Request
Please tell me, each year for the past five years:
A
How many data protection breaches have there been in the Health and Social Services Department?
B
The type of information and number of records
C
The circumstances of the data loss / release / corruption
D
i) Whether the breach was reported to the Information Commissioner
ii) What action, if any, the Information Commissioner took
Response
A to C
The table below outlines the number of data breaches per year in the Health and Social Services. Each breach has been aligned to one of the eight Data Protection principles in order that the circumstances of the breach be shown:
| 1 | 0 | 0 | 0 | 0 | 0 |
|---|
| 2 | <5 | 0 | 0 | 0 | 0 |
|---|
| 3 | 28 | 52 | 32 | 31 | 11 |
|---|
| 4 | 33 | 34 | 51 | 48 | 33 |
|---|
| 5 | 0 | <5 | 0 | 0 | 0 |
|---|
| 6 | 0 | 0 | 0 | 0 | <5 |
|---|
| 7 | 13 | 17 | 23 | 11 | 20 |
|---|
| 8 | <5 | <5 | 0 | 0 | 0 |
|---|
Please note that the data above has been gathered from the internal reporting system and is based on all types of records held within Health and Social Services. These include medical records, social services records, first response records, and pharmacy records and so on. Each instance shown above represents one record.
Please also note that due to the small numbers represented above, Article 25 of the Freedom of Information (Jersey) Law 2011 has been applied and numbers are shown as fewer than 5 (<5). This is to protect the privacy of individuals.
*The Data protection Principles are as follows:
| 1 | Personal data shall be processed lawfully and fairly |
|---|
| 2 | Personal data shall be obtained only for one or more specified purposes, and shall not be further processed in a manner incompatible with that purpose or purposes |
|---|
| 3 | Personal data shall be adequate, relevant and not excessive in relation to the purpose that it was collected |
|---|
| 4 | Personal data shall be accurate and, where necessary, kept up to date |
|---|
| 5 | Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes |
|---|
| 6 | Personal data shall be processed in accordance with the rights of data subjects under this law |
|---|
| 7 | Appropriate technical and organisational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data |
|---|
| 8 | Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data |
|---|
D
In the years between 1 January 2014 and 30 November 2017, six breaches have been reported to the Information Commissioner’s Office. Less than five enforcement notices have been issued by the Office of the Information Commissioner.
All other breaches have been managed internally and the Health and Social Services Department continuously reviews procedures and policies to seek improvement.
Exemptions applied
Article 25 Personal information
(1) Information is absolutely exempt information if it constitutes personal data of which the applicant is the data subject as defined in the Data Protection (Jersey) Law 2005.
(2) Information is absolutely exempt information if –
(a) it constitutes personal data of which the applicant is not the data subject as defined in the Data Protection (Jersey) Law 2005; and
(b) its supply to a member of the public would contravene any of the data protection principles, as defined in that Law.
