Jersey Data Authority issues Public Statement to “Department for Children, Young People, Education and Skills”.

The JOIC has issued a public statement to the Department for Children, Young People, Education and Skills (CYPES)

• https://www.gov.je/government/departments/education/Pages/index.aspx

and the statement is made by the Authority pursuant to Art . 14 of the DPAJL 2018 following an Investigation by the Authority.

1. Following an investigation commenced on 1 July 2024 pursuant to Art.20 of the Data Protection Authority (Jersey) Law 2018 (DPAJL 2018), the Data Protection Authority for the Bailiwick of Jersey (the Authority) has determined that the Controller has contravened Art.8(1)(f) and Art.9 of the Data Protection (Jersey) Law 2018 (the DPJL 2018).

2. CYPES was issued with a formal Reprimand together with Orders to improve its compliance with the DPJL 2018.

3. ORDER 1: CYPES will review the referral process to ensure information used and shared as part of this process is clearly captured and understood by all professional parties using it, providing an opportunity to raise questions before meeting with the family. This review should be carried out immediately, and a copy of the revised documentation should be provided to the Authority by 10 April 2025.

4. ORDER 2: CYPES will ensure all staff and third-party organisations are appropriately trained to manage special category data as part of the referral process and more generally in their roles. This training should be provided as soon as possible and in any event by 7 April 2025.  CYPES will advise the Authority by 10 April 2025 of the training that has been provided and confirm that all those with responsibility for referrals have attended and are of sufficient understanding to fulfil their obligations.

Background

1. This Public Statement is related to an investigation by the authority following receipt of a complaint (a complaint) made to the Authority by a member of the public (the complainant) about the processing operations of CYPES.
2. During a routine meeting to discuss their child, special category data (highly sensitive personal data) relating to the child’s mother (the complainant) was shared, whilst the complainant’s mother was in the room. The complainant’s mother was not aware of this information, and the disclosure of this has caused a hugely negative impact on the family.
3. CYPES demonstrated poor governance and a lack of controls relating to their records management and note-taking.  Records of previous disclosures had not been recorded appropriately, leading to the unauthorised disclosure detailed above.

The contraventions of the DPJL 2018 9.

The Authority found that CYPES should not have openly shared ‘the information’. CYPES was therefore in contravention of Art. (8)(1)(f) of the DPJL 2018. 10.

10 FINDING 1: Breach of Art.8(1)(f) of the DPJL 2018

• Art . 8 (f) of the DPJL 2018 sets out. A controller must ensure that the processing of personal data in relation to which the controller is the controller complies with the data protection principles, namely that data are processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”) b. The complainant’s special category data was shared with her mother, who attended a meeting with the complainant and the complainant’s daughter.
• The complainant’s mother was not aware of this sensitive information, and as a result, it has caused the complainant and her mother significant distress.

FINDING 2: Contravention of Art 9 Lawful processing of the DPJL 2018

• The complainant did not provide explicit consent for the special category data being shared with her mother.
• CYPES did not have a lawful basis for sharing the special category data with the complainant’s mother.
• Art.9 of the DPJL 2018 sets out: (1) The processing of personal data that would otherwise be lawful is lawful for this Law only if it meets at least one of the conditions specified in Schedule 2. (2) However, in the case of any processing of data that includes special category data, it must meet at least one of the conditions mentioned in Part 2 of Schedule 2. d. The special category data was disclosed by the meeting host to clarify to whom the information related, as it was not clear in the notes provided in the referral paperwork. Sanctions and Orders

1.  During the investigation, evidence was gathered, which highlighted and supported the complainant’s statement that “our whole world has been ripped apart”, which caused them very real distress.
2. Considering the above factors, the Authority issued a formal reprimand and made several orders pursuant to Art 25(3) of the DPAJL 2018 (see paras 4 and 5)
3. The Authority considered the range of sanctions available and decided that a public statement was appropriate, noting the particular challenges in terms of the nature of the work and resources available to the controller.
4. The orders were reviewed and completed to an appropriate standard and within the timeframe required by the Authority.
5. The Authority continues to work with CYPES, providing advice and guidance, and ongoing supervision to ensure continuous improvement and development of their data protection procedures. Lessons Learned.
6. Special category data (including health data) are afforded higher levels of protection, as demonstrated within the DPJL 2018, reflecting the harm and distress that can result from sharing that information where there is no lawful reason for doing so. Where organisations do not take their legal responsibilities to protect such data seriously or where they are negligent in their responsibilities, consideration will be given to the appropriate sanction (including the issuing of a fine, where available).
7. Any individual, within an organisation, processing special category data on a day-to-day basis as part of their role must possess the necessary skills, experience, and have undertaken appropriate training to allow them to fulfil their duties.
8. Processes relating to records management and the processing of special category data must be robust and fit for purpose, ensuring the data is captured correctly and protected appropriately during every step of that process.

Sources

• Read the full Public Statement https://jerseyoic.org/media/f4op10jc/joic_public-statement_22-9-25.pdf.
• https://jerseyoic.org/news-articles/public-statement-v2/authority-issues-public-statement-to-department-for-children-young-people-education-and-skills/