BLOG: World Children’s Day – 20 November 2020

Our commissioner, Emma Martins, has written this blog to mark World Children’s Day (20 November 2020) to ensure a focus on: children’s legal rights; ethical treatment of children; and how empowered children educate their communities.   

World Children’s Day is celebrated on 20 November each year. It commemorates the Declaration of the Rights of the Child by the UN Assembly on 20 November 1959. This declaration is an international document which promotes a broad range of child rights. On 20 November 1989 the UN General Assembly adopted the Convention on the Rights of the Child, so 2020 is the convention’s 30th anniversary.

As with declarations and days of this nature, it is in many ways sad that society needs to be reminded of the importance of equal and inalienable rights for certain members of our global community (in this case: children). At the same time, we must embrace every opportunity we are presented with to ensure those who may not have the voice or power that others enjoy are heard and listened to.

The declaration sets out a number of articles which chime with human rights more generally (hardly surprising given the UN’s role in both). The scars inflicted by World War II prompted much reflection on the importance of individual rights, and we owe it to ourselves and each other to remember the birthplace of many of the things in our lives which we now take for granted.

In addition to many other key rights, the declaration specifically includes the following:

  • Article 16 (right to privacy)
    Every child has the right to privacy. The law should protect the child’s private, family and home life, including protecting children from unlawful attacks that harm their reputation.
  • Article 17 (access to information from the media)
    Every child has the right to reliable information from a variety of sources, and governments should encourage the media to provide information that children can understand. Governments must help protect children from materials that could harm them.

Whilst these are only two of many articles contained in the declaration, they are relevant for the work we are doing here at this office.

We want to highlight the importance of recognising that privacy and data protection rights apply as much to children as to adults. The younger generation are growing up as ‘digital natives’, meaning, for many of them, that almost every minutia of their existence is being documented in a way that no previous generation has experienced. This ‘datafication’ of their lives has consequences both for their present and their future. Some of these consequences will be obvious, but others will be less so because they may not manifest themselves for many years to come.

Building fundamental rights into our society, and recognising that in some cases we need to double down on efforts to ensure appropriate protection for individuals, must be something we commit to and nurture.

The Law which we are tasked with regulating, the Data Protection (Bailiwick of Guernsey) Law, 2017, builds in additional safeguards for children. Where young people are asked to consent to their personal data being used, there is clearly a danger of that consent being given without full appreciation or understanding of the consequences or risks. That is not being patronising, it is simply being realistic. The complexity of data collection practices in this digital era is a challenge for adults, so it is entirely unfair to expect a child to read and understand complex legal terms and conditions and to engage with what that might mean to them in the future.

Ensuring our local regulated community have due regard for the age of the child whose data they are processing is a start. Organisations who are specifically targeting young people in respect of products or services need to act responsibly which means acting in accordance with the law as well as acting ethically. As a society we must not tolerate anything less.

Beyond that, we also need to ensure that children and their families and carers have access to relevant and useful information about data and their rights. In this way, we seek to engage and empower them as they grow up in this data-driven era.

It is my firm view that digital literacy is now as essential to our young people as other, more ‘traditional’ skills are. So, we have now embarked on a schools outreach programme to do just that.

Our schools programme was developed by our outreach officer (a trained teacher) who worked with local teachers to develop a bespoke set of activities for key year groups linked to the Bailiwick’s ‘Big Picture Curriculum’. The programme engages children in games that explain key concepts under the Personal, Social, Health and Economic area of the curriculum such as:

  • Understanding what privacy is
  • Rules, rights, responsibilities and laws
  • Sharing data
  • Online presence and communication
  • Keeping personal information safe

Children and young people are powerful drivers of cultural change. We want our schools programme to harness that power to enhance our local population’s understanding, awareness, and appreciation of their rights under the local data protection law.

If children’s awareness of data protection is enhanced, everyone benefits:

  1. A well-informed young person is less likely to fall victim to harms that may arise from misuse of their personal data.
  2. A well-informed young person may share their new awareness with adults in their lives, so the message is spread wider.
  3. When these engaged and informed individuals enter the workforce their awareness, attitudes, and actions could serve to strengthen overall compliance.

