Following a review of several incidents that took down certain States of Guernsey’s IT systems between November 2022 and January 2023, Guernsey’s Data Protection Authority (DPA) initiated an Inquiry.
These outages meant people were unable to use the systems and access the personal data held on them.
The DPA’s Inquiry found that the Policy & Resources Committee (P&R) had failed to take reasonable steps to maintain the air conditioning system within a data room, leading to its failure. This was one of multiple failures, including failures of other technical and monitoring controls, that together resulted in the loss of IT services.
The Inquiry also found that prior to the incidents, P&R had failed to implement an IT disaster recovery plan as is necessary to be able to effectively respond to critical incidents such as those encountered between November 2022 and January 2023.
For these reasons, the DPA concluded that P&R did not take reasonable steps to ensure the security of personal data.
These findings, which relate to P&R’s data protection obligations, align with the findings of the recently released report of the Scrutiny Management Committee focussed on the ‘Review of the Future Digital Services Contract with Agilisys (Guernsey) Limited’.
Why was that a problem?
The Data Protection Law requires that organisations take reasonable steps to ensure they have the ability to secure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
The data room services outages would not have occurred had P&R heeded previous warnings regarding the vulnerability of the air conditioning unit at Sir Charles Frossard House.
The lack of regard paid to warnings concerning the air-conditioning system demonstrated that reasonable steps were not taken to ensure the ongoing resilience of States of Guernsey processing systems and services, which resulted in the loss of access to personal data.
It was discovered that there was no IT disaster recovery plan in place
During the Inquiry it was also discovered that there was no IT disaster recovery plan in place at the time of the data room service outages.
The purpose of an IT disaster recovery plan is to reduce the downtime, costs, and business impact of incidents by putting effective, standardised processes in place for when those incidents do occur. It ensures the resilience and continuity of IT services, and that systems which go down unexpectedly are brought back up again promptly.
The lack of an IT disaster recovery plan during the data room service outages limited the ability to maintain and restore the availability of servers, and therefore the personal data stored thereon.
What has happened as a result?
PWC’s ‘Major Incident Review’ included an action plan containing recommendations which were intended to reduce the risks to mission-critical IT services provided by the States of Guernsey.
During its Inquiry, the DPA required P&R to report on its progress in implementing the action plan’s recommendations.
The DPA is pleased that the Policy & Resources Committee has confirmed that all the recommendations in the proposed action plan have now been completed, and is encouraged by its commitment to ensuring adequate safeguards going forward.
Based on this confirmation and commitment, the DPA issued a sanction in the form of a Reprimand.
Had the action plan not been completed, the DPA would have issued P&R with an order requiring them to take the actions identified in that action plan, holding P&R accountable for putting right the problems identified.
As P&R have already provided confirmation that they have implemented all recommendations, the reprimand issued recognises those actions, and accountability for their successful implementation rests with P&R.
What can be learned from this?
This incident demonstrates the importance of organisations identifying and addressing potential risks posed to the security of personal data.
Organisations that do not regularly assess and mitigate their vulnerabilities are more likely to face system failures.
When a risk is identified, that warning should be heeded. Too often incidents occur in areas of known risk that could have been mitigated if swift action had been taken. Investing in preventive measures is crucial to avoid such disruptions.
Another critical takeaway is the need to prioritise system resilience and recovery. If organisations do not have robust plans to restore data and services quickly after an incident, outages can last longer, causing significant operational and reputational damage.
Organisations should recognise that underinvesting in security often leads to greater costs down the road. Balancing security costs against risk is vital.
Ensuring the confidentiality, integrity, and availability of personal data is not just about avoiding breaches; it is about maintaining operations and protecting all stakeholders.
Security safeguards are a dynamic rather than static responsibility, requiring continuous monitoring, enhancements, training, and vigilance to prevent incidents and system failures.