Public Statement - October 2021

The Jersey Data Protection Authority (JDPA) has issued a public statement regarding the outcome of an investigation into a breach of the Data Protection (Jersey) Law 2018 by the Children’s Services of the Government of Jersey.

The JDPA found that Children’s Services (the Department) had failed to comply with the integrity and confidentiality principle and ensure that it had appropriate technological and organisational measures in place to ensure the security of the data it processes.

Following an investigation commenced in early 2020, the Authority has determined that the Controller was responsible for the relevant contravention in that a member of its staff disclosed the Complainant’s extremely sensitive special category information within the context of a written report known as a Child and Family Assessment (the “Assessment”) in circumstances where it was unnecessary to do so, the Complainant having nothing at all to do with the Assessment that had been carried out and the information being of no relevance at all to that Assessment.

In addition, the severity of the breach was further compounded by the fact that the Assessment was provided to a family member of the Complainant who was previously unaware of the information contained within the Assessment. The investigation found that this caused significant distress to the Complainant.

JDPA Chair, Jacob Kohnstamm commented that ‘The JDPA has determined that, on balance, the circumstances of this case were grave enough to warrant a public statement, and had the JDPA not been prevented by law from imposing a fine due to the Controller being a Public Authority, the JDPA would have considered a fine in these circumstances.’

‘All data controllers and processors have significant obligations in law to be accountable and provide appropriate security for the personal data they are entrusted with’ said Paul Vane, Information Commissioner. ‘This is particularly important when the organisation concerned is a Public Authority working with and for children and their families and dealing with the most sensitive forms of information, as building the trust and confidence of the Jersey public in Government data handling activities is paramount.’

The updated data protection laws implemented in 2018 provide the JDPA with enhanced enforcement powers. These include provisions to enable the JDPA to investigate and collect necessary evidence and to impose a range of sanctions escalating in severity. These sanctions can include one or more of the following: Issuing a reprimand; Issuing a warning; requiring a Controller or Processor to bring their processing into compliance; Issuing a public statement about the outcome of an investigation: and, ultimately, imposing a financial penalty.

21 October 2021.