Copyright jerseyeveningpost
PUBLIC bodies including the government, parishes and JFSC could soon face fines for breaching data protection laws, an assistant minister has said in the wake of a major privacy lapse at the financial regulator. The existing law, which came into force in 2018, prevents the Jersey Office of the Information Commissioner levying fines against public sector bodies, and those which exercise public functions. But Assistant Economic Development Minister Moz Scott, who holds political responsibility for data protection, told the JEP there should be “consistency” between how public and private organisations are treated – a principle already in force in the UK. It comes after the Jersey Office of the Information Commissioner issued two public reprimands this week – one to the Jersey Financial Services Commission and the other to the Financial Services Ombudsman. The JFSC’s breach involved a system flaw allowing public access to a confidential register containing the names and addresses of nearly 67,000 people, though there was no evidence that this information had been used to the detriment of any individual on the register. The JOIC concluded that the nature of JFSC’s breach would have warranted initiating the process to consider an administrative fine. However, “as public authorities are not subject to such fines under the current framework, no further consideration was given to this”. Deputy Scott said her department was “currently exploring” updates to the data protection law, and that proposed changes to the legislation were expected to be put forward before the end of the current term of office. “I agree with the principle that there should be consistency. Public bodies should not be seen as not subject to the same sanctions as non-public bodies,” she continued. “The mechanics of it are being worked out – there are concerns that the money could just end up going round in circles and we also need to look at how it impacts on the balance sheets of those public bodies.” She added that it would be “useful” for the Information Commissioner to be able to issue fines to public bodies to “indicate the gravity of the offence”. “We certainly hope to be able to finish that work by the end of this term. There is a certain amount of negotiation and discussion going on because it affects different organisations but it is something we are progressing with.” The move is also backed by Economic Development Minister Kirsten Morel, who has previously spoken about the need for the Island’s data protection law to be reviewed and called for public bodies to be subject to the same punishments for large-scale breaches as private sector companies. There have been a number of other instances since the data protection law came into force where government departments and publicly-owned bodies have fallen foul of the law but could not be fined. In 2022, Children’s Services was issued a warning after sensitive personal details were disclosed during a conference call about child protection while in 2020, the Planning Department avoided a fine for publishing health information of a vulnerable child on three occasions.
