The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Issued: 10:10 20 October 2020
Controller: Guernsey Police
1. The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that Guernsey Police has breached section 6(2)(a) of the Law.
2. The Authority finds that Guernsey Police did not process special category personal data relating to an individual in a lawful, fair and transparent manner. In particular, the individual’s personal information was processed without the demonstrable consent that was needed in this case.
3. This led to the individual lodging a formal complaint to the Authority regarding the processing of personal data by Guernsey Police under section 67 of the Law.
4. The Authority finds that Guernsey Police was unclear as to how the processing was compliant with the requirements of the Law, section 6(2)(a) in particular, and the procedures around the sharing of data in these circumstances evidenced a lack of compliance.
5. The Authority is therefore satisfied that Guernsey Police failed to comply with section 6(2)(a), the principle relating to “Lawfulness, Fairness and Transparency”.
6. The Authority is clear that where organisations do not ensure that personal data is processed in a lawful, fair and transparent manner, consideration will be given to the appropriate sanction including the issuing of a fine.
7. In this case, the Authority has identified the following mitigating factors –
• The complaint and investigation focused on the sharing of personal data (including special category data) in relation to a single data subject;
• The Authority is not aware of any other complaints having been made about Guernsey Police in relation to such processing;
• Data was shared with two professional teams who the Police believed would be able to assist the data subject.
• When made aware of the complaint, Guernsey Police sought the destruction of the shared information and confirmation of destruction was provided by the parties with whom the data had been shared.
• It is recognised that Guernsey Police has commenced a review into the existing procedures to support those people they deem vulnerable following an admission that the procedure was not compliant with the requirements of the Law; and
• Guernsey Police has cooperated with the Authority.
8. Considering the above factors, the Authority has, by written notice to Guernsey Police imposed a formal enforcement order to bring specified processing operations into compliance and a reprimand for the lack of compliance.
• This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
• No detailed information will be provided to protect the identity of the individual and the circumstances of the case.
• Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
• In this case, the controller is Guernsey Police.
• The Authority may investigate a complaint in accordance with section 68 of the Law. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
• In accordance with section 71, the Authority, having made the breach determination, will consider which sanction to impose against the controller.
• Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed an enforcement order and reprimand against the controller.
• Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days. In this case the appeals period has now passed.
• If the Authority makes a breach determination, the Authority may by written notice to the person concerned impose all or any of the following sanctions against that person –
a) a reprimand,
b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and
c) an order under subsection (2) including an administrative fine.