Staff data breaches (FOI)Staff data breaches (FOI)
Produced by the Freedom of Information officeAuthored by States of Jersey and published on
21 December 2018.Request
A
I would like information on the number of States of Jersey employees dealt with for breaches of the Data Protection Law, for example investigated as a result of complaints, reports or internal audits.
B
The resultant outcomes, punishments / sanctions within the last three years, for example disciplined, words of advice, no further action, prosecuted, dismissed or required to resign.
Response
The tables below have been compiled from information provided by the various departments in relation to recorded data breaches involving SOJ staff members.
Total breaches by year
2016 | 2017 | 2018 | Total |
12 | 20 | 33 | 65 |
Total breaches by outcome
Referred to the OIC | 17 |
Disciplinary | 14 |
Words of advice / warning / training | 34 |
Of the 65 incidents in total, fewer than five members of staff faced criminal proceedings, 14 members of staff faced internal disciplinary proceedings, and 34 members of staff were officially warned or were offered additional advice or provided with further training. Of the 65 breaches, 17 were reported to the Office of the Information Commissioner (OIC).
Each States department has traditionally managed its own data breaches, but in line with the One Government approach, work continues towards a more centralised system to ensure that incidents are managed consistently and that the opportunity for any lessons to be learnt are maximised across the organisation. The States of Jersey have recently appointed a Data Protection Officer to provide strategic oversight of data protection compliance across the organisation. This officer is advised of breaches reported by States of Jersey departments.
To avoid the potential for identification of individuals, disclosure control has been applied to numbers fewer than five under Article 25 (Personal information) of the Freedom of Information (Jersey) Law 2011 (the Law).
Article applied
Article 25 Personal information
(1) Information is absolutely exempt information if it constitutes personal data of which the applicant is the data subject as defined in the Data Protection (Jersey) Law 2018.
(2) Information is absolutely exempt information if –
(a) it constitutes personal data of which the applicant is not the data subject as defined in the Data Protection (Jersey) Law 2018; and
(b) its supply to a member of the public would contravene any of the data protection principles, as defined in that Law.