Skip to main content
Subscriber Only

States struggling to cope with data protection demands

LOCAL organisations and States departments are struggling to cope with increasing data protection demands.

Local organisations and States departments are struggling to cope with increasing data protection demands.
Local organisations and States departments are struggling to cope with increasing data protection demands. / Guernsey Press

The issue has recently been brought to light by the Health & Social Care and Home Affairs Committees. Last month, HSC was sanctioned by the Data Protection Authority for its repeated failure to properly handle requests from islanders to see what data the committee was holding on them, which it blamed on a shortage of staff.

Committee president Deputy George Oswald said improvements would be made as a matter of priority but explained why his committee was failing.

‘The volume and complexity of data subject access requests has more than doubled in recent years,’ he said.

‘Many requests span an individual’s entire lifetime and require significant officer time to repair and, as necessary, redact the data required, before release. Health & Social Care has failed, as a result, to keep up with this demand.’

A freedom of information request has also revealed that HSC recorded 95 data breaches between 2022 and 2025, although only seven met the threshold for mandatory reporting to the Data Protection Authority.

In early June, Home Affairs president Marc Leadbeater said his committee was also struggling to cope after it received 35 subject access requests following online encouragement from Deputy Rob Curgenven.

‘The number received over such a short period is highly unusual and has created a significant additional workload for the officers responsible,’ he said.

He explained that it was not just a matter of producing a file or pressing a button as information might need to be searched for across many operational areas, then reviewed carefully and assessed to make sure that third parties’ rights and personal data were protected.

Data protection commissioner Brent Homan said having access to personal information was a fundamental right, but he recognised that such requests could place a burden on resources.

‘We understand that there has been an increase in DSARs for many organisations which we have also experienced through an increase in the volume of complaints and enquiries to our office,’ he said.

‘There are strategies and approaches that can help organisations manage such requests more efficiently.’

In order to help, the Data Protection Authority has developed a ‘DPO Zone’ with dedicated tools to manage requests more effectively and has launched a series of workshops.

‘We have also been engaging directly with organisations that are finding DSAR demands challenging, providing practical advice for their specific situations, with an eye to ensuring that individuals’ data rights are respected while not making fulfilment obligations unnecessarily complex or burdensome,’ he said.

‘DSARs are a fundamental data protection right that must be respected and prioritised appropriately, including when demands rise. We can help.’

Mr Homan said that a positive response to a DSAR included early engagement and communication with the individual to better understand the scope of the request, as well as knowing and exercising exemptions responsibly. He urged any organisations to reach out for specific support or advice.

This content is restricted to subscribers. Already a subscriber? Log in here.

Get the Press. Get Guernsey.

Subscribe online & save. Cancel anytime.