Data authority imposed sanctions on 11 firms for breaches last year
GUERNSEY’S Office of the Data Protection Authority conducted 24 investigations into breaches last year, and ended up imposing sanctions on 11 of the companies involved.
The investigations followed it receiving 38 complaints, according to its 2020 report.
Two companies were fined for breaches – Sure and Trinity Chambers.
Sure was fined £80,000 for publishing personal information in the 2020 phone book which contained inaccuracies and which in some cases went against subscribers’ wishes, plus a lack of transparency in how the personal data was to be processed.
Law firm Trinity Chambers was fined £10,000 for unauthorised disclosure of private and sensitive information about an individual and their family.
Reports on both of these cases were made public by the authority, and data protection commissioner Emma Martins said it appreciated that this would probably have been uncomfortable for both organisations.
‘But the principle of openness in dealing with breaches of the law is an important one because an environment of transparency and accountability encourages trust and confidence in us by those that make complaints,’ she said in her introduction.
ODPA chairman Richard Thomas added: 'With so many statutory duties and powers, it is vital that Guernsey’s Data Protection Authority is – and is seen to be – effective.'
The report includes three case studies. One of these involved a parent discovering several pictures of their child published online by ‘an organisation’ after the parent had not given consent when asked.
Following a formal complaint it nonetheless took several days for the pictures to be removed.
The ODPA said this showed the need for ensuring that a ‘lawful processing condition’ was applied before processing began, ‘the processing in this case being the posting of photographs on a social media site.’
Another incident involved an employee of a company accidentally sending an email with a private client’s details to several other clients by mistake while the third was a case in which private information was inadvertently sent to the wrong email address.
The office also started a major IT project in March last year and despite a lockdown in the middle of it, this was completed on time and under budget by December and saw a new website created in time for the opening of registrations.
The site also contains information which, it is hoped, will help individuals who are disputing a local organisation’s use of their personal data.
‘In addition, individuals are encouraged to make reasonable attempts to resolve the issue with the relevant organisation before making a formal complaint to the ODPA,’ said the report.
Mr Thomas said the report highlighted the ODPA’s effectiveness, particularly against the backdrop of last year’s extraordinary events.
‘It also highlights the need for the Bailiwick to see the protection of people and their data as a cultural activity, not a box-ticking exercise,’ he said.