The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
Issued: 14:00 on 11 March 2020
Controller: Channel Islands Financial Ombudsman
1. The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that the Channel Islands Financial Ombudsman (the controller) has breached section 6(f) of the Law.
2. The Authority finds that the Channel Islands Financial Ombudsman sent an email containing personal data, including special category data, intended for the complainant to an erroneous email address.
3. This led to the complainant lodging a formal complaint about the Channel Islands Financial Ombudsman to the Authority under section 67 of the Law.
4. The Authority finds that the Channel Islands Financial Ombudsman, did not process the complainant’s personal data in a manner that ensured its security appropriately.
5. The Authority is therefore satisfied that the Channel Islands Financial Ombudsman failed to comply with section 6(f) relating to “Integrity and confidentiality”.
6. The Authority is clear that where organisations do not ensure that personal data is processed in a manner which ensures its security, consideration will be given to the appropriate sanction including the issuing of a fine.
7. In this case, the Authority has identified the following mitigating factor –
– An early admission was made by the Channel Islands Financial Ombudsman as to the error and immediate action was taken to attempt to redress the situation.
8. In this case, the Authority has not identified any aggravating factors.
9. Considering the above factors, the Authority has, by written notice to the Channel Islands Financial Ombudsman, imposed a formal Reprimand.
- This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
- Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
- In this case, the controller is the Channel Islands Financial Ombudsman.
- The Authority may investigate a complaint in accordance with section 68 of the Law. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
- In accordance with section 71, the Authority, having made the breach determination, will consider which sanction to impose against the controller.
- Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed a reprimand against the controller.
- Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days.
- If the Authority makes a breach determination, the Authority may by written notice to the person concerned impose all or any of the following sanctions against that person –
(a) a reprimand,
(b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and
(c) an order under subsection (2) including an administrative fine.