Guernsey Police reprimand after data protection breach

They found that Guernsey Police did not process special category personal data relating to an individual in a lawful, fair and transparent manner. In particular, the individual’s personal information was processed without the demonstrable consent that was needed in this case. This led to the individual lodging a formal complaint to the Authority regarding the processing of personal data by Guernsey Police under section 67 of the Law.

Furthermore, Guernsey Police were unclear as to how the processing was compliant with the requirements of the Law, section 6(2)(a) in particular, and the procedures around the sharing of data in these circumstances evidenced a lack of compliance. Therefore, the Authority concluded that Guernsey Police have failed to comply with section 6(2)(a), the principle relating to “Lawfulness, Fairness and Transparency”.

The Authority is clear that where organisations do not ensure that personal data is processed in a lawful, fair and transparent manner, consideration will be given to the appropriate sanction including the issuing of a fine.

In this case, the Authority identified the following mitigating factors:

• The complaint and investigation focused on the sharing of personal data (including special category data) in relation to a single data subject;
• The Authority is not aware of any other complaints having been made about Guernsey Police in relation to such processing;
• Data was shared with two professional teams who the Police believed would be able to assist the data subject.
• When made aware of the complaint, Guernsey Police sought the destruction of the shared information and confirmation of destruction was provided by the parties with whom the data had been shared.
• It is recognised that Guernsey Police has commenced a review into the existing procedures to support those people they deem vulnerable following an admission that the procedure was not compliant with the requirements of the Law; and
• Guernsey Police has cooperated with the Authority.

Considering the above factors, the Authority have, by written notice to Guernsey Police imposed a formal enforcement order to bring specified processing operations into compliance and a reprimand for the lack of compliance.

In response, the Head of Law Enforcement, Ruari Hardy, said: “Guernsey Police takes the protection of personal data very seriously. We are here to serve the community so when members of the public come forward to seek our help, we hold ourselves to the highest standards to ensure they receive the support they need.

“In essence that is what led to the data protection breach the Office of the Data Protection Authority has confirmed today. Officers believed an individual needed help, acted in good faith and did what they considered to be in the best interests of the person by sharing their personal data with two professional health teams.

“Nevertheless, despite those best of intentions we accept the ruling of the ODPA and have sought to learn from it. As soon as we were made aware of the complaint we sought the destruction of the shared information and this was undertaken by the parties with whom the data had been shared.

“Prior to theses findings by the ODPA, Guernsey Police took action to reduce the risk of a similar breach occurring. Certain documentation was changed and internal procedures were varied to deal with similar circumstances. The current procedure requires officers to refer such matters to a supervisor to assess before any personal data is shared with other professional teams.

“I hope this reassures the public about how seriously we take the need to protect people’s personal data, notwithstanding the importance of police officers being able to lawfully share information with appropriate professional bodies if they believe there is an immediate threat to the safety of an individual”.