Planning escapes fine for publishing details about vulnerable child

Monday 19 October 2020

Jersey's Planning department has escaped a fine for twice breaking the data protection law by sharing sensitive health information online about a vulnerable child, because it is a government body.

The Jersey Data Protection Authority has issued its first ‘Public Statement’ against a government department - or ‘Public Authority’, as they are officially called in this context.

An investigation by the JDPA concluded that Planning and Building Services had failed to adequately redact personal data, which resulted in the information about the child being published on the online registry of planning applications.

JDPA Chair Jacob Kohnstamm said: "The JDPA has determined that, on balance, the circumstances of this case were grave enough to warrant a public statement, and had the JDPA not been prevented by law from imposing a fine due to the Controller being a Public Authority, the JDPA would have considered a fine in these circumstances."

Pictured: JDPA Chair Jacob Kohnstamm.

Deputy Information Commissioner Paul Vane added: "All data controllers and processors have significant obligations in law to be accountable and provide appropriate security for the personal data they are entrusted with.

"This is particularly important when the organisation concerned is a Public Authority, as building the trust and confidence of the Jersey public in Government data handling activities is paramount."

The JDPA said that it considered the department’s cooperation and early recognition of the problem as mitigating factors, along with its prompt updating of systems and processes and training updates for staff. 

However, it added that it had also taken into account the department’s lack of appreciation of the significance of some of the problems arising from the processing of personal data, which had led to the investigation, and which “had tended to minimise the significant effect the processing had on a vulnerable minor."

It said that while the department had cooperated with the authority and removed the data relating to the first breach at the JDPA’s request, the information was then uploaded to the department’s online public registry again on two further occasions while still containing insufficient redaction.

Jersey’s Data Protection Law, which came into force in 2018, prohibits the JDPA from fining publicly funded organisations, which means that an official statement is the highest sanction it can award in this instance.