The Jersey Data Protection Authority Issues a public statement against JRSY Laser Limited

The Jersey Data Protection Authority (JDPA) is the independent regulatory authority that promotes respect for the privacy & information rights of individuals through oversight of the Data Protection (Jersey) Law 2018 and Data Protection Authority (Jersey) Law 2018

DATA PROTECTION AUTHORITY (JERSEY) LAW 2018 - ARTICLE 14 - PUBLIC STATEMENT - Data Controller: JRSY Laser Limited Registration No: 70645

1. On 5-12-23 The JDPA has issued a public statement pursuant to Art.14 of the DPAJL 2018 following an Investigation
• Data Controller: JRSY Laser Limited [Registration No: 70645]

2. Following an investigation commenced in September 2021 pursuant to Art.20 of the Data Protection Authority (Jersey) Law 2018 (DPAJL 2018), the Data Protection Authority for the Bailiwick of Jersey (the Authority) has determined that JRSY Laser Limited (JRSY Laser) has contravened Art.6(1)(b), Art.6(1)(c) and Arts.8(a)(b) and (f) of the Data Protection (Jersey) Law 2018 (the DPJL 2018).

3. JRSY Laser was issued with a formal Reprimand together with orders to improve its compliance with the DPJL 2018.

Background

4. A customer of JRSY Laser (the Data Subject) contacted the Authority in September 2021 to complain about the processing of their sensitive information by JRSY Laser. There was a fee dispute between the Data Subject and JRSY Laser. The data subject’s complaint was that one of the directors of JRSY Laser (Director A, who was also the nominated DPO) threated to share – and it transpired subsequently did share - sensitive information about treatments undergone by the Data Subject (which is special category data) and other personal data with the Data Subject’s employer and another third party.

5. Director A had told the Data Subject that if payment was not made, information about what treatments the Data Subject had received would be shared with the Data Subject’s employer. When the Data Subject did not pay monies JRSY Laser said were owed, Director A carried through on their threat and wrote to the Data Subject’s employer setting out, in full, the nature of the treatment the Data Subject had undergone and details of the fee dispute between the parties. Director A also wrote to the receptionist of the rooms used by JRSY Laser with the same information (the Data Subject had previously spoken to the receptionist about the issues they were experiencing with JRSY Laser and the fee dispute.)

6. As part of the investigation JRSY Laser was asked how they usually dealt with fee disputes and they advised that they would usually submit applications to the Petty Debts Court but on this occasion, they chose to share the information with their Data Subject’s employer because the Data Subject works for an entity that JRSY Laser uses, and Director A decided the Data Subject’s behaviour was so bad that the matter must be reported to their employer instead.

The contraventions of the DPJL 2018

7. The Authority found that JRSY Laser should not have shared the information about the Data Subject’s treatments and the fee dispute with either the Data Subject’s employer or the receptionist and there was no lawful basis for sharing that information. The processing of the data subject’s information in this way was also incompatible with the original purpose for which it was collected. The sharing of the information was therefore in contravention of Art.8(1)(a) and Art.8(1)(b) of the DPJL 2018.

8. During the investigation, it also came to light that JRSY Laser Limited were not in compliance with certain other aspects of the DPJL 2018.

a. It was not registered with the Authority as required by law and it had not paid its registration fee (contravention of Art.6(1)(b) and Art.6(1)(c) of the DPJL 2018);

b. It had no processes or policies in place detailing how customer personal data would be dealt with and failed to provide appropriate training to staff, including the DPO (contravention of Art.8(1)(f) of the DPJL 2018).

9. JRSY Laser also failed to respond to a formal information notice issued under Art.22 of the DPAJL 2018 within the legal timeframe without good reason.

Sanctions and orders

10. A victim impact statement was given by the Data Subject who outlined the very real distress that had been caused by Director A’s actions. They were embarrassed by their employer knowing information about their health and this disclosure caused the Data Subject to consider moving to another job.

11. JRSY Laser showed insufficient appreciation of the significance of some of the problems arising from the sharing of the Data Subject’s personal data and tended to minimise the significant effect the processing had on the data subject. Director A deliberately and purposefully shared the Data Subject’s information knowing that it would likely cause them distress, upset and embarrassment.

12. The only mitigation available to the Controller was that it ultimately obtained the services of a data protection consultant to assist with the Authority’s investigation and to assist and to address the orders ultimately made by the Authority.

13. Considering the above factors, the Authority issued a formal reprimand and made a number of orders pursuant to Art.25(3) of the DPAJL 2018 regarding completing registration with the Authority, and reviewing and updating its processes and education for staff.

14. The Authority considered the range of sanctions available and decided that a public statement was to the appropriate sanction, noting the particular circumstances of the Controller.

15. The orders were completed within the timeframe required by the Authority.

LESSONS LEARNED

16. Special category data (including health data) are afforded higher levels of protection in the DPJL 2018, reflecting the harm and distress that can result from sharing that information where there is no lawful reason for doing so. Where organisations do not take their legal responsibilities to protect such data seriously or where they are negligent to their responsibilities, consideration will be given to the appropriate sanction (including the issuing of a fine, where available).

17. It is not appropriate for organisations to threaten data subjects with disclosure of their personal data (particularly special category data) to try and force settlement of a fee dispute; there are other avenues available to pursue outstanding debts e.g. the Petty Debts Court or Royal Court of Jersey.

18. Any individual within an organisation performing the function of data protection lead/data protection officer must possess the necessary skills and experience to allow them to fulfil their duties. A formal DPO must also be able to independently fulfil their duties and make sure that their DPO duties do not conflict with any other tasks the individual performs.

19. The Authority expects full cooperation from organisations, particularly in situations involving formal enforcement activity under Part 4 of the DPAJL 2018 and expects any requests for information to be responded to within the timeframes set out in law. Organisations are reminded that any failure to engage or to attempt to obstruct the Authority in the performance of its functions may constitute a criminal offence.

20. Finally, the Authority wishes to make its position clear that any vindictive behaviour on the part of a controller towards a data subject (including the issuing of threats to release personal information should certain actions not be complied with) will be viewed with utmost seriousness and is viewed by the Authority as a significant aggravating factor. Accordingly, any controller tempted to behave in a similar way is put on explicit notice that the Authority will have no hesitation in issuing an administrative fine in similar circumstances, should they arise.

More Information

More information on regulation and enforcement of the DPJL 2018 in the Regulatory Action and Enforcement Policy here.

• https://jerseyoic.org/media/l5sfz1s0/joic-regulatory-action-and-enforcement-policy.pdf

Source

• https://www.jerseyoic.org/media/4c5pg2ev/public_statement_jdpa_december_2023_5-12-23.pdf