This is not about segregating different sections of our community and treating them differently; this is about recognising that the precious rights enshrined in law apply equally to us all. For some, those rights are easy to navigate; for others, less so. Our job is to do all we can to educate, support and empower in ways that are relevant and appropriate for everybody.

SEE ALSO: odpa.gg/schools

ODPA confirms data breaches still at low levels, mostly accidental

Figure: Number of personal data breaches reported to ODPA by category. Date range: 1 Sep – 31 Oct 2020.

THIRTY-FOUR personal data breaches were reported to the Office of the Data Protection Authority (ODPA) in the two months leading up to 31 October 2020, the vast majority of which were classified as accidental.

Overall, from the latest statistics, 26 of the breaches (75%) related to data sent to the incorrect recipient by either email or post, and the total is consistent with previous reporting periods. Of the 11 possible categories devised by the ODPA, the remaining eight breaches were classified as cyber incidents, inappropriate access or inappropriate disclosure.

The 34 were from a range of sectors, including six from retail/wholesale, a similar number from fiduciary entities, three from charities/not for profit and the remaining 19 spread across 11 other sectors.

The Bailiwick’s Data Protection Commissioner, Emma Martins, observed that although the number of errors remains relatively low, all parties still have something to learn.

‘The publication of information relating to the number and nature of personal data breaches is important. It ensures that we are all part of an honest approach when things go wrong, and it also helps us to better understand the areas of risk, which in turn can help us focus on preventing them in the future. It continues to be the case that accidental sending of data to the wrong person is the most common type of breach reported to us. What we can take from that is the knowledge that it is absolutely something we can all play a positive and important role in reducing. We will never eliminate human error, but we should not underestimate the impact that having robust systems and processes, together with comprehensive staff awareness and training programmes, can have in mitigating those risks.’

Mrs Martins added:

‘It is also important to remember that for each of these breaches, the personal information of one or more individuals is likely to have been compromised. Our aim in raising awareness and encouraging a focus on making improvements is to ensure we all do as much as we can to protect people from those harms. I would take this opportunity to once again thank our local regulated community for their engagement in this breach reporting requirement; it continues to have a direct and meaningful impact on raising the standards of data governance for the Bailiwick.’

NOTES

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

Breach reporting
One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it (see section 42 (2) of the Law). Organisations can report breaches to the ODPA via odpa.gg/breach-reporting.

Why does the ODPA publish breach statistics?
The ODPA has published statistics of the number of breach reports it receives, every 2 months since October 2018. Publishing this information allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.

Number of personal data breaches reported to ODPA (2018 – present):

  • ODPA confirms data breaches still at low levels, mostly accidental (2 months to 31 October 2020 – details above): 34
  • Lowest number of data breaches: less data harms, or less engagement? (2 months to 31 August 2020): 21
  • Learning and improvement the route to a culture of compliance (2 months to 30 June 2020): 34
  • Commissioner ‘encouraged’ by consistent breach reporting trend (2 months to 30 April 2020): 30
  • Lowest number of breaches in more than a year (2 months to 29 February 2020): 28
  • Data Protection Commissioner calls for a culture of improvement (2 months to 28 December 2019): 48
  • Data breaches: workplace culture change needed (2 months to 27 Oct 2019): 44
  • Human behaviour remains key risk to protecting data (2 months to 26 Aug 2019): 32
  • Data Protection Commissioner cautions against a ‘culture of blame’ (2 months to 25 Jun 2019): 50
  • Human error remains biggest risk in data protection locally (2 months to 22 Apr 2019): 40
  • ODPA report further increase in local data breaches (2 months to 22 Feb 2019): 45
  • Increase in local data breaches (2 months to 18 Dec 2018): 28
  • ODPC offers advice after increase in local data breaches (2 months to 18 Oct 2018): 26


How are personal data breaches categorised?
The ODPA individually assesses each breach reported to it and assigns it to one of the eleven categories listed below. Nine of the eleven categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. One of the eleven categories (‘cyber incidents’) can be either accidental or deliberate. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious.

