Following a complaint made to Guernsey’s Data Protection Authority (DPA) under section 67 of the Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)., an investigation was conducted. The complaint related to the alleged unauthorised disclosures of personal data as a result of repeated human error.
It was shown that Trinity Chambers sent files on email and in the post including highly confidential and sensitive personal details relating to the complainant and their family without appropriate security. This information was then unwittingly accessed by unconnected third parties who had no way of knowing the nature or sensitivity of the content.
Whilst the personal data involved did not constitute special category data as defined in the Law, it was highly sensitive and private for the individuals involved.
As a result of the investigation, the DPA determined that Trinity Chambers breached the Law in relation to the unauthorised disclosure of personal data to a third party.
The DPA has fined Trinity Chambers £10,000 to reflect the serious nature and impact of failing to look after personal data. The fine also reflects the lack of engagement by the controller and concerns that there has been a lack of appreciation of the potential wider impact of the breach for the individuals affected. Trinity Chambers had the right to appeal this fine but did not do so.
Guernsey Bailiwick’s Data Protection Commissioner, Emma Martins, commented: “The data protection law has the protection of individuals at its heart. The DPA will not hesitate to take proportionate and effective action in cases where the law has not been complied with. We have been disappointed that there is little evidence that the controller in this case engaged in a timely manner with the complaint or appreciated the impact of the breach on the individuals concerned. This is especially relevant considering the role that trust and confidentiality plays in the legal sector.
“Individuals have a right to expect that those organisations who have their information will look after it properly. In a small community, such as ours, the impact can be significant if that information is compromised. This case further highlights the role of human error; something we have previously highlighted on a number of occasions. We understand that mistakes get made but when that happens, organisations must respond quickly, engage early and learn from what has happened.”
Image by Brett Jordan