In the British Isles, the Jersey Data Protection Authority (JDPA) has publicly criticised the way in which a Jersey government department handled an individual’s request for their personal data.
The data subject requested that Jersey’s Customer and Local Services department (CLS) provide them with full accounts of their personal data on two occasions.
The data subject was not satisfied with the CLS response, and issued a complaint to the JDPA which looked into the individual’s argument. The JDPA concluded that the CLS had been “dismissive” of the data subject’s requests, and had taken “too long” to respond to their demands for personal data. The data subject’s initial request was responded to after one year.
The JDPA also found that the junior staff member who had executed the early-stage searches for the data had not received the proper training for the job, and that crucial information had been withheld as a result.
The JDPA said:
“It may be interesting to note that if this had been an investigation against a private entity that the authority would have considered the imposition of a significant fine.”
Sitting to the west of the Cherbourg peninsula, northern France, Jersey is the largest of the Channel Islands located in the stretch of water between England and France. Under the Data Protection Authority (Jersey) Law 2018, public authorities cannot be hit with administrative fines.
The CLS has, instead, received a reprimand from the JDPA and been told to improve its data protection compliance standards “within a defined timeframe”.
The JDPA said its public stance “should act as a reminder that anyone holding personal information require appropriate systems, policies and appropriately trained staff to properly respond to requests that are made to them by islanders in accordance with the Data Protection Law”.
Commenting on the failings, the Jersey Office of the Information Commissioner (part of the JDPA), Anne King, said:
“This department has a “touch point” in every islander’s life and holds personal information about all islander’s lives - including health, education, business, and taxes”
She underlined how a “significant fine” would have been issued, had the breach taken place on the watch of a private business.
Ian Burns, the Chief Officer at Customer and Local Services said:
“We take our Data Protection responsibilities seriously and it is very disappointing that we have not handled this customer’s subject access requests correctly.
“I have apologised to the customer personally. We have co-operated fully with the Jersey Office of the Information Commissioner regarding this complaint and have taken immediate action to improve our service for subject access requests in accordance with their recommendations.”
PrivSec Global brings together leading experts from around the globe, for a 2-day livestream experience that ensures attendees have access to the latest information, guidance and advice on data protection, privacy and security.
PrivSec Global returns on 17th & 18th May 2023, and will once again deliver a carefully curated agenda that taps into the expertise of subject matter experts, industry leaders and academics.
→ Subject Access Requests: Respecting Data Rights While Saving Time and Resources
- Day 1: Wednesday 17th May 2023
- 12:30 - 13:15
- Adam Low, CTO, Zivver
- Rebecca Pringle, Data Protection Officer, Kaluza
- Jakub Kolasa, UK Data Protectin Officer, Opel Vauxhall Finance