  1. Loss of data/paperwork/device – accidental
  2. Data sent to incorrect recipient – email – accidental
  3. Data sent to incorrect recipient – post – accidental
  4. Data sent to incorrect recipient – fax – accidental
  5. Inappropriate access – accidental
  6. Inappropriate disclosure – accidental
  7. System error – accidental
  8. Cyber incidents – accidental or deliberate
  9. Unauthorised access – deliberate
  10. Unauthorised disclosure – deliberate
  11. Other – accidental or deliberate

What is a personal data breach?
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

What is the threshold for reporting a data breach to the ODPA?
Organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident (see section 42 (5) of the Law). It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

What are a person’s ‘significant interests’?
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

Elizabeth College suffers cyber-attack

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Public Statement
Issued: 19 November 2020

Controller: Elizabeth College


  1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
  2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.
  3. The Authority can confirm that Elizabeth College has complied with the statutory reporting requirements contained within the Law and has provided the Authority with written notice of the personal data breach which affected Elizabeth College Foundation data.
  4. The Authority further notes that Elizabeth College has communicated directly to those individuals who may have been affected.

ODPA launches outreach programme to all Bailiwick schools

The Office of the Data Protection Authority (ODPA) is embarking on its outreach programme, aiming to raise young people’s awareness of their rights and the possible risks associated with the misuse of personal data.

The ODPA’s Outreach Officer Kirsty Bougourd is available to all Bailiwick schools that wish to take the opportunity for their students to learn more about personal data and how to protect it.

The sessions on offer have been developed following consultation with PSHCE professionals within Guernsey’s Committee for Education, Sport and Culture to ensure they fit with the curriculum and are targeting the most appropriate age group. The sessions are the result of focus groups held over the last 12 months with students in different years and schools and have been modified to best fit timetables and to engage the young people in a fun but informative way.

Each session is made up of activities designed to help children uncover different aspects of data protection through the process of directed discovery and discussion. The aim is to help them to understand their rights and responsibilities as well as how to protect themselves and their personal data.

Children are powerful communicators and will hopefully share these messages with any adults and other young people in their lives. It’s hoped that by elevating discussions around personal data and how to safeguard its use, more people will understand data protection’s true purpose and value.

The programme forms part of the Authority’s commitment and statutory obligation to “promote public awareness of risks, rules, safeguards and rights in relation to processing, especially in relation to children”. But as the Bailiwick’s Data Protection Commissioner Emma Martins explains, this is about more than fulfilling legal duties, it’s about ethics.

‘This programme is an important pillar of the work we are doing. Ensuring young people have data rights incorporated into their broader education has many benefits. A well-informed young person is less likely to fall victim to the harms that can arise from misuse of their personal data, and is more likely to become a responsible and enlightened adult. When they enter the workforce they will hopefully already have an understanding of what the Law says they must do, but also why, ethically, looking after personal data is the right thing to do. As well as empowering people through education, we also want to encourage an exploring of the fascinating world of data and how it impacts our personal lives and our economy.’

Outreach Officer Kirsty Bougourd explained the importance of the schools programme.

‘There are so many good reasons for starting this programme and I’m very proud and excited to be part of it. Young people are among the most vulnerable members of our community and deserve the greatest protection. Yet they are often the most prolific sharers of their personal data through online games and activities. Helping them understand how to look after themselves and their data in such a digitally connected world is vital. But I have also tried very hard to show how data isn’t just shared online but throughout our general daily activities. Ultimately, I want them to learn how to be safe but have fun at the same time.’

Deputy Andrea Dudley-Owen, President of the Committee for Education, Sport and Culture, commented:

‘The safety of our children is paramount and prevention of harm and abuse extends into digital and online environments. We know that the use of social media can impact negatively the wellbeing, mental health and resilience of our young people, where data can be shared easily and widely in one screen swipe and privacy often counts for little. Working with agencies like the Office of the Data Protection Authority is really important because it helps us to raise awareness in schools and amongst the wider community, using their legal voice to emphasise that a child has rights, and how essential it is to manage personal data and privacy even from a young age.

