A failure to search through archived material has led to Sandpiper CI receiving a formal reprimand from the Bailiwick's Data Protection Authority for non-compliance with a data subject request.
Sandpiper CI received a right of access request on 30 June 2020 from the complainant. A request of this nature entitles an individual to, amongst other things, a copy of all personal data processed by the controller.
Following an investigation, the Data Protection Authority found the company to have breached the law.
It was shown during the investigation that Sandpiper CI had not responded to the request within the designated one-month response period, did not notify the complainant of their reasons for not complying, did not advise the complainant that there was a right to complain to the Authority, and did not advise the complainant of their right to take civil action.
Pictured: Section 27(4) of the Law provides for the application of a two-month extension on the condition, as long as that decision is communicated to the requestor along with the reasons for the extension within the designated period. It can be read in full HERE.
The nature of the request required Sandpiper to access archived information, the retrieval of which was not straightforward, and as such an extension could have been applied had the company requested one.
The Data Protection Authority’s formal judgment elaborated: “The reason for the delay in the request was that the controller had not searched in archived material in its initial response to the request. Upon being notified that the response was incomplete, this became apparent and further searches were required to fulfil that request.
“Had the controller had a more robust data governance structure in place, allowing it to easily recognise the fact that archived material fell within the scope of the request, it is likely a breach of this nature could have been either avoided or mitigated.”
The Bailiwick’s Data Protection Commissioner, Emma Martins, commented: “This case highlights the importance of controllers knowing exactly where the personal data they are legally responsible for are located.
“Archived data has as much capacity for harm as other forms of data and needs to be part of the overall data governance framework of any organisation. We are grateful for the full cooperation of the Controller in this case and hope it serves to remind us all to be prepared to respond to rights requests from individuals.
“The right of access, as exercised in this case, is a very important part of the data protection law and individuals seeking access to information about themselves have the right to expect timely and complete responses.”
Once your comment has been submitted, it won’t appear immediately. There is no need to submit it more than once. Comments are published at the discretion of Bailiwick Publishing, and will include your username.
There are no comments for this article.