Prospect Custodian Trustees Ltd reported the breach to the authorities following a cyber incident in June this year.
Yesterday, the Guernsey Office of the Data Protection Authority announced the three-way joint investigation would be taking place.
‘The opening of this investigation should not be taken to mean that we have reached a conclusion that Prospect has, or continues to, infringe data protection law,’ said the ODPA.
This is the first time that the data protection authorities of the four jurisdictions had worked together, said the authority.
‘By pooling resources and expertise, they will deliver a focused, efficient and expedient inquiry.’
Prospect has 160,000 members employed as scientists, engineers, technology experts and in other specialist roles, many of them public servants.
It also has an Association of Guernsey Civil Servants branch, and branches for members working at Guernsey Electricity and Sure.
It said that the investigation will be looking into the scope of the data breach and its potential harm.
The union holds data such as financial information and trade union membership, ethnic origin, sexual orientation, disability and religious believe, the data regulator said.
The investigation will also examine if the union had adequate measures in place to protect the information, if it took appropriate steps in its response to the breach to mitigate any identified risks that might have been posed to affected subjects, and if it upheld its breach notification obligations.
Each regulator will investigate compliance with the law that it oversees.
‘Cyber attacks are increasingly impacting organisations holding data across borders and jurisdictions,’ said Guernsey data protection commissioner Brent Homan.
‘International threats demand an international response.
‘By joining forces with our partners in the UK and British Isles we will ensure an elevated level of protection for our collective citizens’ data rights.’
A Prospect spokesman said that it took immediate action to secure its systems when the incident occurred and was able to prevent any impact on its services to members.
‘We take our responsibilities to our members incredibly seriously and are deeply sorry for any impact on them,’ he said.
‘We have offered a package of support, including credit monitoring, to those who have been affected.
‘These kinds of incidents are sadly becoming more common, and we encourage members to utilise the support we have offered if they have not yet done so.’
It notified the Information Commissioner’s Office and has since provided further information, he added.
‘We will continue to co-operate fully with their investigation as it continues.’
You need to be logged in to comment. If you had an account on our previous site, you can migrate your old account and comment profile to this site by visiting this page and entering the email address for your old account. We'll then send you an email with a link to follow to complete the process.