The States of Alderney have been served with an ‘enforcement notice’ after breaching the Bailiwick’s data protection laws.
The island’s government was legally bound to answer a Data Subject Access Request made by its former Chief Executive – who left his role with the States at the end of last year.
Theo Leisjer made his data request immediately after leaving his role and although the States did respond to the Data Subject Access Request, he felt that documents had been left out and other parts were redacted where they didn’t need to be. He reported this to the Office of the Data Protection Authority and it has agreed.
The ODPA said the States of Alderney breached section 15 of the data protection Law, which relates to a data subject’s rights of access to their own personal data.
Specifically, the Authority found that there were inconsistent and excessive redactions of a letter. While some redaction was appropriate because the information related solely to someone else, but some other information should have been provided in unredacted form, it said.
The ODPA said this means the “volume and application of redaction had a detrimental impact” on Mr Leisjer, “preventing a fair and transparent process and his ability to fully understand the grounds for the Controller’s decisions”.
An Enforcement Order was imposed on the States of Alderney, requiring it to give Mr Leisjer “an appropriately redacted document”.
It is understood that process is underway.
The ODPA said other data controllers can learn from the States of Alderney’s mistake.
“A fair and balanced test must be applied to the release and redaction of documents when dealing with data subject access requests, taking into account the impact on all parties, whilst recognising the rights of the individual and complying with the Law,” it said.