The battle over the future of Guernsey’s tax system has turned into a scrap over a spreadsheet.
Specifically, the spreadsheet – or spreadsheets – used to model the impact of the latest tax proposals.
Policy and Resources (P&R) says the numbers cannot be released because they contain ‘personally identifiable data’ (PID).
In fact, P&R goes further, with Vice President Yvonne Burford claiming it would actually be illegal for them to release the data.
Critics say that argument doesn’t add up, claiming P&R is using privacy rules to prevent scrutiny.
But, what actually is ‘personal data’?
And what would need to be true to justify P&R’s decision to block the release of the numbers?
What is personal data?
The first thing to understand is that ‘personal data’ does not simply mean information that is private.
Under European data protection law, including the General Data Protection Regulation (GDPR), personal data means:
“Any information relating to an identified or identifiable natural person.”
In simple terms, it is information that can identify a living person.
Sometimes that is obvious – names, addresses, bank details or medical records would clearly qualify.

But information can also become personal data when combined with other details.
Someone’s age might not identify them. But their age, occupation, employer, postcode and household circumstances might.
The key question is not whether a name appears in a dataset.
It is whether someone could reasonably be identified from the information available.
What do we know about the spreadsheet?
Express spoke to two deputies who have seen a screenshot of part of the spreadsheet.
They said it contained rows of figures linked to unique ID codes, with around 66,000 rows of data.
They said there were no names, addresses or other obvious identifiers, and that the information appeared to relate to household spending based on a 2019 household expenditure survey used in the tax modelling.
The deputies said they could not identify their own household from the information they saw.

P&R’s argument is that the underlying model contains detailed individual and household information protected by confidentiality rules.
Deputy Burford told Express:
“We cannot publish the model that calculates the aggregate numbers, because it contains very detailed and extensive individual and household data which is protected by Census and Income Tax legislation.”
The States economist has also argued that someone with access to the data could potentially identify their own household.
The deputies who saw the spreadsheet disagree.
Their argument is that recognising your own figures would not mean someone else could identify you.
A person would need additional knowledge about a household’s finances before they could work backwards from the data.
The dispute therefore comes down to one question:
Can someone identify a person or household from the information itself – or would they need outside knowledge to make that connection?
So do P&R’s models contain personal data?
The answer depends on what is actually in the modelling.
The fact that figures are based on households or taxpayers does not automatically mean the final analysis contains personal data.
For P&R’s position to be justified, the information would need to contain enough detail that someone could reasonably work out who a person or household was.
Data protection experts distinguish between:
- Directly identifiable personal data – where an individual can be identified immediately, such as through a name, address or other direct identifier
- Pseudonymised data – where identifying details have been replaced with codes or other identifiers, but a person could potentially be re-identified using additional information
- Anonymised data – where individuals can no longer reasonably be identified
The spreadsheet doesn’t appear to directly name anyone, so it does not appear to contain any ‘directly identifiable personal data’.
So, whether P&R is in the right hinges on one key question: Can you work out whose data it is using what’s called ‘jigsaw identification’?
In other words, the issue is not whether the data came from people – it is whether you could still work out which people it’s about.
The small island problem
One complication is Guernsey’s size.
Data that appears anonymous in a country like the UK can sometimes become identifying in a small community through what is known as ‘jigsaw identification’.
A combination of age, occupation, location and household details might match thousands of people in Britain.
On a small island, there may be far fewer possibilities.

Guernsey is not Sark, where a population of only a few hundred means unusual details can quickly point to one person.
But it is also not the UK, where the same information may apply to tens of thousands of households.
That creates a particular challenge: the smaller the population, the easier it can become to join together separate pieces of information.
Critics argue that risk can be managed.
They say figures could be rounded, grouped into bands, or released only as aggregated totals – protecting privacy while still allowing scrutiny.
The question is not whether identification is theoretically possible.
It is whether the data can be transformed enough to prevent it.
But, why can’t deputies see the numbers?
Even if P&R’s argument that the data is too sensitive to release to journalists or the public is valid, that still leaves the question of why current deputies haven’t been allowed access to it, when civil servants – and presumably members of P&R – have.
After being elected, deputies undertake mandatory training, including in data protection and handling confidential information.
Yet several backbenchers say they have not been allowed to inspect the underlying modelling used to produce the GST figures.

Deputy Haley Camp shared her frustration about the issue at Sunday’s anti-GST demo, telling the crowd: “We haven’t [been allowed to see the data] – we are allowed to see snippets”.
“We are told to look at appendices in a policy letter that does not contain the information we need to be able to make the biggest decision in a generation for this island.”.
The anti-GST deputies argue that if they’re trusted to run the island, they should be trusted to see the models.
Express does not have data on how many deputies have completed their mandatory data protection training.
However, arguing that the majority of Guernsey’s elected representatives can’t be trusted to see the data – when civil servants and P&R have seen it – would seem to throw up some pretty serious constitutional questions.
Where is the rest of the modelling?
There is another question hanging over the debate: is the spreadsheet the whole model?
The household spending data is only one part of a tax model.
A model of this kind would normally also involve assumptions about behaviour, economic impacts, revenues and how different groups are affected.
P&R has described the model as “large and complex”.
However, the committee has not disclosed whether economists have done any other modelling – such as higher-level examination of things like how GST will affect inflation or civil service staffing levels.
Likewise, it is unclear what modelling has been done on other aspects of the tax package, like a £7m Transport Tax.

Critics argue that even if some underlying data cannot be released, that does not necessarily mean all of the analysis and workings behind it must remain hidden.
So, the question is broader than whether one spreadsheet contains personal data.
It is whether enough of the workings behind one of the biggest changes to Guernsey’s tax system can be made available for others to test the assumptions and conclusions.
And if there is only one spreadsheet, can the modelling really be called “large and complex”?
The bigger question: trust and transparency
For critics, the PID argument has become about much more than a spreadsheet.
They say it raises a much bigger question: Can we trust our government?
The argument is not about whether personal information should be protected – almost everyone agrees that it should.
It’s about what happens when confidentiality and transparency collide.
The question backbenchers and the public are asking is this: Is P&R protecting genuinely sensitive information – or are privacy rules being used to prevent scrutiny?
Some deputies argue they are being asked to make one of the most significant decisions in a generation without being able to fully examine the workings behind the numbers they are expected to approve.
Their frustration is not simply that the public – and journalists – cannot see the figures.
It is that elected representatives themselves are being asked to rely on assurances about a model they cannot independently test – and will not have time to do so before the vote.
P&R says it has a legal and ethical responsibility to protect confidential information.
Critics argue that transparency does not mean publishing every piece of raw data.
It means providing enough evidence for decisions to be properly challenged and tested.
The challenge facing P&R is therefore not simply whether personal data exists – it is whether protecting that data requires protecting everything built from it.
Because ultimately, this dispute is not just about what is inside a spreadsheet.
It is about whether people have confidence in the decisions being made in their name.
