A law firm’s decision to leave a bundle of legal documents containing sensitive health information on a man’s home doorstep amounted to a breach of Guernsey’s data protection law, the Royal Court has decided in a landmark ruling.
AFR Advocates had already been slapped by the Office of the Data Protection Authority back in 2023 over the document dump, but challenged the ruling in the Royal Court in what was the first instance of a data controller exercising their right of appeal against an enforcement action taken by the watchdog.
However, in a judgment handed down on 23 December and shared for the first time by the ODPA today, Judge Fionnuala Connolly sided with the ODPA and upheld their determination.
Express explores what happened…
The 200-page bundle
The case revolved around an incident in 2022, when AFR Advocates hand-delivered a bundle of more than 200 pages to the home address of an individual involved in a private legal claim. The documents, which were left on the doorstep while the individual was at the beach with his wife, included information relating to his health – categorised as “special category data”, a type of information which receives greater protection under the law.
The court heard that the bundle was delivered in an ordinary ring-binder folder, without any envelope, box or protective covering, and was left in full view rather than in a safe or concealed location. The individual later complained that this had placed their private and sensitive personal data at risk.
Both sides presented conflicting accounts about the exact content of the bundle and the circumstances in which it was delivered.
The complainant told the ODPA in 2023 that the bundle contained “a fully detailed list of my full medical records from both my GP, the MSG and the Hospital covering all conditions from birth”, adding that his records alone amounted to around 40 pages.
AFR Advocates’ was that this statement was untrue and that the complainant knew the bundle did not contain his full medical records.
The court also heard detailed evidence from the complainant about how and where the bundle was delivered.
In his evidence, the complainant said: “The Bundle was not left in a sealed envelope, nor was it marked ‘private and confidential’ or with any words to that effect. It was clear from the front cover however that the Bundle related to Court proceedings relating to me.”
He told the court that his porch was located close to what he described as “a busy footpath”, and said the bundle “would have been seen clearly by any passers-by”.
Complainant “would have been distraught” if others saw medical information
As a result, he felt there was a “very real risk” of the bundle being “looked at, or even being taken”, and said he was also worried that, due to Guernsey being a windy place, that his file could have opened up.
Had AFR contacted him in advance, the complainant said that he would have directed them to a designated safe place – a shed located some distance from the house – and said he was “a very private person” who would have been “distraught” had his sensitive medical information been viewed by unauthorised third parties.
He said the situation caused him “great concern” and led directly to him lodging the complaint with the ODPA.
The ODPA concluded in February 2023 that AFR Advocatres had breached the Data Protection (Bailiwick of Guernsey) Law, 2017. They said the law firm had failed to ensure the “integrity and confidentiality” of the data and had not taken reasonable steps to ensure its security, leading to it issuing a formal reprimand.
Claim data watchdog was unreasonable
AFR Advocates appealed the reprimand on several grounds, including that the Authority had erred in law, acted unreasonably, and failed to act proportionately.
The firm argued that the documents related to legal proceedings that had been heard in open court, and that this context should have reduced the weight given to data protection concerns.
But the Royal Court rejected that argument, and accepted the ODPA’s view that “the fact the documents were lodged with the Court for a pending judicial matter, does not diminish the sensitivity, integrity or confidentiality attached to the personal data. Neither does it relieve the Controller of its obligations when collecting and processing personal data, and in particular Special Category Data”.
Even where proceedings are public, that “does not allow ANY person to gain access to the documents”, the ODPA had previously told the law firm in a letter.
The court also dismissed claims that the Authority had applied the wrong legal test or acted outside its powers. While it accepted that the Authority had mistakenly used the word “inadequate” in parts of its determination, the judge said this was an “inadvertent error” and not fatal to the decision.
“I am satisfied that the Respondent properly referred to and applied the salient applicable provisions of the DP Law,” the judgment said, concluding there was “no basis” to overturn the finding of a breach.
Ultimately, the court held that an informed and reasonable observer would not consider the Authority’s decision to be unreasonable. The reprimand was therefore upheld.
“Important lessons”
The case was the first appeal brought under Guernsey’s current data protection legislation.
In confirming the Authority’s approach, the court emphasised that controllers handling sensitive personal data must take active and appropriate steps to protect it – including when delivering documents in the physical world, not just online.
Reacting to the judgment in a statement issued this morning, Commissioner Brent Homan said: “We welcome the court’s judgment that upholds our determination while confirming our proportionate approach to investigation. We further appreciate the awarding of costs, as our preferred approach continues to involve constructive engagement with organisations to help them ‘get it right’ rather than to be brought into costly and lengthy litigation.”
The Commissioner added that there were “important lessons” to be taken from the the determination upheld by the Court.
“The Law requires anyone working with people’s data to take appropriate safeguard measures ensuring the security of personal data at all times. Special category data such as health data, requires additional measures to ensure confidentiality.”
