"Dismissive" Gov escapes fine after major data breach

Friday 14 April 2023

The government has been found guilty of serious data protection breaches - but is not facing a fine as the law does not allow it.

The Data Protection Authority has instead issued a formal reprimand after describing the Customer and Local Services Department as "dismissive" of an individual, too slow in responding and unable to locate all their personal information.

Upholding a complaint about two requests for information, the Authority said it would have considered imposing a significant fine had the breaches been committed by a private entity but under the law it cannot impose administrative fines on the government.

The Authority's investigation into the complaints also concluded that the CLS department 'did not have appropriate systems in place to allow it to respond to this type of request' and had allocated an insufficiently trained junior member of staff to the task. It added that the CLS department had a 'touch point' in every islander’s life and is responsible for holding sensitive information including data relating to health, education, business and tax.

The complaint related to two subject access requests, which are formal approaches to the government to obtain details of information it holds about an individual. In the first instance, the government should have provided a full response by 19 June 2020 but was almost a year late, and it failed to provide all the information to which they were entitled. A second request made by the same individual was 11 months late and again did not contain all the information held by the department.

A spokesperson for the Authority said: 'A public statement issued by the Authority is significant and it will do so where it considers that it would be in the public interest because of the gravity of the matter or in other exceptional circumstances. Only four have been issued in the last three years (three have been against government).'

According to the Authority's findings, the department 'failed to process the complainant’s data, lawfully, fairly and in a transparent manner, in contravention of the first data protection principle'.

Responding to the public rebuke, Ian Burns, chief officer of Customer and Local Services said: 'We take our data protection responsibilities seriously and it is very disappointing that we have not handled this customer's subject access requests correctly. I have apologised to the customer personally. We have co-operated fully with the Jersey Office of the Information Commissioner regarding this complaint and have taken immediate action to improve our service for subject access requests in accordance with their recommendations.'