Top CI retailer scolded by data watchdog

Thursday 19 August 2021

The Channel Islands' largest retailer has been scolded by Guernsey's data watchdog for failing to properly comply with an individual's request for the data held about them by the company.

Individuals are legally entitled to make requests for a copy of all personal data held by a company or entity - known as a 'right of access request'.

Sandpiper CI received one such request on 30 June 2020, which Guernsey's Data Protection Authority ruled yesterday was not properly handled in line with the law.

An investigation by the authority confirmed that Sandpiper CI failed to:

• respond to the request within the designated one-month period,
• did not notify the requester of their reasons for not complying with the request,
• and did not advise them that there was a right to complain to the authority, and right to take civil action.

Pictured: Section 27(4) of the Law provides for the application of a two-month extension on the condition, as long as that decision is communicated to the requester along with the reasons for the extension within the designated period.

The nature of the request required Sandpiper CI to access archived information, the retrieval of which was not straightforward.

The authority's formal judgment elaborated: “The reason for the delay in the request was that the Controller had not searched in archived material in its initial response to the request. Upon being notified that the response was incomplete, this became apparent and further searches were required to fulfil that request.

“Had the Controller had a more robust data governance structure in place, allowing it to easily recognise the fact that archived material fell within the scope of the request, it is likely a breach of this nature could have been either avoided or mitigated.”

The Bailiwick’s Data Protection Commissioner, Emma Martins, commented: “This case highlights the importance of controllers knowing exactly where the personal data they are legally responsible for are located.

“Archived data has as much capacity for harm as other forms of data and needs to be part of the overall data governance framework of any organisation. We are grateful for the full cooperation of the Controller in this case and hope it serves to remind us all to be prepared to respond to rights requests from individuals.

“The right of access, as exercised in this case, is a very important part of the data protection law and individuals seeking access to information about themselves have the right to expect timely and complete responses.”