The Jersey Office of the Information Commissioner ('JOIC') published, on 22 February 2022, a public statement of the Jersey data protection authority ('JDPA'), as issued on the same day, in which the latter imposed a formal reprimand to the Children's Services Department, Government of Jersey, for violations of Articles 8(1)(f) and 20(1) of the Data Protection (Jersey) Law 2018 ('the Law'), following an inquiry initiated in November 2021 by the JDPA.

Background to the public statement

In particular, the JDPA stated that, during a Children's Services Department's child protection online conference meeting, certain family members had remained connected to the call, when they should not have, due to some technical issues in the functioning of the online video conferencing software in use. The JDPA noted that, as a result, certain sensitive information had been disclosed. Subsequently, the JDPA outlined that such information had been further shared with unconnected third parties and published on social media. In addition, the JDPA reported that a complaint regarding the child protection meeting had been made to the Children's Services Department, which was shared to an unintended recipient via email by the Children's Services Department. Moreover, the JDPA stated that, on both occasions, the Children's Services Department had belatedly reported the breaches to the JDPA.

Findings of the JDPA

Further to the above, the JDPA held that the Children's Services Department had violated the Law, in that it had failed to comply with the integrity and confidentiality principle and to ensure that it had appropriate technical and organisational measures in place to maintain the security of the data it processes. Additionally, the JDPA determined that the Children's Services Department's failure to notify the JDPA of these breaches within the required timeframe constituted, in itself, a breach of the Law.

In light of the violations occurred, the JDPA imposed a formal reprimand, and, notwithstanding the fact that the reprimand in question was the second one issued to the Children's Services Department in the previous six months, it considered favourably the Children's Services Department complete cooperation with the affected parties and the JDPA and the fact that it had promptly taken appropriate steps following the breaches.

In addition, the JDPA made a number of orders regarding updating of the Children's Services Department's internal processes regarding the use of its online video conferencing software and appropriate education for staff.

Outcomes

In conclusion, the JDPA issued the aforementioned reprimand and highlighted that the Children's Services Department had 28 days to lodge an appeal before the Royal Court of Jersey.

You can read the announcement here and the public statement here.