Jersey’s Data Protection Authority (JDPA) has issued a serious reprimand to Jersey Government’s Customer and Local Services (CLS) department.
The Data Protection Law states that everyone has a right to know what information is held about them by an organisation (including public authorities like CLS) and individuals can ask those entities (known as data controllers) to provide them with a copy of their personal information.
The individual also needs to be given other information such as where their information is held, who has access to it, why, how long it is going to be kept for, etc. This right is commonly known as a ‘subject access request’ or DSAR.
In this case, an individual asked CLS to provide them with copies of their personal data on two separate occasions. The individual was not happy with the response provided by CLS and so made a complaint to the JDPA and asked them to investigate CLS’ response to those requests. At the end of that investigation the JDPA concluded that CLS:
- was dismissive to the person asking for information;
- took too long to respond to both the requests;
- was unable to locate all the individual’s personal information (it did not have appropriate systems in place to allow it to respond to this type of request and the person who carried out the initial searches was a junior member of staff without sufficient training); and
- redacted (withheld) information incorrectly.
A Public Statement issued by the JDPA is significant; the JDPA will issue one where it considers that doing so would be in the public interest because of the gravity of the matter or in other exceptional circumstances.
Only four have been issued in the last three years – three of which have been against the Jersey Government.
This particular Government department (CLS) has a ‘touch point’ in every islander’s life and holds personal information (including sensitive information) about all islanders’ lives (from a health perspective, education, business, tax and so on).
If this had been an investigation against a private entity, the JDPA would have considered the imposition of a significant fine. However, the Data Protection Authority (Jersey) Law 2018 says that the JDPA cannot issue administrative fines against public authorities, and so could not issue a fine against CLS in this case. It did, however, issue CLS with a formal reprimand and make certain other orders requiring it to improve internal data protection compliance within a defined timeframe.
This incident draws attention to the importance of data protection training (in dealing with personal information of islanders) and is a reminder that anyone holding personal information (data) requires appropriate systems, policies and appropriately trained staff to properly respond to requests that are made to them by islanders in accordance with the Data Protection Law.
This incident also highlights the duty of every Data Controller and Processor, including Government departments, to handle islanders’ personal information respectfully, within the boundaries of and in accordance with the law.
The Data Protection Law refers to The Data Protection (Jersey) Law 2018.