Public Statement - February 2022

The Jersey Data Protection Authority (the Authority) has issued a Public Statement regarding the outcome of a formal Inquiry into three contraventions of the Data Protection (Jersey) Law 2018 (the Law) by the Children’s Services Department (the Department), a function of the Children, Young People, Education and Skills Department of the Government of Jersey.

The Jersey Office of the Information Commissioner (the JOIC) is the office responsible for overseeing the Law. Organisations of all sizes in Jersey that process people’s personal information (including charities, clubs, associations and Government departments) are reminded that the Law is based around six key principles of good information handling and they have statutory obligations under the Law to comply with these principles.

In this case, the Information Commissioner found that on two occasions the Department had failed to comply with the Law in that it failed to ensure that it had appropriate technical and organisational measures in place to maintain the security of the data it processes. These failures led to two separate personal data breaches. The Department also failed to notify the Authority of those breaches within the required timeframe, which in itself constitutes a breach of the Law.

The breaches related to the Department’s use of an online conferencing platform to hold a child protection meeting during which sensitive personal information about an individual was disclosed to other call participants, who should not have been present for that part of the call.

Secondly, a disclosure made by a family member who was present on the call, was then disclosed by the Department to an unintended recipient via email.

The Department failed to report the first two breaches to the Authority within the timescales required by the Law.

Notwithstanding this was the second Public Statement the Authority has issued to the Department in the last six months, the Authority considered the Department’s early admissions, open and direct liaison with the affected parties and complete cooperation by the Department’s staff with the Authority as mitigating factors. It also recognised the Department took appropriate steps following the breaches, including:

● Identifying areas for improvement such as bespoke data protection training for staff.
● Making recommendations to implement a training programme for the use of new technology in its day-to-day processes.
● New procedures for disclosing personal data on conference calls, updating processes for using online video conferencing software and a change of process around the sending sensitive information via email.

The Authority also noted that following the incidents, staff were reminded of the importance of, when required, reporting any personal data breaches to the Jersey Office of the Information Commissioner and why it is imperative to do this within the required timeframe.

Accordingly, the Authority issued a formal reprimand, made orders in respect of remedial steps to be taken by the Department, and determined that the circumstances of this case were of sufficient gravity that it was in the public interest to warrant a public statement. Had the Authority not been prevented by Law from imposing a fine due to the Department being a Public Authority, the Authority would have considered a fine in these circumstances.

Jersey Data Protection Authority Chair, Jacob Kohnstamm, commented: ‘Special category personal information is afforded higher levels of protection under the Data Protection (Jersey) Law 2018, reflecting the harm and distress to individuals that can result from a breach. The Authority is clear that where organisations do not take their legal responsibilities to protect such data seriously or where they are negligent as to their responsibilities, consideration will be given to the appropriate sanction (including the issuing of a fine, where permissible).

All data controllers and processors have significant obligations in law and are accountable for the personal data they are entrusted with. This is particularly important when the organisation concerned is a Public Authority, as building the trust and confidence of the Jersey public in Government data handling activities is paramount.’

Information Commissioner Paul Vane commented: ‘The Law is there to protect individuals from the misuse of their personal information. This Inquiry highlights the importance of ensuring robust security measures are in place when processing personal information, especially when it is of a sensitive nature. The rise of online conferencing platforms during the Covid-19 pandemic has led to organisations implementing new ways of carrying out their day-to-day work, but it is important for organisations to ensure that all their staff are fully trained in the use of such platforms, including the risks of use and what they can do to mitigate such risks. It also highlights the impact a lack of basic awareness can have on the rights, freedoms and privacy of individuals and the distress that can occur when things go wrong. In line with the ‘Data Security, Integrity and Confidentiality’ Principle of the Law, Data Controllers must ensure the appropriate measures are taken to protect people’s personal information and ensure staff remain vigilant and are appropriately trained.’

The JOIC has issued the following tips to help organisations protect people’s personal information when using online conferencing platforms.

‘Data Protection and Online Conferencing – Tips for Organisations’

1 – Make sure that clear, understandable and up-to-date organisational policies and guidelines are provided to those using online conferencing platforms.

2 - Ensure staff are trained to know what rules to follow and steps to take to minimise data protection risks.

3 - Employees should be using your organisation’s contracted service providers only, for work related communications. Ensure you are happy with the privacy and security features of the services you ask them to use.

4 - Ensure employees only use work accounts, email addresses and phone numbers for work-related online-conferencing, to avoid the unnecessary collection of their personal contact or social media details.

5 - Implement appropriate security controls (such as multi-factor authentication and strong, unique passwords) and limit use and data sharing to what is necessary.

The Data Protection Principles are at the core of the responsibilities placed upon controllers and processors. They are:

• FAIR, LAWFUL and TRANSPARENT PROCESSING: Personal data are to be processed lawfully, fairly and in a transparent manner in relation to the data.
• PURPOSE LIMITATION: Personal data must be collected for specified, explicit and legitimate purposes and once collected, not further processed in a manner incompatible with those purposes.
• EXCESSIVE DATA COLLECTION: Personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
• ACCURACY OF DATA: Personal data must be accurate and, where necessary, kept up to date, with reasonable steps being taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
• STORAGE LIMITATION: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
• DATA SECURITY, INTEGRITY AND CONFIDENTIALITY: Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Does your organisation need advice about good personal information handling? You can call our office, the Jersey Office of the Information Commissioner on 01534 716530 or visit www.jerseyoic.org.