Wednesday 25 December 2024
Select a region
News

P&R breaks Data Protection law

P&R breaks Data Protection law

Thursday 22 August 2019

P&R breaks Data Protection law

Thursday 22 August 2019


Guernsey's most senior political committee has been found responsible for a breach of the island's Data Protection law after an email sent to several people revealed details of another person's health.

The Data Protection Authority for the Bailiwick of Guernsey (known as the Authority) says it has determined that means the Policy and Resources Committee as the controller breached section 6(2)(a) of the Law, which was introduced amid much public awareness in May 2018.

The email was sent by an employee of the Committee, who is described as a manager. In that email, which was sent to 'several recipients' they made reference to the health status of a managed member of staff, which caused that individual distress.

The Office of the Data Protection Authority, led by Emma Martins, has issued a statement saying:

"The disclosure of the complainant’s personal data in this context caused them considerable distress and they have ongoing concerns about the possibility of the disclosure negatively impacting future employment.

"This led to the complainant lodging a formal complaint about the Policy and Resources Committee to the Authority under section 67 of the Law.

"The Authority finds that the Policy and Resources Committee had no legal basis for disclosing this information.

"The Authority is therefore satisfied that the Policy and Resources Committee failed to comply with the lawfulness, fairness and transparency principle [s.6(2)(a)]."

Policy and resources

Pictured: The Policy and Resources Committee, headed up by the politicians pictured above, has been found culpable of the data breach but it has not been disclosed which employee described as a manager, sent the email.

The data breach is being taken seriously because some personal data, including information relation to a person's health, is afforded a higher level of protection under the Law. The ODPA says that is to reflect 'the harm and distress that can result from a breach'.

"The Authority is clear that where organisations do not take their legal responsibilities to protect such data seriously, consideration will be given to the appropriate sanction including the issuing of a fine."

In this case, the Authority says it has identified the following mitigating factors:

  • Early engagement and cooperation by the Policy and Resources Committee data protection officer
  • Early admission of the breach by the Policy and Resources Committee
  • Updated advice and support provided by the Policy and Resources Committee for employees handling personal data

Considering the above factors, the Authority says it has, 'by written notice to the Policy and Resources Committee, imposed a reprimand'.

No further details are being given at this time. An appeal can be made by P&R within 28 days of the reprimand being issued. 

 

Sign up to newsletter

 

Comments

Comments on this story express the views of the commentator only, not Bailiwick Publishing. We are unable to guarantee the accuracy of any of those comments.

You have landed on the Bailiwick Express website, however it appears you are based in . Would you like to stay on the site, or visit the site?