Case Studies - Learning from Experience
Every day, organisations in Jersey process personal data (personal information). They manage customer information, handle employee records and operate CCTV for security. Most of the time this happens without incident. Occasionally, however, mistakes occur. Data may be sent to the wrong person, an access request might be ignored, or a system may fail to protect the very information it has been designed to protect.
We regularly receive complaints and breach reports that reveal how easily good intentions can go wrong. We also uncover issues through our audits and inquiries (including through our “Tell Us In Confidence” scheme). These experiences provide useful lessons for all organisations, whether large or small, public or private.
This guidance note brings together a series of case studies showing how the principles of the Data Protection (Jersey) Law 2018 (DPJL 2018) apply in practice. Some of the examples are cases that have been anonymised and others have been adapted/amalgamated from a combination of similar cases we have dealt with, but they are real situations that have come to our attention since 2018. They illustrate the types of issues that commonly arise, how we interpret and enforce the law and what you can do to avoid similar problems.
In addition to these anonymised case studies, we also publish Public Statements where a matter reaches a certain level of seriousness or wider public interest. These statements identify the organisation involved and set out more detail about what happened, our findings and the lessons learned. They are available on our website in our Action Taken section.
The purpose of publicising these case studies is not to criticise individual organisations but to help others learn from experience. Where we can, each case explains what happened, what went wrong under the DPJL 2018, how we assessed the situation, and what practical lessons you can learn from those mistakes.
By reflecting on these examples, you can identify whether similar risks exist in your own organisation and take steps to improve compliance, accountability and public trust.
How to Use This Document
- The case studies are organised by topic so that you can focus on the areas most relevant to your work:
  - Transparency
  - Data subject access requests (DSARs)
  - Accuracy and Rectification Requests
  - Erasure
  - Security and Data Breaches
  - CCTV (household)
  - Workplace Privacy and Monitoring
- Each case study includes:
  - Background – an account of what happened and how the issue arose.
  - Investigation and Findings – how we assessed the situation under the DPJL 2018.
  - Outcome – any enforcement or remedial action.
  - Lessons Learned – practical guidance for controllers and processors in Jersey.
- Where relevant, you will find links to our guidance and other supporting resources.
- We encourage you to share this document with staff, data protection officers and management teams as part of your training and compliance activities. Learning from others’ mistakes remains one of the most effective ways to prevent your own.