Guernsey's Health Committee criticised after taking months to share news of 'high risk' data breach

Guernsey's Health and Social Care Committee took 52 days to notify the island's Data Protection Authority of the data breach. Credit: Claudio Schwarz / Unsplash

Guernsey's Health and Social Care Committee (HSC) has been reprimanded by the island's Data Protection Authority after significant delays in reporting a "high risk" personal data breach.

An investigation found that sensitive information about three people, including substance misuse, was inappropriately shared in December 2023.

It took HSC 52 days to tell the regulator - the law requires them to be notified within 72 hours - and between 50 and 62 days to inform the individuals whose data had been breached.

HSC says it needed longer than the 72-hour window to understand the extent of the data breach but the regulator believes this was not a valid reason to delay notifying them.

The group should also have written to those affected "as soon as it was practical", something the regulator says it did not do.

HSC says it needed to check contact details for two of the people before sending letters but the regulator concluded this was not done in a timely manner as required under the law.

Want a quick and expert briefing on the biggest news stories? Listen to our latest podcasts to find out What You Need To Know...