A laser hair removal company which "deliberately" shared a customer's information with their boss during a row over an unpaid bill has been slapped by the island's data protection authority.
A director of JRSY Laser Ltd wrote to the customer's employers, giving full details of the treatment and informing them of the disagreement over payment.
The director had earlier warned the customer that they would share the information with the customer's bosses if they failed to settle the bill, according to a public statement by the Jersey Office of the Information Commissioner.
The JOIC found that the director "deliberately and purposefully" shared information knowing that it would "likely cause them distress, upset and embarrassment".
Following an investigation, which began in September 2021, the JOIC concluded that the firm had breached the Data Protection Jersey Law.
It also found that JRSY Laser Ltd had breached the law by failing to register with the authority and not paying a registration fee, and by failing to have policies in place detailing how customers' personal data would be processed.
In its public statement, the JOIC said: "A victim impact statement was given by the Data Subject [customer] who outlined the very real distress that had been caused by Director A’s actions.
"They were embarrassed by their employer knowing information about their health and this disclosure caused the Data Subject to consider moving to another job.
"JRSY Laser showed insufficient appreciation of the significance of some of the problems arising from the sharing of the Data Subject’s personal data and tended to minimise the significant effect the processing had on the data subject.
"Director A deliberately and purposefully shared the Data Subject’s information knowing that it would likely cause them distress, upset and embarrassment."
Issuing a formal reprimand and making orders for the firm to complete registration with the authority and update its processes for staff, the JOIC warned: "The Authority wishes to make its position clear that any vindictive behaviour on the part of a controller [business] towards a data subject (including the issuing of threats to release personal information should certain actions not be complied with) will be viewed with utmost seriousness and is viewed by the Authority as a significant aggravating factor.
"Accordingly, any controller tempted to behave in a similar way is put on explicit notice that the Authority will have no hesitation in issuing an administrative fine in similar circumstances, should they arise."
The authority said there were three key 'lessons learned' from the breaches by the hair removal firm:
You can read the full public statement and findings of the JOIC HERE.
JRSY Laser Limited trades as Jersey Laser Clinic. The company’s clinic is located at The Wellness Centre, Castle Quay.
The company runs the following websites:
JRSY Laser Limited is not associated with Naidu Medical Services which trades as The Laser Centre Jersey.