The Data Protection (Guernsey) Law, 2017 (the Law)
Issued: 11am 22/08/2019
Controller: Policy and Resources Committee
1. The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that the Policy and Resources Committee (the controller) has breached section 6(2)(a) of the Law.
2. The Authority finds that an employee of the Policy and Resources Committee, in the position of manager, made reference to the health status of a managed member of staff in an email sent to several recipients.
3. The disclosure of the complainant’s personal data in this context caused them considerable distress and they have ongoing concerns about the possibility of the disclosure negatively impacting future employment.
4. This led to the complainant lodging a formal complaint about the Policy and Resources Committee to the Authority under section 67 of the Law.
5. The Authority finds that the Policy and Resources Committee had no legal basis for disclosing this information.
6. The Authority is therefore satisfied that the Policy and Resources Committee failed to comply with the lawfulness, fairness and transparency principle [s.6(2)(a)].
7. Special category data (including health data) are afforded higher levels of protection in the Law, reflecting the harm and distress that can result from a breach. The Authority is clear that where organisations do not take their legal responsibilities to protect such data seriously, consideration will be given to the appropriate sanction, including the issuing of a fine.
8. In this case, the Authority has identified the following mitigating factors –
– Early engagement and cooperation by the Policy and Resources Committee data protection officer
– Early admission of the breach by the Policy and Resources Committee
– Updated advice and support provided by the Policy and Resources Committee for employees handling personal data
9. Considering the above factors, the Authority has, by written notice to the Policy and Resources Committee, imposed a reprimand.
• This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
• Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
• In this case, the controller is the Policy and Resources Committee and liability for their employee’s action rests with them.
• The Authority may investigate a complaint in accordance with section 68 of the Law. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
• In accordance with section 71, the Authority, having made the breach determination, will consider which sanction to impose against the controller.
• Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed a reprimand against the controller.
• Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days.