I am delighted to see the ODPA being welcomed into our schools to deliver their Outreach Programme, which supports the work that many have done on the UNICEF Rights Respecting Schools Award. I hope that the students receiving the talks will help to spread the word not just in school, but also to their parents and families that privacy and data management really matters because it helps to protect and keep our youngsters safe and well.’

The outreach programme will run on a continuous basis and is currently aimed at students in Year 6 and Year 10. Any schools wanting to book an outreach session for their students can email communications@odpa.gg or call 01481 742074.

More information on the programme is available at odpa.gg/schools.

NOTES

  • Statutory function
    Under Section 61 of The Data Protection (Bailiwick of Guernsey) Law, 2017 the ODPA has a statutory function to promote a better understanding of data protection within the young people of the Bailiwick. Specifically: “to promote public awareness of risks, rules, safeguards and rights in relation to processing, especially in relation to children”.
  • UN Convention on the Rights of the Child
    The ODPA outreach activities also complement the UN Convention on the Rights of the Child, particularly:
    Article 16 (right to privacy) – “Every child has the right to privacy. The law should protect the child’s private, family and home life, including protecting children from unlawful attacks that harm their reputation.”
    Many Bailiwick schools are actively engaged in achieving the UNICEF Rights Respecting Schools award in accordance with this convention.

Ensuring free-flow of personal data post Brexit

On Monday 9 November 2020, the Committee for Home Affairs submitted proposals to the States of Guernsey designed to ensure the continued free-flow of personal data between the Bailiwick of Guernsey and the UK after the end of 2020.

Deputy Rob Prow, President of the Committee for Home Affairs, said:

‘While the UK is still expecting to receive an adequacy decision by the end of 2020, there is a real risk that this timeframe will not be achieved. If this were to be the case, the Bailiwick of Guernsey would be left in a position where the sharing of personal data with the UK would be unlawful and technically would have to stop.

‘In order to avoid this and to maintain the free flow of personal data to the UK, we must be prepared with alternate provisions. As such, we are asking the States to approve a new Ordinance in order to extend the “sunset clause” for data sharing with the United Kingdom.

‘If approved, this Ordinance would ensure that the UK continues to be designated as an “authorised jurisdiction” until 31st December 2021.’

Fine issued to Trinity Chambers LLP over data release issues

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Public Statement
Issued: 9am 6 November 2020
Controller: Trinity Chambers LLP

  1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
  2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.
  3. Following a complaint made to the Authority under section 67 of the Law, an investigation was conducted under section 68 of the Law. The complaint related to the alleged unauthorised disclosures of personal data as a result of repeated human error.
  4. It was shown that Trinity Chambers LLP sent files on email and in the post including highly confidential and sensitive personal details relating to the complainant and their family without appropriate security. This information was then unwittingly accessed by unconnected third parties who had no way of knowing the nature or sensitivity of the content.
  5. Whilst the personal data involved did not constitute special category data as defined in the Law, it was highly sensitive and private for the individuals involved.
  6. As a result of the investigation, the Authority determined that Trinity Chambers LLP breached the Law in relation to the unauthorised disclosure of personal data to a third party.
  7. The Authority has fined Trinity Chambers LLP £10,000 to reflect the serious nature and impact of failing to look after personal data. The fine also reflects the lack of engagement by the controller and concerns that there has been a lack of appreciation of the potential wider impact of the breach for the individuals affected.
  8. Trinity Chambers LLP had the right to appeal this fine but did not do so.
  9. The Authority confirmed that the Law requires all fine monies to be paid to the States of Guernsey’s general revenue account.
  10. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:

“The data protection law has the protection of individuals at its heart. The Authority will not hesitate to take proportionate and effective action in cases where the law has not been complied with. We have been disappointed that there is little evidence that the controller in this case engaged in a timely manner with the complaint or appreciated the impact of the breach on the individuals concerned. This is especially relevant considering the role that trust and confidentiality plays in the legal sector. Individuals have a right to expect that those organisations who have their information will look after it properly. In a small community, such as ours, the impact can be significant if that information is compromised. This case further highlights the role of human error; something we have previously highlighted on a number of occasions. We understand that mistakes get made but when that happens, organisations must respond quickly, engage early and learn from what has happened.”

