JERSEY - 1st JOIC Public Statement re DSAR failure

On 14 April 2023, The Jersey Office of the Information Commissioner  issued its first public statement of 2023 against the Government of Jersey, Customer & Local Services [CLS]:

• https://www.jerseyoic.org/news-articles/public-statements/public-statement-april-2023/

This relates to two subject access requests [DSARs] made by an individual and a complaint made to the JOIC that CLS had failed to respond to those requests in line with the the Data Protection (Jersey) Law 2018 (the DPJL 2018)

THE OUTCOME IS THAT

• CLS has received a formal Reprimand, and
• The JOIC also issued certain orders requiring CLS to improve their internal processes within a specified timeframe.
• The Authority indicated that it would have considered imposing an administrative fine in this case, but it is unable to issue penalties against a public authority

Specifically, the JOIC found that:

• CLS' records management function had significant failings. It did not have appropriate resources or systems in place to be able to respond to the Complainant's DSARs in a proper manner.
• The initial searches undertaken in response to the First and Second DSARs were undertaken by a junior officer who lacked the appropriate training and knowledge to respond to those subject access requests in terms of properly
  • Knowing where information is held within CLS systems and
  • Also which exemptions applied (if any) and how to properly redact documents.
• Certain exemptions had been relied upon unlawfully by CLS,
• CLS redactions were inappropriately and/or inconsistently applied.
  • The Complainant raised concerns about the quality of the DSAR responses, including worries about apparently missing information and inappropriately used redactions
• The general interactions between CLS and the Complainant regarding these issues were poor and not well-managed.
• The Controller showed insufficient appreciation of the significance of some of the problems arising from the processing of personal data, which were the subject of the investigation and tended to minimise the effect the processing had on the data subject.

What learnings can we take away from this?

• Controllers need to know where to look for personal data if a subject access request is received, and systems should enable controllers to respond to such requests effectively.
• Staff members dealing with responses to DSARs must be able to properly analyse the request received, know where to locate the data and have appropriate training in preparing a response, relying on exemptions and applying any redactions; this is an important function.
• If an individual says they don't think the response is complete/they don't understand the redactions/they believe information is missing, don't dismiss them out of hand as they may be right.

