THE government’s Customer and Local Services Department has been reprimanded for serious breaches of the Island’s Data Protection Law, after being ‘dismissive’ of an individual, too slow in responding and unable to locate all their personal information.
Upholding a complaint from one Islander about two requests for information, the Data Protection Authority said it would have considered imposing a ‘significant fine’ had the breaches been committed by a private entity.
Under current legislation, the authority cannot impose administrative fines on the government.
Three of the authority’s four public statements issued in the last three years were about the government.
The authority’s investigation into the complaints – details of which were published yesterday [Friday] – also concluded that CLS ‘did not have appropriate systems in place to allow it to respond to this type of request’ and had allocated an insufficiently trained junior member of staff to the task.
A spokesperson for the authority said: ‘A public statement issued by the authority is significant and it will do so where it considers that it would be in the public interest because of the gravity of the matter or in other exceptional circumstances. Only four have been issued in the last three years (three have been against government).’
They noted that the CLS department had a ‘touch point’ in every Islander’s life, holding sensitive information about Islanders’ lives, including data relating to health, education, business and tax.
The complaint related to two subject access requests – formal approaches to the government to obtain details of information it holds about an individual. In the first instance, the government should have provided a full response by 19 June 2020 but was almost a year late, and it failed to provide all the information to which they were entitled. A second request was 11 months late and again did not contain all the information held by the department.
According to the Authority’s findings, the department ‘failed to process the complainant’s data, lawfully, fairly and in a transparent manner, in contravention of the first data protection principle’.
Responding to the public rebuke, Ian Burns, chief officer of Customer and Local Services said: ‘We take our data protection responsibilities seriously and it is very disappointing that we have not handled this customer’s subject access requests correctly.
‘I have apologised to the customer personally. We have co-operated fully with the Jersey Office of the Information Commissioner regarding this complaint and have taken immediate action to improve our service for subject access requests in accordance with their recommendations.’