to Channel Islands Financial Ombudsman

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)

Public Statement

Issued: 14:00 on 11 March 2020

Controller: Channel Islands Financial Ombudsman

1. The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that the Channel Islands Financial Ombudsman (the controller) has breached section 6(f) of the Law.

2. The Authority finds that the Channel Islands Financial Ombudsman sent an email containing personal data, including special category data, intended for the complainant to an erroneous email address.

3. This led to the complainant lodging a formal complaint about the Channel Islands Financial Ombudsman to the Authority under section 67 of the Law.

4. The Authority finds that the Channel Islands Financial Ombudsman did not process the complainant’s personal data in a manner that ensured its appropriate security.

5. The Authority is therefore satisfied that the Channel Islands Financial Ombudsman failed to comply with section 6(f) relating to “Integrity and confidentiality”.

6. The Authority is clear that where organisations do not ensure that personal data is processed in a manner which ensures its security, consideration will be given to the appropriate sanction including the issuing of a fine.

7. In this case, the Authority has identified the following mitigating factor –

– An early admission was made by the Channel Islands Financial Ombudsman as to the error and immediate action was taken to attempt to redress the situation.

8. In this case, the Authority has not identified any aggravating factors.

9. Considering the above factors, the Authority has, by written notice to the Channel Islands Financial Ombudsman, imposed a formal Reprimand.

Legal Framework

  • This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
  • Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
  • In this case, the controller is the Channel Islands Financial Ombudsman.
  • The Authority may investigate a complaint in accordance with section 68 of the Law. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
  • In accordance with section 71, the Authority, having made the breach determination, will consider which sanction to impose against the controller.
  • Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed a reprimand against the controller.
  • Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days.
  • If the Authority makes a breach determination, the Authority may by written notice to the person concerned impose all or any of the following sanctions against that person –

(a) a reprimand,

(b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and

(c) an order under subsection (2) including an administrative fine.

Global Privacy Sweep emphasises importance of positive engagement with community

We have released the local results of the seventh Global Privacy Enforcement Network’s (GPEN) annual Privacy Sweep.

During September and October 2019, the ODPA contacted 62 Bailiwick healthcare providers, requesting information about:

  • how they were prepared for handling data breaches
  • their internal procedures and framework
  • the processes in place for preventing future breaches.

Both large and small organisations indicated a desire to operate effective procedures, understood how to report breaches and found the ODPA’s web-based guidance on breach reporting helpful. Around one in eight of the providers contacted supplied feedback to the Privacy Sweep.

Bailiwick Data Protection Commissioner, Emma Martins, emphasised the importance of effective engagement.

“We welcome every opportunity to connect with our regulated community and although uptake was a little disappointing, the Privacy Sweep enabled us to gauge the level of understanding of breach reporting and was a useful intelligence gathering exercise, rather than part of any enforcement activities. Our office continues to support all local organisations with their data privacy activities, ensuring they are clear about expectations and understand how to prevent breaches as well as respond to them if they occur.”

Guernsey was one of 16 jurisdictions that took part and the sweep provided an opportunity to gather useful information and help guide future education and outreach. Globally, out of 1,145 entities that were approached, 258 provided meaningful responses.

Commenting on the local results gathered, Mrs Martins added,

“We are very grateful to the organisations that responded to the sweep. They trusted us with their information and took the time to reply, enabling us to form a view of the local landscape with respect to breach reporting and responses.

“Looking ahead, we hope to be involved in other international initiatives as there is much to learn from cooperation with data protection authorities around the globe. Hopefully these activities that aim to improve how we all engage and interact with personal data will be received more positively in the future both locally and worldwide.”


  • About the GPEN Privacy Sweep
    The GPEN Privacy Sweep is an international initiative that aims to increase awareness of privacy rights and responsibilities, to encourage active compliance with privacy legislation and enhance cooperation between privacy authorities worldwide. Participating authorities asked organisations, from a sector of their choice, questions about current systems for recording, reporting and preventing data breaches.
  • 2019 was the first time the ODPA contributed to this international intelligence-gathering exercise and out of the 16 jurisdictions that took part in the sweep the Bailiwick of Guernsey is one of 12 with mandatory breach reporting. Although taking part in the sweep was voluntary, a common reason given globally for not contributing was concern over follow-up enforcement action where mandatory reporting is in place.