THE PUBLIC STATEMENT SAYS

Data Controller: Government of Jersey, Customer & Local Services

1. The Data Protection Authority for the Bailiwick of Jersey (the Authority) has determined that the Government of Jersey, Customer & Local Services (CLS) (the Controller) has contravened
   • 8(1)(a), Art.14(1)(a), Art.14(1)(b), Art.27(1) and Art.28(3)(a) of the Data Protection (Jersey) Law 2018 (the DPJL 2018)
   • in that it failed to respond appropriately to certain requests for access to information held by it.
2. Following a lengthy investigation commenced in October 2020 pursuant to Art.20 of the Data Protection Authority (Jersey) Law 2018 (DPAJL 2018), the Authority has determined that CLS was responsible for contraventions relating to failure to respond appropriately to two subject access requests (the First DSAR and Second DSAR) made by an individual (the Complainant):
   • In respect of the First DSAR:
     • A response ought to have been provided to the Complainant by 19/06/2020 at the latest, but a full response was not, in fact, provided until 09/06/2021. Accordingly, CLS failed to provide a response to the First DSAR in accordance with the legal timeframe, in contravention of Art.27(1) of the DPJL 2018;
     • CLS failed to provide certain copies of the Complainant's information to which he was entitled in response to the First DSAR, in contravention of Art.28(3)(a) of the DPJL 2018.
   • In respect of the Second DSAR:
     • A response ought to have been provided by 20/07/2020 but a full response was not, in fact, provided until 09/06/2021. Accordingly, CLS failed to provide a response to the Second DSAR in accordance with the legal timeframe, in contravention of Art.27(1) of the DPJL 2018;
     • CLS failed to provide certain copies of the Complainant's information to which he was entitled in response to the Second DSAR, in contravention of Art.28(3)(a) of the DPJL 2018.
   • CLS failed to process the Complainant's data, lawfully, fairly and in a transparent manner, in contravention of the first data protection principle at Art.8(1)(a) of the DPJL 2018;
   • CLS failed to implement proportionate technical and organisational measures to ensure processing is performed in accordance with this Law, in contravention of Art.14(1)(a) of the DPJL 2018;
   • CLS failed to demonstrate that those measures are in place so that processing is indeed performed in accordance with this Law, in contravention of Art.14(1)(b) of the DPJL 2018;
3. Specifically, it was found that:
   • CLS' records management function had significant failings in that it did not have appropriate resources or systems in place to be able to respond to the Complainant's DSARs in an appropriate manner.
   • The initial searches undertaken in response to the First and Second DSARs were undertaken by a junior officer who lacked appropriate training and knowledge to properly respond to those subject access requests in terms of knowing where information is held within CLS systems and also which exemptions applied (if any) and how to properly redact documents.
   • Upon review of the relevant material by the Authority, it was clear that certain exemptions had been relied upon unlawfully by CLS and redactions inappropriately and/or inconsistently applied.
   • When the Complainant raised concerns about the quality of the DSAR responses (including raising concerns about apparently missing information and inappropriately applied redactions and with which the Authority ultimately agreed) such concerns were dismissed with little interrogation and the general interactions between CLS and the Complainant in respect of these issues were poor and not well-managed.
   • The Controller showed insufficient appreciation of the significance of some of the problems arising from the processing of personal data which were the subject of the investigation and tended to minimise the effect the processing had on the data subject.
4. Whilst the Controller maintained open and candid correspondence with the Authority during the course of its enquiries, made early admissions in terms of identified failings and took swift steps to rectify those matters, ultimately the Authority imposed a formal Reprimand and made a number of orders pursuant to Art.25(3) of the DPAJL 2018 regarding:
   • the updating of its processes relating to their DSAR response including reviewing the information that is provided to members of the public about how CLS actions such requests;
   • education for staff and improvements made to their technical and organisational measures to ensure responses to DSARs will be achieved fully and in a timely manner and that those involved in the process are of sufficient training and education to carry out such activities.
5. Those improvement measures were ordered to be carried out within a stipulated timeframe and confirmation of such provided to the Authority, which CLS has done.
6. Had this been a private sector entity, the Authority would have considered the imposition of a significant fine in a case of this gravity. However, the DPAJL 2018 sets out that the Authority cannot issue administrative fines against public authorities and so the only sanctions available for consideration are the issuing of a formal reprimand and/or the making of certain orders designed to bring processing in-line with the DPJL 2018 and to ensure appropriate supervisory oversight by the Authority.
7. This public statement should act as a reminder to all controllers of the need to have appropriate systems, policies and appropriately trained staff to properly respond to requests that are made to them.

Legal Framework

1. This is a public statement made by the Authority pursuant to Art.14 of the DPAJL 2018 following an Investigation by the Authority and following receipt of a complaint regarding the Controller's processing of certain personal data. Individuals can make a formal complaint under Art.19 of the DPAJL 2018 Law if they think that a controller has contravened the DPJL 2018 and it involves or affects their rights.
2. The Authority may investigate a complaint and once an investigation has been completed, Art.23 of the DPAJL 2018 requires the Authority to make a Proposed Determination as to whether a Controller has contravened the DPJL 2018.
3. If the Authority determines that there has been a contravention, it must then go on to consider what sanction should be imposed against the Controller, if any.
4. Art.25 of the DPAJL 2018 sets out the various sanctions that are available to the Authority following a Proposed Determination and, having considered all relevant facts (including representations made by the Controller), the Authority has considered that this matter is most appropriately disposed of by way of a formal reprimand and the imposition of orders. (Administrative fines may not be levied against public authorities and so this form of sanction was not available in this particular case.)
5. Art.32 of the Authority Law allows an affected party a right of appeal to the Royal Court of Jersey. Any such appeal must be made within 28 days.

https://www.jerseyoic.org/news-articles/public-statements/public-statement-april-2023/