The Office of the Data Protection Authority (ODPA) released a public statement on July 4, 2024, announcing it reprimanded the Committee for Health and Social Care (HSC) for violations of the Data Protection (Bailiwick of Guernsey) Law (the Law), following a data breach.

Background to the decision

The ODPA stated that in December 2023, the HSC became aware of a data breach that affected the personal data of three individuals. The HSC then failed to notify the ODPA of the breach until 52 days after becoming aware. The ODPA further states that the HSC explained that the delayed notification resulted from a need to investigate the breach further and verify contact details for the affected individuals before providing written notification about the breach. The ODPA mentioned that the affected individuals received notification about the breach after 50 days for one individual and after 62 days for two individuals. The ODPA stated the breached personal data included information that related to substance misuse.

Findings of the ODPA

The ODPA stated that the HSC was required to notify the ODPA within 72 hours of becoming aware of a breach as required by Article 42(2) of the Law. The ODPA also stated that notification to the affected individuals should have occurred as soon as practicable as required by Article 43(1) of the Law where a personal data breach is deemed likely to result in a high risk of harm.

Outcomes

The ODPA reprimanded the HSC for failing to notify individuals and the authorities about the breach. The HSC may appeal the determination within 28 days otherwise the case will end on July 29, 2024.

You can read the press release here.