“I know that this incident will cause frustration and distress and I want to unreservedly apologise for the lapse in security of customer data.  

“The States of Guernsey has strict internal training requirements specific to confidentiality and data safeguarding, with refresher training for the Corporate Debt Management Team occurring at least annually.  

“We take matters of data security extremely seriously and have taken immediate steps to strengthen our security measures, whilst we continue to carry out an investigation into the incident in order to capture the lessons learnt.” 

A Public Notification has now been published in accordance with the Data Protection Law (see excerpt below).

The information shared included the full names of customers and details of money owed to the States. 

It did not include medical records and the States say that “insufficient data was shared that would enable someone to utilise that data for the purposes of identity fraud”. 

The incident has been reported to the Office of the Data Protection Authority and the full Public Notification can be read ONLINE.

It has also published a statement on the breach: 

"The Data Protection Authority (‘the Authority’) has opened an inquiry into a data breach at the Director of the Revenue Service, alleged to involve a significant volume of personal information.

"The decision to initiate this inquiry under section 69 of The Data Protection (Bailiwick of Guernsey) Law, 2017 has been made following consideration of a breach notification submitted to the Authority by the Director of the Revenue Service and seeks to establish whether the Director of the Revenue Service has breached an operative provision of the Law. Not all breach notifications result in investigations or inquiry. They are assessed on their particular fact and risk situations.

"The outcome of the Authority’s inquiry should not be speculated on, or its conclusion pre-judged. No further comment will be made at this time."