The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that the Channel Islands Financial Ombudsman (the controller) has breached section 6(f) of the Law.
The Authority found that the Channel Islands Financial Ombudsman sent an email containing personal data, including special category data, intended for the complainant to an erroneous email address.
This led to the complainant lodging a formal complaint about the Channel Islands Financial Ombudsman to the Authority under section 67 of the Law.
The Authority found that the Channel Islands Financial Ombudsman, did not process the complainant’s personal data in a manner that ensured its security appropriately.
The Authority is therefore satisfied that the Channel Islands Financial Ombudsman failed to comply with section 6(f) relating to “Integrity and confidentiality”.
The Authority is clear that where organisations do not ensure that personal data is processed in a manner which ensures its security, consideration will be given to the appropriate sanction including the issuing of a fine.
In this case, the Authority has identified the following mitigating factor –
An early admission was made by the Channel Islands Financial Ombudsman as to the error and immediate action was taken to attempt to redress the situation.
In this case, the Authority has not identified any aggravating factors.
Considering the above factors, the Authority has, by written notice to the Channel Islands Financial Ombudsman, imposed a formal Reprimand.