  • Mandatory breach reporting
    READ: guidance for controllers on breach reporting and further information on the statutory requirements locally.
    According to section 42 of the Law, personal data breaches must be reported to the ODPA no later than 72 hours after the controller becomes aware of the breach. Controllers can report a breach via odpa.gg.


Public statement: reprimand issued to Policy & Resources Committee

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Public Statement
Issued: 14:00 on 26 February 2020
Controller: The Policy and Resources Committee


1. The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that The Policy and Resources Committee (the controller) has breached section 12(3) of the Law.

2. The Authority finds that The Policy and Resources Committee did not provide the data subjects who participated in the Committee for Home Affairs Governance Review (reported in ‘Meeting the challenge: towards better governance’) with the schedule 3 information required by the Law.

3. This led to four individuals lodging formal complaints about The Policy and Resources Committee to the Authority under section 67 of the Law.

4. The Authority finds that The Policy and Resources Committee did not provide the complainants with the information they had a right to be given, before or at the time their personal data was collected as part of a review of committee governance.

5. The Authority is therefore satisfied that The Policy and Resources Committee failed to comply with section 12(3) relating to “Right to information for personal data collected from data subject”.

6. The Authority is clear that where organisations do not meet their legal responsibility to provide data subjects with the information required by the Law, consideration will be given to the appropriate sanction, including the issuing of a fine.

7. In this case, the Authority has identified the following mitigating factor –

– An early admission was made by The Policy and Resources Committee that they had failed to provide the data subjects with the schedule 3 information as required by the Law.

8. In this case, the Authority has also identified the following aggravating factor –

– A lack of co-operation by The Policy and Resources Committee as evidenced by its repeated failure to answer a question posed, leading to a significant delay in drawing the investigation to a conclusion.

9. Considering the above factors, the Authority has, by written notice to The Policy and Resources Committee, imposed a formal Reprimand.

Legal Framework

  • This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
  • Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
  • In this case, the controller is The Policy and Resources Committee.
  • The Authority may investigate a complaint in accordance with section 68 of the Law. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
  • In accordance with section 71, the Authority, having made the breach determination, will consider which sanction to impose against the controller.
  • Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed a reprimand against the controller.
  • Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days. In this case the appeals period has now passed.
  • If the Authority makes a breach determination, the Authority may by written notice to the person concerned impose all or any of the following sanctions against that person –

(a) a reprimand,

(b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and

(c) an order under subsection (2) including an administrative fine.

Jersey and Guernsey regulators sign MoU

The Jersey and Guernsey data protection regulators are pleased to announce that they have signed a new Memorandum of Understanding (MoU).

The MoU sets out how the two offices will work collaboratively in a number of key areas, further strengthening the cooperation requirements that are contained within the data protection legislation.

Emma Martins, the Data Protection Commissioner for the Bailiwick of Guernsey, welcomed the move.

‘Data processing has now become borderless, so it is more important than ever for regulators to work together. We recognise that many organisations have a pan-Island presence and want to ensure as much consistency and clarity as possible when we are providing information and guidance as well as when we are investigating alleged breaches.’

Dr. Jay Fedorak, Jersey’s Information Commissioner, endorsed the spirit of cooperation and partnership manifest in the MoU.

 ‘While data protection authorities across the globe are working more closely together than ever before, there are few jurisdictions that have as much in common as Jersey and Guernsey. The people and businesses of the Channel Islands have a right to expect the same high standards of data protection and this includes regulators who take a coordinated approach to achieving those standards.’

READ: MoU between JOIC and ODPA 

NOTES 

About the Office of the Data Protection Authority (ODPA)
The ODPA is the operational body that carries out the regulatory functions of The Data Protection (Bailiwick of Guernsey) Law, 2017 delegated by the Data Protection Authority. These include recording data breaches, investigating complaints, running education programmes and examining proposed legislation and how it may affect individual privacy. The ODPA strives to empower individuals to exercise their rights as well as to support organisations to meet their compliance requirements and take action where they fall short.

About the Jersey Office of the Information Commissioner (JOIC)
The Office of the Information Commissioner is part of the Jersey Data Protection Authority. JOIC is the independent office responsible for overseeing the Data Protection (Jersey) Law 2018 and the Freedom of Information (Jersey) Law 2011. https://jerseyoic.org