A LASER hair removal business has been fined £500 by the Island’s data authority after a company director shared a former employee’s private information.
A director of JRSY Laser Ltd shared information about a former employee leaving the company’s employment – which included information about a dispute – to other members of staff.
In the email, the director also made “insulting comments” about the former employee.
In addition, the director threatened to share the former employee’s personal data with an “unconnected third party” – although did not follow through with this.
The Jersey Office of the Information Commissioner, which imposed the fine, said: “While it was acceptable for the other members of staff to have been told that the employee was no longer working for JRSY Laser, there was no reason to share any other information about their departure and circumstances surrounding it.”
The authority concluded that this data breach was “excessive”, and there was “no lawful basis” for sharing the information.
As part of the investigation, the JRSY Laser director was asked why they thought it was appropriate to share the email with other members of staff.
They said that they considered their small team to be like “a family”, and felt that the rest of the staff had a right to be included in the email.
A victim impact statement from the former employee said that “very real distress” had been cause by the director’s actions.
The data protection authority said: “They explained that they had suffered from emotional distress, anxiety and low self-esteem, which had impacted on their confidence to carry out their work.
“They also reported feeling threatened, embarrassed and hurt by the content of the email shared with the JRSY Laser staff because it was very negative about the employee’s character.”
During the investigation, it also came to light that JRSY Laser was not in compliance with certain other aspects of the Data Protection Law – despite previously being subject to an “almost identical complaint”.
A formal reprimand was issued and the company was fined £500.
The actions come less than 18 months after JRSY Laser was reprimanded for “deliberately” sharing a customer’s information with their boss during a row over an unpaid bill.
The data protection authority took this previous incident – which involved the same director – into account when deciding to issue the fine.
In 2023, the authority gave JRSY Laser a “specific warning that vindictive behaviour and threats to release personal data would not be tolerated and that any similar future behaviour would likely result in the issuing of an administrative fine”.
The authority also deemed it to be a “significant aggravating factor” that the director threatened the former employee.
“It is unacceptable to threaten individuals with disclosure of their personal information to try and settle disputes that may have arisen between the parties,” they said. “Proper avenues are open to businesses to pursue employment-related matters, eg the Employment and Discrimination Tribunal or Royal Court of Jersey.”
They added that it “will not hesitate increasing the severity of its sanction” if an organisation has already been subject of an investigation, and then repeats that behaviour.
