Sunday 14 August 2022
Select a region
News

Top CI retailer scolded by data watchdog

Top CI retailer scolded by data watchdog

Thursday 19 August 2021

Top CI retailer scolded by data watchdog

Thursday 19 August 2021


The Channel Islands' largest retailer has been scolded by Guernsey's data watchdog for failing to properly comply with an individual's request for the data held about them by the company.

Individuals are legally entitled to make requests for a copy of all personal data held by a company or entity - known as a 'right of access request'.

Sandpiper CI received one such request on 30 June 2020, which Guernsey's Data Protection Authority ruled yesterday was not properly handled in line with the law.

An investigation by the authority confirmed that Sandpiper CI failed to:

  • respond to the request within the designated one-month period,
  • did not notify the requester of their reasons for not complying with the request,
  • and did not advise them that there was a right to complain to the authority, and right to take civil action.

Screenshot_2021-08-18_at_12.58.15.png

Screenshot_2021-08-18_at_12.58.27.png

Pictured: Section 27(4) of the Law provides for the application of a two-month extension on the condition, as long as that decision is communicated to the requester along with the reasons for the extension within the designated period.

The nature of the request required Sandpiper CI to access archived information, the retrieval of which was not straightforward.

The authority's formal judgment elaborated: “The reason for the delay in the request was that the Controller had not searched in archived material in its initial response to the request. Upon being notified that the response was incomplete, this became apparent and further searches were required to fulfil that request.

“Had the Controller had a more robust data governance structure in place, allowing it to easily recognise the fact that archived material fell within the scope of the request, it is likely a breach of this nature could have been either avoided or mitigated.”

The Bailiwick’s Data Protection Commissioner, Emma Martins, commented: “This case highlights the importance of controllers knowing exactly where the personal data they are legally responsible for are located.

“Archived data has as much capacity for harm as other forms of data and needs to be part of the overall data governance framework of any organisation. We are grateful for the full cooperation of the Controller in this case and hope it serves to remind us all to be prepared to respond to rights requests from individuals.

“The right of access, as exercised in this case, is a very important part of the data protection law and individuals seeking access to information about themselves have the right to expect timely and complete responses.” 

Sign up to newsletter

 

Comments

Comments on this story express the views of the commentator only, not Bailiwick Publishing. We are unable to guarantee the accuracy of any of those comments.

Once your comment has been submitted, it won’t appear immediately. There is no need to submit it more than once. Comments are published at the discretion of Bailiwick Publishing, and will include your username.

To place a comment please login

You have landed on the Bailiwick Express website, however it appears you are based in . Would you like to stay on the site, or visit the site?