Copyright jerseyeveningpost
This week’s news that the Island’s financial services watchdog has escaped any fine for breaching the data protection law – by revealing the details of nearly 67,000 individuals on a confidential register – has come as a timely reminder. A reminder not of the importance of conducting thorough checks, particularly when in a position of such authority as the JFSC – but rather that public authorities, such as Government departments, the Parishes, regulators and many other so called “arms-length organisations” are not able to be fined when they get it wrong. In this case the Information Commissioner was clear – the nature of the breach was likely to have warranted a fine, but they are not able to take that step with a public authority. For them, just being publicly named is deemed to be sufficient, although they may also be ordered to make changes to their system. There will be a few in the private sector who will read that sentence with more than a rueful shake of the head. Unlike in the UK, public authorities here are protected from fines, presumably because such a penalty would be seen as “rubber dollars” – ultimately, one public authority would be fining another public authority, with the fine eventually being paid by islanders. But does that argument still hold water when it is public authorities who probably hold the most, and the deepest, data about us? If you consider some of the most sensitive data which could be disclosed, well, it probably exists somewhere on a public authority’s database – and if, as happened in this case, a software issue results in it being exposed…well the only sanction is to be named in the pages of this newspaper. As the number of “public authorities” has grown, so has the problem – should that definition include bodies with independent boards, and the means of raising significant amounts of revenue from their customers? The point here is not to focus specifically on the JFSC, or what happened in their particular case; what it has done is to bring to light an apparent anomaly in the law which needs a rethink. There are other examples of where a public body is not held to the same rules as a private one, and each time one surfaces, it creates an unnecessary perception of double standards. We need little reminding now that our data is sensitive, whoever holds it; and all should be subject to the same standards and sanctions.
