Jersey's planning department failed to meet legal duty to protect personal data

An investigation into two breaches of the data protection law by the Government of Jersey's planning department has found it has failed to meet its legal obligations to protect personal data.

It comes after sensitive health information of a vulnerable minor was disclosed on the online registry of planning applications.

The Information Commissioner found it had failed to comply with the "integrity and confidentiality principle of the law", and did not have appropriate measures in place to ensure the security of the data it processes.

Health data is given higher levels of protection due to the harm and distress that can result from a breach. The Jersey Data Protection Authority says where organisations are negligent or do not take their legal responsibilities seriously, they could be fined.

The JDPA says while the department cooperated and removed the data relating to the first breach, the information was then uploaded to its online public registry again on two further occasions whilst still containing "insufficient redaction".

The JDPA says it would have considered issuing a fine if the law did not prevent this due to the planning department being a public authority.

The Deputy Information Commissioner Paul Vane says data controllers have "significant obligations in law to be accountable and provide appropriate security for the personal data they are entrusted with".

In a Statement the Government of Jersey says the department will undertake the training and process updates required and has apologised.