Guernsey Press

Reprimand for garden centre operator over data protection

GARDEN centre operator Blue Diamond has fallen foul of data protection laws.

Published
Last updated
Blue Diamond managing director Alan Roper said the data protection law breach needed to be considered in the light of the pandemic which saw it fighting for its very existence. (Picture by Adrian Miller, 29537903)

The Data Protection Authority has issued a reprimand to the company, which operates Le Friquet Garden Centre, for what the regulator said was a failure to respond to requests for information within a one-month time limit.

The DPA said Blue Diamond received two right of access requests on 15 May last year. These allow individuals to request, among other things, copies of personal data processed by the company, which in the context of the law is referred to as the data controller.

An investigation was carried out by the DPA after it received a complaint that Blue Diamond had failed to comply with the request within the time allowed.

While the company had sent an initial response to the requests, the DPA said this was not a complete one.

‘While it is recognised that this was the first such request made of Blue Diamond, it became apparent during the investigation that it did not have an appropriate understanding of the statutory obligations it had as a controller under the law,’ said the DPA.

The company contacted the authority early on for advice as to how to deal with the request. The DPA said that clear, unambiguous guidance was given, but was clearly not followed.

‘The controller in this case, while being a well-respected local company, is also a UK-wide organisation employing some 3,300 staff, and an organisation of that size should be fully aware of data protection issues relating to its business.’

Blue Diamond had accepted failures in processing and complying with the law and admitted that it had been a steep learning curve from which lessons have been learnt.

The company said part of the problem was having to deal with the impact of the Covid-19 pandemic, and the DPA accepted that this had impacted on operational matters. The company’s relationship with the complainants had also had a detrimental effect on the process and the company’s engagement with it.

Blue Diamond managing director Alan Roper said the company took the data protection rights of its employees seriously: ‘[But] this incident needs to be considered in the context of the worst crisis in living memory caused by Covid-19 when our focus was on survival and our very existence was under threat,’ he said.

Blue Diamond co-operated with the DPA at every stage of the investigation, kept it and the two individuals informed regularly of the status of their requests and provided the information shortly after the deadline expired.

‘Given the pandemic, it was very difficult to comply with the access requests, particularly in the context of the volume of information requested and the short time-frame.’

While the company respected and supported the data protection law, ‘we firmly believe that it needs to take more account of the rights of employers, particularly when disgruntled former employees can abuse the process’.

Data protection commissioner Emma Martins said the DPA recognised this was a challenging time for all organisations.

‘We must also be mindful that where individuals seek to exercise their legal rights, there is an expectation that those rights will be respected,’ she said.

‘Early and positive engagement with individuals and with the ODPA will always contribute to more positive outcomes.’

The DPA was pleased the company had reflected on the lessons learned to make sure it was better able to respond to similar requests in a timely manner in future.