Guernsey's data protection authority has 'reprimanded' the Revenue Service after the personal data of multiple people was shared with the wrong recipient.
The data breach occurred when an email containing the personal data was mistakenly sent to the wrong address. This involved the personal information of people who owed money to the Committee for Health & Social Care.
The Office of the Data Protection Authority found that the Revenue Service failed to ensure adequate security measures were in place to protect personal data.
Despite having a policy requiring the use of a specialised secure platform for sending emails containing personal data, the policy was not followed in this case.
The ODPA also noted that this was not an isolated incident, and that similar breaches had occurred in the past.
The Revenue Service had been aware of these previous breaches and had committed to implementing measures to prevent future occurrences, but the ODPA says these measures were not fully implemented in this case.
“Had the Revenue Service acted upon what was revealed from earlier breaches, that some staff were failing to comply with this policy, there would have been additional measures in place to mitigate the impact of this personal data breach,” said the ODPA.
The Authority went on to emphasise the importance of effective security measures, including the use of technical safeguards to minimise human error. It also highlighted the need for ongoing monitoring and evaluation of security practices to identify and address potential vulnerabilities.
In response to the breach, the Revenue Service has implemented additional measures to improve its security practices, including ensuring that all employees have access to the enhanced version of the secure platform and mandating the use of the platform for all emails containing personal data.