Guernsey’s Data Protection Authority has published its Annual Report for 2023.
The report details the Office of the Data Protection Authority’s (ODPA) activities under The Data Protection (Bailiwick of Guernsey) Law, 2017 which came into effect in May 2018.
As the Bailiwick of Guernsey’s independent data protection authority, the ODPA’s purpose is to protect people by driving responsible use of personal information, through: Helping organisations ‘get it right’; deterring harmful information handling; and taking enforcement action against significant non-compliance.
To achieve this purpose, and be an effective regulator, the ODPA balances strategic action across four areas in relation to protecting people from data harms:
- Predict: Intelligence gathered from external sources and internal regulatory actions helps predict where the potential for harm is.
- Prevent: Through education and outreach the ODPA raises organisations’ awareness of their data protection obligations and empowers citizens to help prevent harm from happening.
- Detect: When data harms occur individuals can make a formal complaint about an organisation, and controllers/processors can report data breaches.
- Enforce: Enforcement action is the last resort. In certain circumstances sanctions are made public so that the whole community can learn from what went wrong. All lessons learnt are fed back into the ODPA’s ‘predict’ activities.
Key highlights from 2023 include:
- 12 new guidance notes published to help organisations understand and comply with the law.
- 1,128 children/young people attended ODPA Schools Programme sessions (Project Bijou Seeds).
- 56 new data protection complaints received.
- 151 breaches reported.
- 16 new investigations opened.
- 7 new inquiries opened.
Two key investigations contained in the report involve:
- Investigation launched in October 2023 in relation to data room service outages that affected the States of Guernsey’s IT systems between November 2022 –January 2023.
- Investigation concluded in December 2023 which resulted in HSC releasing a safeguarding report to a vulnerable adult’s family following an ODPA Enforcement Order.
The Chairman of the Bailiwick’s Data Protection Authority, Richard Thomas CBE (pictured), commented: “2023 can be described as the year when the Guernsey Data Protection Authority came of age. We reached maturity. The year started with the adoption of a new Strategic Plan, for 2023-2026. During the year, as this report testifies, we clocked up a wide range of solid achievements. The year ended with the handover from one Commissioner to another. And it was just into the start of 2024 that the EU’s all-important ‘adequacy’ status was confirmed for the Bailiwick’s data protection regime.”
Data Protection Commissioner Brent Homan commented:“The Annual Report highlights the excellent achievements realized in 2023, as we progress towards a vision of Guernsey as a model for the global data protection community with a public and private sector that embraces compliance and elevates the level of trust and consumer confidence.”