Failing to securely process personal data resulted in a formal warning for Isle of Sark Shipping
ISLE of Sark Shipping Company has been issued with a formal warning after breaching data protection rules.
An investigation by the Guernsey Office of the Data Protection Authority found that the company had breached three parts of the law.
They were the requirement for personal data to be processed lawfully, fairly and transparently, the requirement to keep personal data accurate and up to date and the requirement for personal data to be processed in a manner that ensures appropriate security.
The problems came to light when the authority raised some queries with the company.
'The authority had concerns that the [company] controller may have been unable to demonstrate sufficient awareness, understanding and compliance with their data protection obligations under the law and as a result failed to maintain appropriate standards and controls in their processing of personal data,' the ODPA report stated.
'The area of concern to the authority related to the processing of personal data concerning the financial status of a data subject. At the conclusion of the inquiry the authority found that the controller did not process the subject’s personal data in a manner which ensured that the data was processed fairly, lawfully, accurately or securely, in breach of three of the data protection principles under the law.'
When it came to punishing the failings, the authority noted there were mitigating factors in the case.
The controller maintained open and candid correspondence with the authority and took action prior to the ODPA's ruling to no longer process personal data in the manner highlighted by the inquiry.
The company has not been the subject of previous investigation or inquiry.
'However, the authority also took into account that the controller showed insufficient appreciation of the significance of some of the problems arising from the processing of personal data which were the subject of the inquiry,' the report stated.
In this case it was noted the breaches were at the lower end of the scale of seriousness, and it was decided the appropriate sanction was to impose a formal reprimand in relation to the breaches and also a formal warning to prevent future breaches of a similar nature.