The security of personal data was compromised when the States’ IT infrastructure suffered a widespread outage in November 2022.

The Office of the Data Protection Authority has found that the States – namely Policy and Resources – did not take reasonable steps to ensure the security of all of the personal data held on the affected systems.

That includes failing to maintain the air conditioning system within a data room at Sir Charles Frossard House, which itself failed, causing the States’ servers to shut down.

The original outage was followed by other less widespread outages over the following few months.

The ODPA said those outages meant people were unable to use the systems and access the personal data held on them.

A report published by the Scrutiny Management Committee last month found there were serious failures in how the States’ £200m IT contract with Agilisys has been managed.

The ODPA has now confirmed the findings of its own Inquiry, which was informed by Scrutiny’s review.

The Data Protection Authority’s Inquiry similarly found that “P&R had failed to take reasonable steps to maintain the air conditioning system within a data room, leading to its failure”.

P&R has today reiterated that no data was lost during the outages.

It has also questioned the relevance of the ODPA’s review, coming so long after the incident when all of the issues it raised have already been addressed.

Widespread disruption was caused to public IT services when a key server room overheated due to the failure of air conditioning units.

Under Guernsey’s Data Protection Law, organisations are required to “take reasonable steps to ensure they have the ability to secure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”.

PwC carried out the initial inquiry into the cause of the outages, and found that they would not have occurred had the then-P&R Committee heeded previous warnings about how vulnerable the equipment was.

The ODPA says that the lack of regard for the warnings issued about the air-conditioning system showed that P&R had not taken reasonable steps to ensure the ongoing resilience of States of Guernsey processing systems and services.

The ODPA also found that the lack of an IT disaster recovery plan constituted a breach of data protection regulations, because the outage time was not limited and access to personal data was interrupted for many hours, and even days in some cases.

“This incident demonstrates the importance of organisations identifying and addressing potential risks posed to the security of personal data,” said a spokesperson for the ODPA.

“Organisations that do not regularly assess and mitigate their vulnerabilities are more likely to face system failures.

“When a risk area is identified that warning should be heeded. Too often incidents occur in areas of known risks that could have been mitigated if swift action had been taken.

“Investing in preventive measures is crucial to avoid such disruptions.

“Another critical takeaway is the need to prioritise system resilience and recovery. If organisations do not have robust plans to restore data and services quickly after an incident, outages can last longer, causing significant operational and reputational damage.

“Organisations should recognise that underinvesting in security often leads to greater costs down the road. Balancing security costs against risk is vital.

“Ensuring the confidentiality, integrity, and availability of personal data is not just about avoiding breaches; it is about maintaining operations and protecting all stakeholders.

“Security safeguards are a dynamic rather than static responsibility, requiring continuous monitoring, enhancements, training, and vigilance to prevent incidents and system failures.”

In response to the ODPA’s report, P&R has said that the issues raised have all been addressed and, as such, the committee questioned the relevance of the judgement.

“As is widely known, the outages referred to by the ODPA occurred in late 2022/early 2023.

“While we accept the ODPA’s findings from its investigation, it’s important to highlight the significant length of time and the fact that the issues it references have long since been addressed.

“In 2023 we migrated servers throughout the estate to purpose-built data centres, significantly improving system resilience. As such we’d question the value of an ODPA judgement on an issue that occurred more than two years ago and was addressed by the States shortly thereafter.”