Jersey’s Data Protection Authority (JDPA) has published the outcome of a formal inquiry into three contraventions of the Data Protection law by the Children’s Services Department.
The department is a function of the Children, Young People, Education and Skills Department of the Government of Jersey.
In this case, the Information Commissioner found that on two occasions the Department had failed to comply with the Law in that it failed to ensure that it had appropriate technical and organisational measures in place to maintain the security of the data it processes. These failures led to two separate personal data breaches. The Department also failed to notify the JDPA of those breaches within the required timeframe, which in itself constitutes a breach of the Law.
The breaches related to the Department’s use of an online conferencing platform to hold a child protection meeting during which sensitive personal information about an individual was disclosed to other call participants, who should not have been present for that part of the call.
Secondly, a disclosure made by a family member who was present on the call was then disclosed by the Department to an unintended recipient via email.
The Department failed to report the first two breaches to the JDPA within the timescales required by the Law.
Notwithstanding that this was the second Public Statement the JDPA has issued to the Department in the last six months, the JDPA considered the Department’s early admissions, open and direct liaison with the affected parties and complete cooperation by the Department’s staff with the JDPA as mitigating factors. It also recognised the Department took appropriate steps following the breaches, including:
- Identifying areas for improvement such as bespoke data protection training for staff.
- Making recommendations to implement a training programme for the use of new technology in its day-to-day processes.
- New procedures for disclosing personal data on conference calls, updating processes for using online video conferencing software and a change of process around sending sensitive information via email.
The JDPA also noted that following the incidents, staff were reminded of the importance of, when required, reporting any personal data breaches to the Jersey Office of the Information Commissioner and why it is imperative to do this within the required timeframe.
Accordingly, the JDPA issued a formal reprimand, made orders in respect of remedial steps to be taken by the Department, and determined that the circumstances of this case were of sufficient gravity that it was in the public interest to warrant a public statement. Had the JDPA not been prevented by Law from imposing a fine due to the Department being a public authority, the JDPA would have considered a fine in these circumstances.
JDPA Chair Jacob Kohnstamm commented: “Special category personal information is afforded higher levels of protection under the Data Protection (Jersey) Law 2018, reflecting the harm and distress to individuals that can result from a breach.
“The JDPA is clear that where organisations do not take their legal responsibilities to protect such data seriously or where they are negligent as to their responsibilities, consideration will be given to the appropriate sanction (including the issuing of a fine, where permissible). All data controllers and processors have significant obligations in law and are accountable for the personal data they are entrusted with. This is particularly important when the organisation concerned is a public authority, as building the trust and confidence of the Jersey public in Government data handling activities is paramount.”
Information Commissioner Paul Vane commented: “The Law is there to protect individuals from the misuse of their personal information. This Inquiry highlights the importance of ensuring robust security measures are in place when processing personal information, especially when it is of a sensitive nature.
“The rise of online conferencing platforms during the Covid-19 pandemic has led to organisations implementing new ways of carrying out their day-to-day work, but it is important for organisations to ensure that all their staff are fully trained in the use of such platforms, including the risks of use and what they can do to mitigate such risks. It also highlights the impact a lack of basic awareness can have on the rights, freedoms and privacy of individuals and the distress that can occur when things go wrong.
“In line with the ‘Data Security, Integrity and Confidentiality’ Principle of the Law, Data Controllers must ensure the appropriate measures are taken to protect people’s personal information and ensure staff remain vigilant and are appropriately trained.”