Jersey Data Controller fines repeat offender for a breach

Data Controller: JRSY Laser Limited Registration No: 70645

1. The Data Protection Authority for the Bailiwick of Jersey (the Authority) has issued a fine to JRSY Laser Limited (JRSY Laser) in the sum of £500 (five hundred pounds Sterling)

Background

1. Following an investigation commenced on 27 March 2024 pursuant to Art.20 of the Data Protection Authority (Jersey) Law 2018 (DPAJL 2018),
   1. The Authority has determined that JRSY Laser has contravened Art.6(1)(a), Art.8(1)(a) and (b) and Art.9(1) of the Data Protection (Jersey) Law 2018 (the DPJL 2018).
2. A former employee of JRSY Laser (the Employee) contacted the Authority in March 2024 to complain about the processing of their information by JRSY Laser.
3. The Employee complained that
   1. One of the directors of JRSY Laser (Director A) had shared information about their employment terms and resignation, with other members of staff via email.
   2. In the email, Director A had also made insulting comments about the Employee.
   3. The other Director of JRSY Laser (Director B) was also included in the email.
4. As part of the investigation, JRSY Laser
   1. Were asked why they thought it was appropriate to share the email with other members of staff and
   2. They said that they considered their small team as a family.
   3. Director A felt the rest of the staff had a right to be included in the email.

The contraventions of the DPJL 2018

1. The Authority found that Director A shared information about the Employee leaving JRSY Laser’s employment (which included information about a dispute), to other members of JRSY Laser staff.
1. Whilst it was acceptable for the other members of staff to have been told that the Employee was no longer working for JRSY Laser,
2. There was no reason to share any other information about their departure and circumstances surrounding it.
3. This was excessive and there was no lawful basis (legitimate reason) for doing this.
4. The processing of the Employee’s information in this way was also incompatible with the original purpose for which it was collected.
5. The sharing of information was in contravention of Art.8(1)(a) and Art.8(1)(b) of the DPJL 2018.
2. During the investigation,
1. It also came to light that JRSY Laser were not in compliance with certain other aspects of the DPJL 2018.
3. Even though JRSY Laser had been told what was/was not appropriate on the previous occasion
1. (It had previously been subject to investigation of an almost identical complaint, and which had resulted in the issuing of a formal reprimand, Orders, and a Public Statement in December 2023),
2. The Authority found that JRSY Laser were not in compliance with certain other parts of the DPJL 2018.
3. They still showed a general lack of compliance and understanding of their obligations under the Law (having done the same thing they did previously) and t
4. His was a contravention of Art.6(1)(a) and Art.(9)(1) of the DPJL 2018.

Reason for the fine

1. Administrative fines must be:
   1. Effective
   2. Proportionate
   3. Have a deterrent effect
2. In deciding whether it was appropriate to issue an administrative fine in this case, the Authority gave weight to the following:
   1. This is the second time that JRSY Laser has been investigated by the Authority for a complaint about Director A sharing information with third parties without a lawful reason for doing so.
      1. In its Public Statement dated 5 December 2023, the Authority gave a specific warning that vindictive behaviour and threats to release personal data would not be tolerated and that any similar future behaviour would likely result in the issuing of an administrative fine.
   2. Notwithstanding this very clear warning,
      1. Not only did Director A share personal data with staff members when there was no lawful basis for doing so,
      2. They again made threats to share the Employee’s personal data with an unconnected third party (although did not do so on this occasion).
   3. The Authority considers it a significant aggravating factor in this case that
      1. Director A made a threat towards an individual, which they have been warned previously they must not do.
   4. JRSY Laser
      1. did not initially understand that information should only be shared with those who need it and
      2. did not understand how to identify and respond to a personal data breach.
      3. It is unclear why JRSY Laser should not have understood the Employee’s concerns, given
         1. The recent interaction with the Authority and the subsequent Orders made and
         2. Training received.
   5. JRSY Laser did not seem to appreciate or understand why the Employee was unhappy that other staff members were included in correspondence about their departure from the business.
      1. Whilst Director A initially offered to remove the Employee’s information from their systems, this was more a gesture rather than a genuine acceptance and acknowledgment of responsibility for inappropriately sharing the information.
      2. It was only at the point when Representations were invited, that JRSY Laser finally realised that a breach had occurred and accepted responsibility for what had happened.
   6. A victim impact statement was provided by the Employee.
      1. They outlined the very real distress that had been caused by Director A’s actions.
      2. They explained that they had suffered from emotional distress, anxiety, and low self-esteem, which had impacted on their confidence to carry out their work.
      3. They also reported feeling threatened, embarrassed, and hurt by the content of the email shared with the JRSY Laser staff because it was very negative about the Employee’s character.
3. In addition to the fine, the Authority also issued a formal reprimand.

Lessons Learned

1. Organisations
1. Must not share data inappropriately and
2. The appropriate lawful basis (the reason for sharing) must be identified in advance of any sharing taking place.
3. Do not share more than is needed for the stated purpose and only share it with those who need it.
2. It is unacceptable to threaten individuals with disclosure of their personal information to try and settle disputes that may have arisen between the parties.
1. Proper avenues are open to businesses to pursue employment related matters e.g. the Employment and Discrimination Tribunal or Royal Court of Jersey.
3. Finally, the Authority wishes to stress that
1. When an organisation has already been subject of an investigation, orders and a Public Statement issued, if that organisation then repeats that behaviour (indicating that lessons have not been learnt), the Authority will not hesitate increasing the severity of its sanction, including issuing a fine if appropriate.
2. It is of the utmost importance that organisations understand that the Authority will be robust in their approach if previous involvement and enforcement have been ignored and/or dismissed.

More Information

1. More information about how we regulate and enforce the DPJL 2018 can be found in our Regulatory Action and Enforcement Policy here
1. https://jerseyoic.org/media/l5sfz1s0/joic-regulatory-action-and-enforcement-policy.pdf

Source

https://jerseyoic.org/media/xx2exd5v/jdpa_public-statement_march-2025_website.pdf

https://jerseyoic.org/news-articles/public-statement-v2/authority-issues-public-statement-and-fine-to-jrsy-laser-limited/