A Guernsey Advocate’s doorstep delivery of sensitive legal papers led to a data protection breach.

In a Judgment handed down on 23rd December 2025 (‘Judgment’), Guernsey’s Royal Court dismissed an appeal brought by.

• Advocates Mark Gerard Ferbrache, Paul Richardson and Robin John Reeves Cowling
• Practising under the style and name of AFR Advocates (‘AFR’).

INCIDENT AND COMPLAINT ABOUT AFR

• In July 2022, a paralegal from AFR Advocates delivered a ring binder containing over 200 pages—including highly sensitive health data—directly to a client's doorstep in St Peter Port while the client was away, leaving it in plain sight near a busy road
• Following a formal complaint by the individual, the Authority investigated and concluded that a breach of the Law had occurred.

DATA PROTECTION AUTHORITY ACTION

• In February 2023, consequently, the Authority issued a determination finding that AFR had contravened
• Section 6 (the principle of ‘Integrity and Confidentiality’) and
• Section 41 of the Law (‘Duty to take reasonable steps to ensure security of personal data’).
• Alongside its determination, the Authority issued a reprimand.

AFR APPEL

• AFR appealed a determination and reprimand by the authority from February 2023. It was the first appeal against a regulator's determination.
• AFR, as a data controller, disagreed with the Authority’s determination and exercised its right of appeal.
• The appeal was against a breach determination by the Data Protection Authority (‘Authority’) issued against AFR.
• This is the first time a (data protection) controller has exercised its right of appeal pursuant to section 84 of the Data Protection (Bailiwick of Guernsey) Law, 2017 (“Law”), against a breach determination issued by the Authority.

APPEAL REJECTED

• Judge Fionnuala Connolly rejected all grounds of the appeal in her judgment published just before Christmas. The appeal was heard earlier this year.

APPEAL JUDGMENT,

• The appeal concerned the investigation and determination of an incident in 2022, in which AFR Advocates hand-delivered a bundle of documents to an individual's home address.
• The bundle contained over 200 pages of materials related to a private legal claim brought by the individual against a third party.
• Among other items, the bundle, left on the individual’s doorstep, contained various pages of the individual’s health data, defined in the Law as ‘special category data’.
• The bundle was in an ordinary ring binder folder and was not enclosed in an envelope, box, or any other container. Nor was it delivered to a ‘safe place’ or out of sight of the road.
• The individual was not at home at the time of the delivery and considered that they had put their private and sensitive personal data at risk.

COMMISSIONER BRENT HOMAN SAID:-

• AFR’s reaction to the determination was  ‘bewildering’.

• “We welcome the court’s judgment that upholds our determination while confirming our proportionate approach to investigation.
• We further appreciate the awarding of costs, as our preferred approach continues to involve constructive engagement with organisations to help them “get it right” rather than to be brought into costly and lengthy litigation.
• “There are also essential lessons from the determination upheld by the Court.
• The Law requires anyone working with people’s data to take appropriate safeguard measures ensuring the security of personal data at all times.
• Special category data, such as health data, requires additional measures to ensure confidentiality.”

 Case Overview

• Law Firm: AFR Advocates
• Incident: In July 2022, a paralegal from AFR Advocates delivered a ring‑binder containing over 200 pages—including highly sensitive health data—directly to a client's doorstep in St Peter Port while the client was away, leaving it in plain sight near a busy road. [guernseypress.com], [sg.news.yahoo.com]

Data Protection Breaches

• Violated Section 6 (Integrity and Confidentiality) and Section 41 (duty to ensure data security) of the Data Protection (Bailiwick of Guernsey) Law, 2017. [guernseypress.com], [channeleye.media]
• The bundle was not protected—no envelope or secure location—and the delivery method placed “private and sensitive personal data at risk”. [sg.news.yahoo.com], [guernseypress.com]

Legal Proceedings & Outcome

• AFR Advocates appealed the Data Protection Authority’s determination, arguing they had taken “reasonable steps” by using a lever‑arch folder and hand-delivering the documents. [guernseypress.com], [channeleye.media]
• The Royal Court dismissed the appeal, confirming the breach and upholding the Authority’s ruling on 23 December 2025.
• The Court also awarded costs to the client. [sg.news.yahoo.com], [channeleye.media]

Key Takeaways

• This marks the first-ever appeal by a data controller under Section 84 of the 2017 Law. [channeleye.media]
• Data Protection Commissioner Brent Homan praised the ruling, noting the need for appropriate safeguarding measures, especially for “special category” data like health information. [sg.news.yahoo.com], [guernseypress.com]

SOURCES

• https://channeleye.media/royal-court-of-guernsey-upholds-data-protection-authoritys-decision-re-afr-advocates/
• https://guernseypress.com/news/2025/12/30/royal-court-dismisses-landmark-data-protection-appeal
• https://sg.news.yahoo.com/data-ruling-upheld-papers-left-131745380.html?guccounter=1