Fine issued to Trinity Chambers LLP over data release issues

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Public Statement
Issued: 9am 6 November 2020
Controller: Trinity Chambers LLP


  1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
  2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.
  3. Following a complaint made to the Authority under section 67 of the Law, an investigation was conducted under section 68 of the Law. The complaint related to the alleged unauthorised disclosures of personal data as a result of repeated human error.
  4. It was shown that Trinity Chambers LLP sent files by email and by post, including highly confidential and sensitive personal details relating to the complainant and their family, without appropriate security. This information was then unwittingly accessed by unconnected third parties who had no way of knowing the nature or sensitivity of the content.
  5. Whilst the personal data involved did not constitute special category data as defined in the Law, it was highly sensitive and private for the individuals involved.
  6. As a result of the investigation, the Authority determined that Trinity Chambers LLP breached the Law in relation to the unauthorised disclosure of personal data to a third party.
  7. The Authority has fined Trinity Chambers LLP £10,000 to reflect the serious nature and impact of failing to look after personal data. The fine also reflects the lack of engagement by the controller and concerns that there has been a lack of appreciation of the potential wider impact of the breach for the individuals affected.
  8. Trinity Chambers LLP had the right to appeal this fine but did not do so.
  9. The Authority confirmed that the Law requires all fine monies to be paid to the States of Guernsey’s general revenue account.
  10. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:

“The data protection law has the protection of individuals at its heart. The Authority will not hesitate to take proportionate and effective action in cases where the law has not been complied with. We have been disappointed that there is little evidence that the controller in this case engaged in a timely manner with the complaint or appreciated the impact of the breach on the individuals concerned. This is especially relevant considering the role that trust and confidentiality plays in the legal sector. Individuals have a right to expect that those organisations who have their information will look after it properly. In a small community, such as ours, the impact can be significant if that information is compromised. This case further highlights the role of human error; something we have previously highlighted on a number of occasions. We understand that mistakes get made but when that happens, organisations must respond quickly, engage early and learn from what has happened.”

Legal Framework

  • This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
  • The Authority may conduct an investigation (under section 68 of the Law) following a complaint, into whether a controller or processor has breached or is likely to breach an operative provision of the Law.
  • In this case, the controller is Trinity Chambers LLP.
  • Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
  • Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.
  • Having considered the details of this case, the Authority has imposed an administrative fine order under sections 73(2)(g) and 74 of the Law.
  • Section 84 of the Law provides for an appeal by the controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days. The controller has not made an appeal in this case.