Data Protection Case Studies
General Overview
Every day, organisations in Jersey process personal data (personal information). They manage customer information, handle employee records and operate CCTV for security. Most of the time this happens without incident. Occasionally, however, mistakes occur. Data may be sent to the wrong person, an access request might be ignored, or a system may fail to protect the very information it has been designed to protect.
We regularly receive complaints and breach reports that reveal how easily good intentions can go wrong. We also uncover issues through our audits and inquiries (including through our “Tell Us In Confidence" scheme). These experiences provide useful lessons for all organisations, whether large or small, public or private.
This guidance note brings together a series of case studies showing how the principles of the Data Protection (Jersey) Law 2018 (DPJL 2018) apply in practice. Some of the examples are cases that have been anonymised and others have been adapted/amalgamated from a combination of similar cases we have dealt with, but they are real situations that have come to our attention since 2018. They illustrate the types of issues that commonly arise, how we interpret and enforce the law and what you can do to avoid similar problems.
In addition to these anonymised case studies, we also publish Public Statements where a matter reaches a certain level of seriousness or wider public interest. These statements identify the organisation involved and set out more detail about what happened, our findings and the lessons learned. They are available on our website in our Action Taken section.
The purpose of publicising these case studies is not to criticise individual organisations but to help others learn from experience. Where we can, each case explains what happened, what went wrong under the DPJL 2018, how we assessed the situation, and what practical lessons you can learn from those mistakes.
By reflecting on these examples, you can identify whether similar risks exist in your own organisation and take steps to improve compliance, accountability and public trust.
How to Use This Document
The case studies are organised by topic so that you can focus on the areas most relevant to your work:
a. Transparency
b. Data subject access requests (DSARs)
c. Accuracy and Rectification Requests
d. Erasure
e. Security and Data Breaches
f. CCTV (household)
g. Workplace Privacy and Monitoring
Each case study includes:
a. Background – an account of what happened and how the issue arose.
b. Investigation and Findings – how we assessed the situation under the DPJL 2018.
c. Outcome – any enforcement or remedial action.
d. Lessons Learned – practical guidance for controllers and processors in Jersey.
e. Where relevant, you will find links to our guidance and other supporting resources.
We encourage you to share this document with staff, data protection officers and management teams as part of your training and compliance activities. Learning from others’ mistakes remains one of the most effective ways to prevent your own.
Transparency
Case 1 - Closure of a bank account
Background
A customer of a Jersey-based bank made a DSAR after their current account was suddenly frozen and then closed. The customer asked the bank to explain the reason for the closure and to provide all information held about them, including any internal reports or correspondence that led to the decision.
The bank provided standard account information (statements, contact records, and onboarding documents) but refused to disclose any material explaining why the account had been closed. The response letter simply stated that “For more information about how we process your personal data including how we respond to subject access requests, please see our Privacy Notice on our website”. The customer was dissatisfied and complained to us saying the bank had not been transparent and had not explained why the account had been closed and the reasons for it.
Investigation and Findings
We found no breach of the DPJL 2018.
Lessons Learned
- Art.45 of the DPJL 2018 allows a controller to restrict or refuse access if providing the information would likely prejudice the prevention or detection of crime or the apprehension or prosecution of offenders. This would include circumstances where disclosure might reveal that a suspicious activity report has been made or might identify the person(s) involved in that report.
- Under Art.35 of the Proceeds of Crime (Jersey) Law 1999, it is a criminal offence to “tip off” a person that a suspicious activity report has been filed about them.
- Banks and financial institutions must therefore take extreme care when responding to access requests in this context.
- Controllers should still disclose any non-sensitive personal data (for example, standard account information) while withholding or redacting anything that could reveal a SAR or related investigation.
- It is good practice to have clear internal guidance and template wording for these scenarios, ensuring staff know how to respond lawfully and consistently.
- Always document the decision to rely on Art.45 and record the rationale internally, even if it cannot be shared with the requester.
- Data subjects should be aware that there is some information they may not lawfully have access to. Privacy notices should clearly describe, even in broad terms, the types of processing that may take place for Anti-Money Laundering (AML), counter-terrorist-financing or related compliance checks. Providing these broad indications of intent will inevitably assist individuals in their understanding of how their information may be used in the financial services sector and would not likely prejudice law-enforcement or regulatory processes.
Data Subject Access Requests (DSARs)
Case 1 - Access request with excessive redactions
Background
A carer who had recently left employment with a private healthcare provider in Jersey submitted a Data Subject Access Request (DSAR) asking for all personal data the organisation held about her. The request covered emails, internal HR correspondence, meeting minutes and notes made by senior staff about her performance.
Four weeks later, the employer sent a large bundle of documents (mostly internal emails and HR records) but much of the text had been heavily redacted. Whole paragraphs, pages and even entire emails were blacked out. The employer said that this was to “protect the privacy of other employees”. The employee was unable to read or understand the context of many of the records, and she complained to us about the response. She did not think that the employer had provided her with everything she was entitled to under the law.
Investigation and Findings
Under Art.28(3) of the DPJL 2018, individuals have the right to obtain access to their personal data unless a specific exemption applies.
During the investigation, we found that the employer had simply applied redactions across entire threads or documents whenever another person’s name appeared, including to emails that had passed between the requester and that third party.
o There had been no case-by-case review of what could safely be disclosed.
o The HR team simply highlighted whole sections in black and recorded “third-party data” as the reason for withholding.
o No internal guidance, redaction policy or training materials existed.
o The provider also failed to explain to the requester which legal exemptions had been used, or why.
Whilst the employer had properly withheld some third-party information, there was other information that should not have been withheld. The employer had therefore breached Art.28(3) of the DPJL 2018 by failing to disclose information the individual was entitled to. We also found that the person tasked with responding to the DSAR had not been given proper training for that role, and that the employer was in breach of Art.6(1)(d) because the systems it had in place did not allow for proper compliance with data subject rights.
Outcome
We required the employer to:
- Re-issue the DSAR response
- Create a written redaction policy that explains when and how third-party data can be withheld;
- Keep a redaction log for each access request, recording what was removed and the legal reason for doing so; and
- Provide training to the staff member with responsibility for data protection matters.
Lessons Learned
- Controllers need to carefully balance the rights of access of the individual to their personal data, against any identified risk to a third party that could be brought about by disclosure.
- Before deciding to withhold information that includes details about another person, a controller must first assess whether the information truly relates to that third party. The mere mention of someone’s name, or the fact that they appear in an email or document, does not automatically make that information the third party’s personal data. Controllers should consider whether the information actually tells you something about that person, or whether it primarily relates to the requester.
- If, after that assessment, the information does include third-party personal data, the organisation should then consider whether it can reasonably seek that person’s consent to the disclosure.
- If consent is not given or cannot reasonably be sought, the organisation must decide whether it would still be reasonable to disclose the information in all the circumstances. This involves balancing the individual’s right of access to their own personal data against any potential risk or harm to the third party if the information were shared.
- When making this assessment, the controller must take into account the factors set out in Art.28(f) of the DPJL 2018, including:
o any duty of confidentiality owed to the other person;
o any steps taken to obtain that person’s consent;
o whether the other person is capable of giving consent; and
o any express refusal of consent by the other person.
- Redactions must be proportionate. Withhold only what is strictly necessary to protect other individuals.
- The right of access should result in a meaningful disclosure. A document covered in black boxes is unlikely to meet that standard.
- Keep a clear audit trail explaining what was redacted and why.
- Staff should be trained to distinguish between genuine third-party data and information the requester is entitled to see.
- Having a clear redaction policy and template response and effective redaction tools reduces risk and improves transparency.
Case 2 – Incomplete organisational searches in response to a DSAR
Background
A resident of Jersey contacted a property-management company overseeing a large multi-unit complex of flats, requesting “all personal data you hold about me, electronically or in manual form” (i.e. they made a DSAR). The request followed a dispute over service-charges and maintenance records about a lift which had been going on for many years. The company responded two weeks later by supplying maintenance logs and correspondence referring to the resident, but omitted several email threads between property-management staff and contractors which the resident believed were relevant. The resident then filed a complaint with us alleging the company had failed to locate all the data.
Investigation and Findings
Under Art.28 of the DPJL 2018, the resident has a right of access and the controller had accountability obligations (Art.6). We found that the property-management company had not searched all relevant systems: several older contractor emails were stored in an archive folder that was excluded from the search; staff confirmed informal off-system note-making had taken place in shared folders but these were not reviewed either.
As a result, the resident potentially did not receive all the data to which they were entitled. This amounted to a breach of Art.28 (right of access) because the request was not answered in full, and of Art.6 because the controller lacked adequate search procedures.
Outcome
We required the controller to:
- Perform a retrospective review to locate and, if appropriate, disclose any omitted data;
- Introduce a formal DSAR-search procedure (setting out how to conduct searches and which systems should be covered);
- Provide staff training on DSAR obligations (including to the member of staff responsible for data protection matters);
- Report back to us on completion of the remedial actions and show us what had been done (so we could be satisfied that our orders were complied with).
Lessons Learned
- Organisations in Jersey must ensure that all systems in which personal data might be held are included in a DSAR search-strategy (including archives, shared folders, contractors, backups).
- Even if data seems peripheral (e.g. it’s in an old archive) it may still fall within a valid access request.
- Controllers should maintain search-logs showing how each request was searched and what was found/omitted. This should include details of the search terms used and the number of results generated (screenshots are often helpful).
- Staff handling DSARs should understand they are required to locate “all personal data” about the requester, not just data from a front-line system.
- A well-documented DSAR workflow supports accountability and reduces the risk of enforcement action.
Case 3 – Failure to respond at all to a DSAR
Background
A patient who had attended a healthcare provider in Jersey submitted a DSAR asking for copies of their full medical records. The patient sent the request by email to the email address advertised as the healthcare provider’s data protection officer’s email address, and received an automatic acknowledgement, but no substantive response.
After six weeks with no further communication, the patient wrote again to chase the request. The provider did not reply. After three months, the patient complained to us.
Investigation and Findings
When contacted by us, the provider admitted that the request had been received but explained that it had “fallen down the list” because staff were very busy and they had a backlog of requests that they were working through and other general workload issues. The person with responsibility for managing DSAR requests said they “hadn’t got round to it yet” but intended to reply “when things quietened down”. No thought was given by the controller about why the individual had asked for their records and the fact that they needed them in order to access care from another provider.
Under Art.27(1) of the DPJL 2018, individuals have the right to obtain a copy of their personal data within four (4) weeks of a valid request. Under Art.6, controllers must take appropriate organisational measures to ensure compliance with that obligation. Whilst controllers can extend the initial four (4) week time period in certain circumstances, none of those circumstances applied in this case.
We found that the provider had entirely failed to respond within the statutory timeframe and had not even communicated with the patient to acknowledge the delay or provide an explanation. This amounted to a clear breach of Art.28 (failure to provide access) and Art.27(1) (failure to respond within the required timeframe).
As soon as the JOIC became involved, the provider responded appropriately to the DSAR without any further delay.
Outcome
A formal finding was made that the provider had contravened the law because it had not responded to the DSAR in the time required under the law, and a reprimand was issued.
Lessons Learned
- Being busy or understaffed is not a valid reason for ignoring an individual’s data-protection rights. The right of access is fundamental, and controllers must have systems and resources in place to deal with requests promptly, even during periods of operational pressure.
- Communication is key. Controllers must acknowledge DSARs promptly and communicate if a delay is unavoidable. In this case silence made matters worse than they might otherwise have been had the controller simply communicated about the problems they were experiencing.
- Delayed provision of information could have had serious implications for the data subject. Controllers must bear in mind that failure to respond to requests in a timely manner has the potential to have a detrimental impact on the data subject as the information could be urgent due to the health needs of the individual. (It did not in this particular case.)
- A clear internal process (tracking log, reminders, responsibility assignment) is essential.
- Failure to engage at all may result in formal enforcement action or reputational damage.
- Organisations should not wait for contact from us to respond to lawfully made requests from individuals.
Case 4 – Non-resident parent’s request for a child’s medical records
Background
A GP surgery received a DSAR from a non-resident parent asking for a copy of their child’s full medical records. The parent explained that they had parental responsibility and therefore believed they were entitled to access all information held by the practice about their child.
When the practice manager reviewed the request, staff noted that the parent had not expressed any concern about the child’s care, treatment, or wellbeing. Instead, the parent made clear (both in writing and during a phone conversation) that they wanted to see “what the child might have said about me” and “what the other parent has told the GP” to help them in ongoing contested residence proceedings before the Family Court.
The GP practice was concerned that releasing the records for this purpose could damage the child’s trust in their doctor, and might also disclose information provided in confidence by the other parent or by the child themselves. The practice therefore refused to release the records and wrote to the parent explaining that disclosure was not appropriate outside of the Family Court process.
The non-resident parent complained to us claiming the GP surgery had breached their rights under the DPJL 2018 by refusing access.
Investigation and Findings
We examined whether the GP practice had acted lawfully under the DPJL 2018. Under Art.28, a person with parental responsibility normally has the right to seek access to their child’s personal data. However, that right is not absolute and must always be considered in light of the child’s best interests. The practice had to balance the parent’s access rights against the child’s privacy and confidentiality, and any potential harm that disclosure might cause.
Before relying on the third-party exemption, the GP surgery appropriately assessed whether the information genuinely related to others. It found that much of the data contained statements and observations made by the child about family life, and notes of what the resident parent had shared during consultations. These were therefore also the personal data of those individuals.
The practice then considered whether it could reasonably seek consent from those individuals for disclosure. In line with Art.28(f) of the DPJL 2018, it considered:
- The duty of confidentiality owed to both the child and the other parent;
- Whether it was appropriate to seek consent in the context of ongoing family proceedings and challenging family dynamics;
- The child’s ability to give consent and express a view; and
- The likelihood that disclosure would cause distress or damage trust in medical care.
After this assessment, the GP surgery concluded that seeking consent was not appropriate and that disclosure would not be reasonable in the circumstances. It therefore refused the DSAR.
We found that the practice’s reasoning was sound and proportionate in these circumstances.
Outcome
We found no breach of the DPJL 2018. The GP surgery had carefully assessed the request, documented its reasoning, and acted in line with both data-protection and medical-confidentiality principles. The complaint was not upheld.
Lessons Learned
- Parental responsibility does not automatically grant full access to a child’s health (or other) records.
- Controllers must always consider the child’s best interests and potential harm or distress that could be caused by disclosure (including any third parties who may be impacted by the disclosure).
- Controllers must keep a clear record of the decision-making process, showing how confidentiality, consent, and reasonableness were considered when reaching their decision.
Case 5 – Beneficiary of a trust seeking access to trustee deliberations
Background
A beneficiary of a Jersey-based discretionary trust wrote to the trustees requesting access to the internal deliberations held by the trustees about a decision not to award funding to them. The beneficiary was dissatisfied with the outcome and believed they were entitled to see the evaluation paperwork and the trustees’ reasoning. The trustees responded by refusing to disclose those specific documents, explaining that the decision was within their discretion and that the deliberative material was “confidential trustee business”. The trustees did not otherwise specifically cite any exemption under the DPJL 2018 on which they were relying.
Investigation and Findings
Under the DPJL 2018, data-subjects have a right of access to personal data held about them but there are exemptions that apply to this general right of access including a specific exemption for trustees under Art.47 of the DPJL 2018. That Article exempts personal data from access (and other rights) where disclosure would reveal the intentions of trustees regarding the exercise of their functions or discretions, or would otherwise prejudice the proper discharge of those functions. This is because in the context of trust law in Jersey (under Art.29(4) of the Trusts (Jersey) Law 1984), trustees have a recognised discretion to withhold certain materials, including records which reveal how decisions were arrived at or the reasoning behind them, unless ordered by a court.
We concluded that the information the data subject was seeking fell squarely within the Art.47 exemption. The information sought concerned why the trustees had refused to exercise their discretion, and the refusal was therefore lawful.
Outcome
The complaint was not upheld.
Lessons Learned
- A beneficiary’s right to see trust-records is not unlimited: internal deliberations and the reasoning behind trustee decisions may be excluded pursuant to Art.47 of the DPJL 2018.
- Even when refusing disclosure, it is good practice to provide some explanation of the decision (what can be shared) and keep a record of the reasoning and decision-making process as that would likely aid the data subject’s understanding about why the request was refused.
Accuracy and Rectification
Case 1 - Disputed attendance notes
Background
A client of a local law firm raised concerns about the accuracy of meeting notes recorded by their lawyer following a case-strategy meeting. The notes included several statements attributed to the client about their position and next steps in ongoing negotiations.
When the client later obtained copies of their file following a subject access request, they felt that the notes did not fully capture the discussion and, in some places, misrepresented their views. The client believed the notes made them appear to have said certain things that they did not believe that they had said. The client also considered that the notes did not reflect the entirety of the conversation they’d had with their lawyer. The client asked for the notes to be corrected or rewritten.
The law firm reviewed the request and explained that the notes were a professional record of the meeting and, in their view, an accurate reflection of what was discussed. The firm declined to amend or remove the notes, but it offered to add a short statement from the client setting out their own perspective. The client did not accept this compromise and complained to us asking whether the firm’s refusal to change the notes breached the law.
Investigation and Findings
We considered whether the law firm had met its obligations under Art.8(1)(d) of the DPJL 2018 (accuracy of personal data) and Art.31 (right to rectification).
We found that:
- The attendance note did contain personal data about the client, as it recorded identifiable statements and opinions attributed to them.
- The notes constituted contemporaneous handwritten notes taken during the course of the meeting.
- There was no evidence that the solicitor had fabricated or deliberately misrepresented what had been said. The client’s objection related more to emphasis and interpretation than to factual inaccuracy.
- The firm had taken a reasonable approach by allowing the client to add their own statement to the file to reflect their differing view.
We concluded that the law firm had acted fairly and reasonably. The notes represented the lawyer’s professional understanding of the meeting, and differences of interpretation do not automatically make data “inaccurate” under the DPJL 2018. By recording the client’s disagreement on the file, the firm had ensured that both perspectives were captured.
Outcome
We found no breach of the DPJL 2018. The firm was entitled to retain its own professional record and had acted responsibly in allowing the client’s supplementary note to be added. This approach preserved the integrity of the firm’s records while respecting the client’s right to have their viewpoint acknowledged.
Lessons Learned
- Accuracy under the DPJL 2018 concerns factual correctness, not differences in opinion or emphasis.
- A controller is not required to rewrite or delete professional notes if they are a genuine and accurate record from the author’s perspective.
- Allowing an individual to add a supplementary note to explain their view is often an appropriate and fair solution.
- Controllers should keep clear procedures for managing accuracy or rectification requests and should record how they were handled.
Case 2 – Disputed opinion about performance on an employment record
Background
An employee contacted their HR department after reviewing a copy of their personnel file and finding a comment made by their line manager in a performance review which linked to the employee’s performance bonus for the year. The manager’s comments led to a lower grade being awarded than the employee was expecting meaning that they were not awarded a bonus for that year.
The employee strongly disagreed with their manager’s comments, saying they were unfair and inaccurate, and that they consistently met their targets. They asked for the comment to be deleted or amended to remove what they considered a false impression.
The employer reviewed the request but declined to remove the comment, explaining that it represented the manager’s professional opinion at the time and was part of the company’s formal performance documentation. The employer did, however, offer the employee the opportunity to add their own statement to the record setting out their disagreement.
The employee complained to us, claiming that the record was inaccurate and that the employer had failed to comply with their obligations under DPJL 2018.
Investigation and Findings
We considered whether the employer had breached Art.8(1)(d) of the DPJL 2018 (which requires personal data to be accurate and, where necessary, kept up to date) and Art.31 (the right to rectification).
The investigation confirmed that the performance review did contain personal data about the employee, as it related to identifiable information and expressed an opinion about their work. However, we noted that an expression of opinion is not automatically “inaccurate” simply because the individual disagrees with it. What matters is whether the record accurately reflects that the opinion was expressed.
The evidence showed that:
- The comment had been made by the employee’s manager during a documented review meeting;
- The record clearly identified the statement as the manager’s subjective assessment rather than an objective fact; and
- The employee had been given the opportunity to respond and have their disagreement recorded alongside it.
We found that the data was not inaccurate within the meaning of the DPJL 2018. It correctly recorded the fact that the manager held that opinion and made that assessment of the employee’s performance at the time. The accuracy principle does not require an employer to delete or alter opinions that are genuinely held and clearly identified as such.
Outcome
We found no breach of the DPJL 2018. The employer had acted appropriately by distinguishing between fact and opinion, keeping an accurate record of both, and allowing the employee to add their own response.
Lessons Learned
- Opinions are not necessarily inaccurate data. What matters is that the record accurately reflects that an opinion was given.
- The right to rectification under the DPJL 2018 does not extend to requiring the deletion or alteration of a genuinely held opinion, even if the individual disagrees with it.
- Employers should record the source and date of any opinion and ensure it is clearly presented as such.
- Employees should be allowed to add their own comment or response to provide context or disagreement.
- Regular training for managers on record-keeping, fair language, and data-protection principles will help reduce disputes about accuracy.
Erasure
Case 1 - Historic online article
Background
An individual contacted an online news outlet in Jersey to request the removal of an article about a judgment taken in the Petty Debts Court that had been published many years earlier. The judgment had since been set aside, and the individual was concerned that the continued online availability of the article was misleading and potentially damaging because it suggested that the individual had owed money when it ultimately transpired they didn’t.
Although the article had been accurate at the time it was written, it continued to appear in online search results. The individual explained that this was causing ongoing embarrassment and asked the publisher either to remove the article or to prevent it from being searchable by name.
The news organisation initially declined, explaining that the article formed part of its online archive and reflected the position at the time of publication. The individual then complained to us, citing their right to erasure under Art.32 of the DPJL 2018.
Investigation and Findings
We reviewed the matter and considered both the right to erasure and the journalistic exemption in Art.44 of the DPJL 2018, which safeguards freedom of expression and information where data is processed for journalistic purposes.
The investigation found that:
- The article was factually correct when published;
- The underlying judgment had later been set aside, meaning that the legal position had changed;
- Continued publication under the individual’s name risked giving a misleading impression about the current status of the case; and
- The information was still searchable through internet search engines, despite the limited ongoing public interest.
After discussion with us, the publisher agreed to de-list the article from search-engine results. This meant that the article remained on the newspaper’s website for archival purposes but would no longer appear in search results when the individual’s name was entered.
This solution allowed the publisher to retain the article for journalistic and historical integrity while addressing the individual’s privacy concerns.
Outcome
The JOIC found the publisher’s actions to be fair and proportionate. Full deletion was not necessary because the article retained some public value, but de-listing struck an appropriate balance between privacy and freedom of expression.
No further regulatory action was required.
Lessons Learned
- In journalistic cases, the right to erasure (Art.32) must always be balanced against freedom of expression and the public’s right to information.
- If the factual or legal position changes, publishers should review whether older material remains accurate and relevant.
- De-listing or de-indexing may provide a proportionate way to protect individual privacy while maintaining the public record.
- Controllers should be able to demonstrate how they considered competing rights under the DPJL 2018 and should document their reasoning.
- Transparent engagement with individuals who raise such concerns supports accountability and good practice.
Case 2 – Historical Regulatory Records
Background
An individual contacted their former professional regulatory body in Jersey asking for all personal data held about them to be deleted. The request covered historic correspondence, investigation files, and the outcome of a disciplinary process that had taken place over a decade earlier.
The individual explained that they were no longer practising in the profession and felt that retaining this information served no purpose. They also said the continued existence of the file caused them distress and could affect future employment prospects.
The regulatory body reviewed the request but declined to delete the information. It explained that the records related to a disciplinary decision that formed part of the organisation’s statutory and historical record-keeping obligations. The regulator considered that retaining such information was necessary to maintain an accurate account of its regulatory activities and to demonstrate how previous decisions had been made.
Dissatisfied, the individual complained to us, citing their right to erasure under Art.32.
Investigation and Findings
Under Art.32, individuals have the right to request deletion of their personal data, but this right is not absolute. A controller may refuse erasure if continued processing is necessary for compliance with a legal obligation, for the performance of a task carried out in the public interest, or for the establishment, exercise, or defence of legal claims.
We found that:
- The regulatory body’s statutory functions included maintaining records of disciplinary investigations and outcomes;
- Those records formed part of its public-interest responsibilities to ensure professional standards and accountability;
- Retaining accurate historical data was necessary to prevent inconsistent decisions and to respond to future queries or legal challenges; and
- The regulatory body had appropriate retention policies in place to ensure that such data would be reviewed and deleted after a defined period, once it was no longer required.
Outcome
We found no breach of the DPJL 2018. The regulatory body was entitled to retain the records because they were required for compliance with its legal duties and for reasons of public interest and accountability.
Lessons Learned
- The right to erasure is not absolute and does not apply where data must be retained to meet a legal or regulatory obligation.
- Regulatory and professional bodies often have a public-interest duty to preserve records of investigations and disciplinary actions.
- Controllers should have clear retention policies and be ready to explain why specific records cannot be deleted.
- Even when refusing erasure, organisations should treat individuals respectfully and provide clear, accessible explanations of their decision.
- Regular reviews of retained data help ensure information is not kept longer than necessary.
Security and Data Breaches
Case 1 - Phishing scam that led to loss of data
Background
An employee received an email from an email address they were unfamiliar with. The email contained a link, which the employee clicked on despite not having verified the identity of the sender. This gave an unidentified third party access to part of the company’s systems and allowed the extraction of information relating to clients of that company (including address, travel and family data). It took many months for the controller to realise that a breach had occurred and, when it did become aware, it did not report the breach to us.
Investigation and Findings
We investigated how the breach occurred, including engaging external support from an information security specialist who was able to independently test and verify the company’s own investigations, their findings, and review the remedial measures that were put in place. Our investigation was focused on Art.8(1)(f) of the DPJL 2018 – whether the controller had appropriate technical and organisational measures in place to ensure the security of the personal information it held, and protect it from unauthorised access.
We concluded that the controller’s security arrangements were lacking given the sensitivity of the data it processed (it failed to have adequate firewalls in place and it had not applied an upgrade when it became available), its staff were not appropriately trained in data protection or cyber security matters, and it had failed to conduct appropriate due diligence of its IT services provider.
Outcome
We concluded that there was a breach of Art.8(1)(f) and made a number of orders requiring the controller to update its IT systems and to educate its staff in data protection and cyber security matters (including awareness of phishing), and we kept the controller under supervision for six (6) months until it had completed all remedial work to our satisfaction.
Lessons Learned
- Human error remains one of the biggest causes of data breaches. Even strong technical systems can fail if staff are not trained to recognise and respond to phishing or social-engineering attempts.
- Controllers must ensure that all staff receive regular, practical training on data protection, cyber security, and how to identify suspicious emails or links.
- Article 8(1)(f) of the DPJL 2018 requires controllers to have appropriate technical and organisational measures in place. This includes robust firewalls, access controls, and intrusion detection systems, as well as well-documented incident-response plans.
- Supplier and service-provider due diligence is essential. Controllers are responsible for ensuring that any IT or cloud providers they use are able to provide suitable services, including assisting when a breach has been discovered.
- Organisations should adopt a multi-layered approach to security - combining technical safeguards, user education, and clear reporting procedures for suspected phishing attempts.
- Regular testing and review of security systems (for example, through penetration testing or simulated phishing exercises) helps identify weaknesses before they are exploited.
- Incident handling should include prompt reporting to the JOIC (within 72 hours where required) and transparent communication with affected individuals when there is a risk to their rights and freedoms.
Case 2 – Occupational health report shared without consent
Background
An employee was referred by their employer to attend an occupational-health (OH) assessment to consider whether any reasonable adjustments might be needed due to a long-standing medical condition. Prior to the assessment, the OH provider sent the employee a form which stated that if the employee did not wish to allow the OH report to be seen by the employer, they should withhold their consent, and doing so would mean that the report would not be forwarded to the employer for consideration of adjustments. The employee raised some questions about the draft assessment scope, and explicitly withheld consent for the full report to be shared with the employer until those questions were resolved.
Despite this, once the assessment was completed the OH provider mistakenly forwarded the report to the employer, which included personal medical information and the provider’s occupational-health opinion about the employee’s ability to perform certain tasks. Upon receipt, the employer used the report’s contents in deciding not to implement certain proposed reasonable adjustments and placed the employee into a different role with fewer duties. Feeling that this decision was based on incorrect information and that they had not consented to sharing the details, the employee lodged a complaint with us about the sharing by the OH assessor with the employer.
Investigation and Findings
We investigated the circumstances under which the OH report was processed and shared, focusing on several key provisions of the DPJL 2018:
- Art.6 (general duties and accountability of the controller);
- Art.8(1)(a) (fair and transparent processing); and
- Art.9 (lawful basis for processing).
The OH provider’s initial form clearly indicated that sharing with the employer required the employee’s consent; the employee withheld consent.
The provider forwarded the full report nonetheless, meaning the employer received personal health data and an opinion about the employee’s fitness and capacity despite the employee indicating that there were errors in the report and that it should not be shared. The employer used the health data and opinion for making role-change decisions.
We concluded this represented a breach of the DPJL 2018. The employee’s personal data (health data) was shared without valid consent and the processing was not carried out in a transparent, documented way. The employer’s reliance on the report for role-reassignment actions amplified the impact on the employee’s rights.
Outcome
We found a breach of the DPJL 2018 and required remedial actions:
- The OH provider was instructed to update its consent process (if that was the basis to be relied upon going forward), ensuring that separate, explicit written consent is obtained before forwarding reports to employers, especially where the employee has been given an option to withhold.
- The employer was directed to erase the copy of the report they had received.
Lessons Learned
- Employers should ensure that employment decisions - such as determining reasonable adjustments - are not made using data obtained or shared unlawfully.
- Occupational health reports contain health information which is categorised as special-category data and this must be handled with particular care, especially where that information can be used to make significant decisions about the individual which can impact them in negative ways.
- Valid consent is critical when it is the chosen lawful basis for sharing with an employer. If consent is withheld, sharing must not take place.
- However, explicit consent is not the only lawful basis available for processing special-category data. In some cases, other bases under the DPJL 2018 (for example, processing necessary for carrying out obligations in the field of employment, social security, or because of another legal obligation) may be more appropriate and sustainable than relying on consent.
- Employers and occupational-health providers should identify the correct lawful basis for each stage of processing and document this in privacy notices and data-sharing agreements.
- Controllers must maintain a clear audit trail of lawful bases, consent records (where used), and data-sharing decisions to meet the accountability requirements.
- Privacy notices and internal policies should clearly explain how occupational-health information may be used, the lawful basis relied upon, and the safeguards in place.
CCTV (Household)
Case 1 - Use of doorbell cameras by neighbours
Background
A homeowner in Jersey installed a video doorbell camera to improve home security and to monitor visitors when they were not at home. The device recorded short video clips and audio only when the doorbell was pressed or when someone stood directly in front of it.
A neighbour became concerned that the doorbell camera might be recording their driveway and garden, and that it could be running continuously. They believed the system was capturing footage outside the homeowner’s boundary and might therefore be operating unlawfully. The neighbour contacted the homeowner to raise their concerns but was not reassured by the response. They then made a complaint to us, alleging that the homeowner’s use of the doorbell camera breached the DPJL 2018.
Investigation and Findings
We investigated whether the homeowner’s use of the device fell within the domestic purposes exemption or whether it was subject to the DPJL 2018.
Technical checks showed that:
- The camera’s field of view was limited to the homeowner’s doorway and immediate front step; it did not capture images beyond the property boundary.
- The device was motion-activated only when someone stood in front of it or pressed the doorbell; it did not record continuously.
- No footage was being collected of the neighbour’s property, shared access path, or any public areas.
- The homeowner was using the system for a clear, legitimate purpose (to monitor visitors and deliveries at their front door) and footage was retained for a very short period before automatic deletion.
Outcome
We found no evidence that the homeowner had breached the law. The processing was limited, proportionate, and fell within what would generally be regarded as personal and domestic use (Art.4 of the DPJL 2018).
However, we noted that misunderstandings about such devices are common and can cause tension between neighbours. Simple steps to explain how the system works can help reassure others and avoid unnecessary complaints.
We encouraged the homeowner to consider adding a small notice explaining that the doorbell records only when pressed, and to keep settings under review to ensure the device remains compliant.
Lessons Learned
- The domestic purposes exemption can apply where recording is limited to a homeowner’s own property and is not capturing public footpaths or roadways or communal areas.
- If the domestic exemption applies to the operation of domestic CCTV cameras, including such devices as ring doorbells, the operators are not deemed to be data controllers for the purposes of the DPJL 2018 and in such circumstances we have no role to play. We encourage individuals with concerns about a neighbour’s CCTV system to engage directly with the neighbour themselves in the first instance, so that a satisfactory resolution can be achieved. Homeowners should be open with neighbours about what their devices record to avoid misunderstandings.
- Cameras should not be positioned so that they are viewing into the homes or gardens of neighbours.
- Users should regularly review device settings (for example, field of view, recording triggers, date and time settings) to ensure they remain proportionate.
- Imagery should only be kept for as long as it is needed and it should not be shared with anyone who does not need to see it (e.g. on social media).
- Even where the law is not breached, clear communication and consideration for neighbours’ privacy promote trust and good community relations. Consult with those who may be affected by CCTV use, and explain why it is needed and what will happen with the footage. Regular reviews should be carried out to see if CCTV is still needed.
- Where a domestic CCTV system is being operated in line with the household exemption we will not disclose details of that system to a complainant, as the DPJL 2018 would not be engaged and any such disclosure may compromise the security of the domestic CCTV operator.
Workplace Privacy and Monitoring
Case 1 - Tracking vehicle use by an employee
Background
An employee of a local company drove a company vehicle as part of their job. The employer had fitted the car with a Global Positioning System (GPS) tracking device, telling staff it was used for insurance and operational purposes - specifically, to monitor mileage and fuel efficiency. Employees were assured the data would help reduce fuel costs and support fleet management and that it wouldn’t be used for anything else.
Several months later, the employee was called into a disciplinary meeting and told that tracking data showed the vehicle had been used outside working hours and for personal errands. The tracking logs were presented as evidence of alleged misuse of company property. The employee was surprised and upset, saying they had never been told that the data could be used to monitor personal use or as part of disciplinary action.
The employee lodged a complaint with us claiming that the company had not been transparent about how the tracking data would be used and that the use of location data for disciplinary purposes was not fair. They had no issues with the use of GPS being on the vehicle for the purposes they had been made aware of; their focus was on the fact that the GPS was actually being used for something else which they’d never been told about.
Investigation and Findings
We investigated whether the company had complied with the fairness and transparency principle in Art.8(1)(a) of the DPJL 2018, and whether employees had been properly informed of the purposes for which their data would be processed, as required under Art.12 (information to be provided to data subject).
The company explained that GPS tracking was installed primarily for insurance reasons and to help monitor fleet performance. However, it admitted that once the system was installed, managers realised that they could view real-time location data, and that these logs had later been used in an HR investigation. The company had no written policy setting out how GPS data would be used, how long it would be retained, or under what circumstances it could be accessed for disciplinary purposes.
While staff had been told about the existence of the tracker, they had not been informed of all the purposes for which the data could be used and were not told that the data would be used for employee monitoring and, potentially, disciplinary purposes. The company’s privacy notice and employment handbook made no reference to monitoring of private use or disciplinary use of GPS data.
Using location data gathered for one purpose (fleet management) for another purpose (staff discipline) breached the principle of purpose limitation under Art.8(1)(b) of the DPJL 2018 and the lack of a clear policy and staff communication represented a breach of transparency and fairness obligations under Art.8(1)(a) and Art.12 of the DPJL 2018.
Outcome
The JOIC issued a formal reprimand to the company for failing to be transparent and fair in its processing of employee location data. The company was instructed to:
- Develop a vehicle-tracking and monitoring policy, clearly explaining what data is collected, why it is collected, who can access it, and for what purposes.
- Update its employee privacy notice to specify all potential uses of GPS data, including any monitoring or disciplinary purposes.
- Conduct a data-protection impact assessment (DPIA) to assess risks to employees’ privacy and identify appropriate safeguards.
- Provide staff training on data protection and monitoring to ensure all employees understand how their data may be used.
- Report back to us on completion of the remedial actions and show us what had been done.
Lessons Learned
- Transparency is fundamental: telling employees that GPS tracking exists is not enough - controllers must also explain clearly how and why the data will be used.
- Purpose limitation means data collected for one purpose (such as insurance or fleet management) must not be repurposed for another (such as disciplinary action) where such processing is incompatible with the original purposes and without a lawful basis and full transparency.
- Employers must ensure privacy notices and policies accurately describe all monitoring activities, including any potential HR or disciplinary use.
- Conducting a DPIA before using any new software/technology or when using such for a new purpose helps identify risks, justify the necessity of monitoring, and ensure safeguards are in place before any problems arise. (See our guidance note here.)
- Staff trust depends on openness: using data covertly or for undisclosed purposes undermines confidence and can amount to unfair processing.
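One way to make purpose limitation and retention enforceable in the system itself, rather than leaving them to policy alone, is to tag each location record with the purposes declared to staff at collection time, require every read to state its purpose, refuse reads for an undeclared purpose, and write every decision to an audit trail. The following is an added illustration written for this guidance note (not code from the JOIC or from the company in the case); the vehicle identifier, timestamps, coordinates and purpose names are constructed.

```python
"""Purpose-bound access to vehicle GPS logs (added illustration, not JOIC material).

A record can only be read for a purpose that was declared when it was collected,
so fleet-management data cannot quietly be repurposed for discipline, and records
are purged once the declared retention period has passed. All values are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class GpsRecord:
    vehicle_id: str
    timestamp: datetime
    lat: float
    lon: float
    odometer_km: float
    purposes: frozenset  # purposes disclosed in the privacy notice at collection


class PurposeDenied(PermissionError):
    """Raised when a read is attempted for a purpose never declared to staff."""


class TelemetryStore:
    def __init__(self, retention: timedelta):
        self.retention = retention
        self._records: list[GpsRecord] = []
        self.audit: list[dict] = []  # who asked, for what, why, and the decision

    def ingest(self, rec: GpsRecord) -> None:
        self._records.append(rec)

    def purge_expired(self, now: datetime) -> int:
        """Delete records older than the retention period; return how many went."""
        keep = [r for r in self._records if now - r.timestamp <= self.retention]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed

    def query(self, requester: str, purpose: str, vehicle_id: str) -> list[GpsRecord]:
        """Return a vehicle's records only if `purpose` was declared for all of them."""
        matching = [r for r in self._records if r.vehicle_id == vehicle_id]
        undeclared = [r for r in matching if purpose not in r.purposes]
        decision = "refused" if undeclared else "granted"
        self.audit.append({"requester": requester, "purpose": purpose,
                           "vehicle": vehicle_id, "decision": decision})
        if undeclared:
            raise PurposeDenied(f"purpose '{purpose}' not declared for {vehicle_id}")
        return matching


def demo() -> dict:
    """Constructed scenario mirroring the case: fleet data later sought for discipline."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    declared = frozenset({"fleet_management", "insurance"})  # what staff were told
    store = TelemetryStore(retention=timedelta(days=90))
    for i in range(3):
        store.ingest(GpsRecord("VAN-07", t0 + timedelta(hours=i),
                               49.18, -2.10, 1200.0 + 5 * i, declared))
    fleet = store.query("fleet-admin", "fleet_management", "VAN-07")  # declared: ok
    try:
        store.query("hr-manager", "disciplinary", "VAN-07")  # never declared: refused
        hr_blocked = False
    except PurposeDenied:
        hr_blocked = True
    purged = store.purge_expired(t0 + timedelta(days=120))  # past 90-day retention
    return {"fleet_rows": len(fleet), "hr_blocked": hr_blocked, "purged": purged,
            "refusals_logged": sum(a["decision"] == "refused" for a in store.audit)}
```

Extending the declared purposes of existing records is deliberately not a method here: a new purpose such as disciplinary use should only apply to data collected after staff have been told about it.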