Legal Framework

  • This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
  • The Authority may conduct an investigation (under section 68 of the Law) following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law.
  • In this case, the controller is Trinity Chambers LLP.
  • Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
  • Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.
  • Having considered the details of this case, the Authority has imposed an administrative fine order under section 73(2)(g) and 74 of the Law.
  • Section 84 of the Law provides for an appeal by the controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days. The controller has not made an appeal in this case.

ODPA responds to GFSC cyber security consultation

The ODPA has today responded to the GFSC consultation on cyber security issues and vulnerabilities.

The consultation highlights the importance of understanding and responding to technology risks, including data privacy, for the regulated community. It also illustrates the need to take an organisation-wide approach covering software, system updates, staff training and policies, all of which are vital in ensuring preparedness and mitigating risk.

Where organisations suffer a cyber incident, they may need to notify both the GFSC and the ODPA and we are keen to ensure our local business community is supported in delivering on their obligations. It is our hope that our two regulatory offices can continue to work effectively together to ensure as much clarity and assistance is provided where these reporting requirements apply.

All organisations need to engage with this issue and consider it a priority and we welcome the opportunity to comment and highlight this critical area of all business activity.

Enforcement order and reprimand issued to Guernsey Police

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Public Statement
Issued: 10:10 20 October 2020
Controller: Guernsey Police


1. The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that Guernsey Police has breached section 6(2)(a) of the Law.

2. The Authority finds that Guernsey Police did not process special category personal data relating to an individual in a lawful, fair and transparent manner. In particular, the individual’s personal information was processed without the demonstrable consent that was needed in this case.

3. This led to the individual lodging a formal complaint to the Authority regarding the processing of personal data by Guernsey Police under section 67 of the Law.

4. The Authority finds that Guernsey Police was unclear as to how the processing was compliant with the requirements of the Law, section 6(2)(a) in particular, and the procedures around the sharing of data in these circumstances evidenced a lack of compliance.

5. The Authority is therefore satisfied that Guernsey Police failed to comply with section 6(2)(a), the principle relating to “Lawfulness, Fairness and Transparency”.

6. The Authority is clear that where organisations do not ensure that personal data is processed in a lawful, fair and transparent manner, consideration will be given to the appropriate sanction including the issuing of a fine.

7. In this case, the Authority has identified the following mitigating factors –

• The complaint and investigation focused on the sharing of personal data (including special category data) in relation to a single data subject;
• The Authority is not aware of any other complaints having been made about Guernsey Police in relation to such processing;
• Data was shared with two professional teams who the Police believed would be able to assist the data subject;
• When made aware of the complaint, Guernsey Police sought the destruction of the shared information, and confirmation of destruction was provided by the parties with whom the data had been shared;
• It is recognised that Guernsey Police has commenced a review into the existing procedures to support those people they deem vulnerable following an admission that the procedure was not compliant with the requirements of the Law; and
• Guernsey Police has cooperated with the Authority.

8. Considering the above factors, the Authority has, by written notice to Guernsey Police, imposed a formal enforcement order to bring specified processing operations into compliance and a reprimand for the lack of compliance.

Legal Framework

• This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
• No detailed information will be provided to protect the identity of the individual and the circumstances of the case.
• Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
• In this case, the controller is Guernsey Police.
• The Authority may investigate a complaint in accordance with section 68 of the Law. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
• In accordance with section 71, the Authority, having made the breach determination, will consider which sanction to impose against the controller.
• Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed an enforcement order and reprimand against the controller.
• Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days. In this case the appeals period has now passed.
• If the Authority makes a breach determination, the Authority may by written notice to the person concerned impose all or any of the following sanctions against that person –
a) a reprimand,
b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and
c) an order under subsection (2) including an administrative fine.