Data breaches involving the States of Jersey Police over the last 5 years

​​Request 733180849

Please provide the following information relating to data protection or data regulation breaches involving the States of Jersey Police over the past five years (January 1, 2019 – present):

1. How many instances of confirmed data breaches or data protection regulation violations have been identified?

2. Please provide a breakdown of the types of breaches (e.g. unauthorised disclosure, loss of data, unauthorised access, inappropriate sharing, failure to redact, etc.).

3. How many breaches were the result of: human error, system failure, malicious or unauthorised access, other causes

4. For each breach (or category of breach), please indicate: any disciplinary action taken, any remedial action (e.g. training, policy revision, system changes)

5. Were any officers or staff members responsible for more than one breach?

6. Were any breaches classified as systemic or resulting from organisational policy failures?

7. How many of the breaches were publicly reported or resulted in press statements or formal reports?

Response

The States of Jersey Police (SoJP) take data protection extremely seriously and maintain rigorous standards in recording and managing all known data breaches. Our approach is fastidious: every known data breach, regardless of severity, is logged and reviewed to ensure transparency and continuous improvement. The figures provided include even minor breaches—such as emails sent to the wrong police colleague, which are recorded in line with our commitment to thoroughness and openness.

All officers and staff receive regular, comprehensive training in data protection principles and practices. This ensures a strong culture of awareness and accountability across the organisation.

Despite these measures, it is inevitable that some breaches will occur, particularly in complex and busy operational environments. 

Data has been provided for breaches involving staff or physical assets only. SoJP neither confirm nor deny the existence of any cyber breaches. Article 10(2) (Neither confirm nor deny), Article 27 (National security) and Article 42 (Law enforcement) Freedom of Information (Jersey) Law 2011 apply and a response to this part of the request is declined. 

1-2. Please see attached Table 1.

Freedom of Information response 733180849 - Attachment.pdf​

3. Please see attached Table 2.

Freedom of Information response 733180849 - Attachment.pdf​

4. Please see attached Table 3. Where numbers are small, disclosure control has been applied to protect the privacy of individuals. Numbers fewer than five are represented as ‘<5’. Article 25(2) of the Freedom of Information (Jersey) Law 2011 has been applied.

Freedom of Information response 733180849 - Attachment.pdf​

A force wide awareness campaign has been conducted to highlight the need to recognise a data rights request. Additional technical controls have been implemented to enhance SoJP’s audit function. 

5. Yes. All of which were classified as human error. 

6. States of Jersey Police can confirm that no breaches were classed as systemic or resulting from organisational policy failure. 

7. States of Jersey Police can confirm that between 1st January 2019 – 4th August 2025 nine breaches were reported to the Jersey Office of the Information Commissioner. There have been no breaches publicly reported or reported in press statements. 

Articles applied

Article 10 - Obligation of scheduled public authority to confirm or deny holding information

(2) If a person makes a request for information to a scheduled public authority and –

(a) the information is absolutely exempt information or qualified exempt information; or

(b) if the authority does not hold the information, the information would be absolutely exempt information or qualified exempt information if it had held it, the authority may refuse to inform the applicant whether or not ​it holds the information if it is satisfied that, in all the circumstances of the case, it is in the public interest to do so.

Article 25 - Personal information

(2) Information is absolutely exempt information if –

(a) it constitutes personal data of which the applicant is not the data subject as defined in the Data Protection (Jersey) Law 2018; and

(b) its supply to a member of the public would contravene any of the data protection principles, as defined in that Law.

Article 27 - National security

(1) Information which does not fall within Article 26A(1) is absolutely exempt information if exemption from the obligation to disclose it under this Law is required to safeguard national security. 

(2) Except as provided by paragraph (3), a certificate signed by the Chief Minister certifying that the exemption is required to safeguard national security is conclusive evidence of that fact.

Article 42 - Law enforcement

Information is qualified exempt information if its disclosure would, or would be likely to, prejudice –

(a) the prevention, detection or investigation of crime, whether in Jersey or elsewhere;

(b) the apprehension or prosecution of offenders, whether in respect of offences committed in Jersey or elsewhere;

Public interest test

As Article 42 is a qualified exemption, there is a requirement to undertake a public interest test. 

Factors favouring disclosure: It is in the public interest to know if there have been data breaches as a result of system failures. The public need to be reassured that their police force has adequate systems in place to maintain fully functioning despite the ever-present threat of cyber-attack.  

Factors against disclosure:  Were any details to be disclosed, the cyber resilience of the States of Jersey Police could be compromised. A cyber-attack on SoJP can have serious and far-reaching consequences, affecting public safety, trust, and operational continuity. 

On balance, it is believed those factors against disclosure outweigh those for.​