Public Statement - October 2021
Data Controller: Children’s Services
- The Data Protection Authority for the Bailiwick of Jersey (the “Authority”) has determined that the Children’s Services Department, Government of Jersey (the “Controller”) has contravened Art.8(1)(f) of the Data Protection (Jersey) Law 2018 (the “DPJL 2018”) in that it failed to comply with the integrity and confidentiality principle and ensure that it had appropriate technological and organisational measures in place to ensure the security of the data it processes.
- Following an investigation commenced in early 2020, the Authority has determined that the Controller was responsible for the relevant contravention in that a member of its staff disclosed the Complainant’s extremely sensitive special category information within the context of a written report known as a Child and Family Assessment (the “Assessment”) in circumstances where it was unnecessary to do so, the Complainant having nothing at all to do with the Assessment that had been carried out and the information being of no relevance at all to that Assessment.
- In addition, the severity of the breach was further compounded by the fact that the Assessment was provided to a family member of the Complainant who was previously unaware of the information contained within the Assessment. This caused significant distress to the Complainant.
- Special category data (including health data) are afforded higher levels of protection in the DPJL 2018, reflecting the harm and distress that can result from a breach. The Authority is clear that where organisations do not take their legal responsibilities to protect such data seriously or where they are negligent as to their responsibilities, consideration will be given to the appropriate sanction (including the issuing of a fine, where available). Had the Authority not been prevented by law from imposing a fine due to the Controller being a Public Authority, the Authority would have likely considered imposing a fine in these circumstances.
- The Controller processes a large quantity and range of personal data relating to the families they deal with including the most sensitive special category data (which may include information about abuse) and, on this occasion included such information in an Assessment unnecessarily and which was then shared without the Complainant’s knowledge. The Authority expects all the Controller’s staff to be cognisant of their obligations under data protection and to know what is and is not appropriate to include and share within their assessment and to have received training that is appropriate for the role they are carrying out. Indeed, the Head of Service acknowledged that “this practice does not fit with our standard of service delivery that we expect from all of our practitioners."
- In this case, the Authority has identified the following mitigating factors including:
a. The Controller maintained open and candid correspondence with the Authority whilst enquiries took place and made early admissions including to the Complainant;
b. Complete cooperation by the Controller’s staff with the Authority’s investigation;
c. It took appropriate remedial steps once alerted to the breach by the Complainant including retrieving the Assessment, removing the unnecessary information and reissuing it;
d. The Authority has also been advised the Children’s Service have made a referral to the Social Worker’s regulatory body in the U.K. regarding the Social Worker’s conduct in this matter.
- There are no aggravating factors.
- Considering the above factors, the Authority has, by written notice to the Controller, imposed a formal reprimand and made a number of orders pursuant to Art.25(3) of the Authority Law regarding the education for staff, which must be carried out within a stipulated timeframe and updates provided to the Authority.
- Given the formal breach determination, the Authority must consider whether it is appropriate to impose a formal sanction and, if so, decide what is the appropriate sanction in these particular circumstances. In other circumstances the Authority would have considered the imposition of a significant fine in a case of this gravity. However the Authority Law sets out that the Authority cannot issue administrative fines against public authorities and so the only sanctions available for consideration are the issuing of a formal reprimand and/or the making of certain orders designed to bring processing in-line with the DPJL 2018 and to ensure appropriate supervisory oversight by the Authority.
- This is a public statement made by the Authority pursuant to Art.14 of the Authority Law following an Investigation by the Authority and following receipt of a complaint regarding the Controller’s processing of certain personal data. Individuals can make a formal complaint under Art.19 of the Authority Law if they think that a controller has contravened the DPJL 2018 and it involves or affects their rights.
- The Authority may investigate a complaint and once an investigation has been completed, Art.23 of the Authority Law requires the Authority to make a Proposed Determination as to whether a data controller has contravened the DPJL 2018.
- If the Authority determines that there has been a contravention, it must then go on to consider what sanction should be imposed against the data controller, if any.
- Article 25 of the Authority Law sets out the various sanctions that are available to the Authority following a Proposed Determination and, having considered all relevant facts (including representations made by the Controller), the Authority has considered that this matter is most appropriately disposed of by way of a formal reprimand and the imposition of certain orders to ensure the Controller’s processing activities are compliant with the law. (Administrative fines may not be levied against public authorities and so this form of sanction was not available in this particular case.)
Article 32 of the Authority Law allows an affected party a right of appeal to the Royal Court of Jersey. Any such appeal must be made within 28 days.