The Jersey Data Protection Authority (JDPA) has issued a public statement regarding the outcome of an investigation into two breaches of the Data Protection (Jersey) Law 2018 (the Law) by the Planning and Building Services Department (formerly the Planning and Building Control Department) of the Government of Jersey.
This public statement is the first to be issued to a Public Authority.
The Information Commissioner found that Planning and Building Services (the Department) had failed to meet its legal obligations to protect personal data. The investigation found that the Department had failed to comply with the integrity and confidentiality principle of the Law, and had failed to ensure that it had appropriate technological and organisational measures in place to secure the personal data it processes.
The JDPA was prevented by law from imposing a fine because the Controller is a public authority.
The breaches concerned insufficient redaction of personal data, which resulted in the public disclosure of sensitive health information about a vulnerable minor on the Department’s online registry of planning applications.
Special category data (including health data) are afforded higher levels of protection in the Law, reflecting the harm and distress that can result from a breach. The JDPA is clear that where organisations do not take their legal responsibilities to protect such data seriously or where they are negligent as to their responsibilities, consideration will be given to the appropriate sanction (including the issuing of a fine, where permissible).
The JDPA considered the Department’s cooperation and early admissions as mitigating factors, along with its prompt updating of systems and processes and refreshed training for staff. However, the JDPA also took into account the Department’s lack of appreciation of the significance of some of the problems arising from the processing under investigation, which tended to minimise the significant effect that processing had on a vulnerable minor.
Furthermore, whilst the Department cooperated with the Authority and removed the data relating to the first breach at the JDPA’s request, the same information was subsequently uploaded to the Department’s online public registry again on two further occasions, still insufficiently redacted.
JDPA Chair Jacob Kohnstamm commented that: “The JDPA has determined that, on balance, the circumstances of this case were grave enough to warrant a public statement, and had the JDPA not been prevented by law from imposing a fine due to the Controller being a public authority, the JDPA would have considered a fine in these circumstances.”
“All data controllers and processors have significant obligations in law to be accountable and provide appropriate security for the personal data they are entrusted with,” said Paul Vane, Deputy Information Commissioner. “This is particularly important when the organisation concerned is a Public Authority, as building the trust and confidence of the Jersey public in Government data handling activities is paramount.”
The updated data protection laws implemented in 2018 provide the JDPA with enhanced enforcement powers. These include provisions enabling the Jersey Office of the Information Commissioner to investigate and collect the necessary evidence and to impose a range of sanctions escalating in severity. These sanctions can include one or more of the following: issuing a reprimand; issuing a warning; requiring a Controller or Processor to bring its processing into compliance; issuing a public statement about the outcome of an investigation; and, ultimately, imposing a financial penalty.