Guernsey-based law firm fined over 11,000 Euros by the DPA, after sharing “highly confidential and sensitive” information via emails and post.
Trinity Chambers LLP sent private details about an individual and their family via emails and post, the Data Protection Authority (ODPA) found. The Office of the Data Protection Agency recently released a statement containing the details surrounding this case.
An investigation found that due to repeated human error, sensitive information about the data subject and their family was distributed.
Following a complaint made to the Authority under section 67 of the The Data Protection (Bailiwick of Guernsey) Law, 2017, an investigation was conducted under section 68. The complaint related to the alleged unauthorised disclosure of personal data as a result of repeated human error. According to the report, a lack of security had given “unconnected” third parties access to the data. The breach of data by Trinity was the result of “repeated human error”, the investigation uncovered. It was found that Trinity Chambers LLP sent files via email and in the post including highly confidential and sensitive personal information relating to the complainant and their family without appropriate security. This information was then unwittingly accessed by unconnected third parties who were totally unaware of the nature or sensitivity of the content.
Guernsey based law firm fined to reflect the gravity of the effect of data breach.
The Bailiwick’s Data Protection Commissioner Emma Martins said the ODPA was “disappointed” by the firm’s response. She went on to say “There is little evidence that the controller in this case engaged in a timely manner with the complaint or appreciated the impact of the breach on the individuals concerned.” She added that the fine aimed to reflect “the serious nature and impact of failing to look after personal data”, and its potentially “significant” impact in a small community.
The Firm was fined 11.2 thousand Euros for failure to safeguard personal data.
While the personal data involved did not constitute special category data as defined in the Law, it was highly sensitive and private for the individuals involved. As a result of the investigation, the Authority determined that Trinity Chambers LLP breached the Law in relation to the unauthorised disclosure of personal data to a third party. The Authority has fined Trinity Chambers LLP £10,000 to reflect the serious nature and impact of failing to look after personal data. The fine also reflects the lack of engagement by the controller and concerns that there has been a lack of appreciation of the potential wider impact of the breach for the individuals affected.
Trinity Chambers law firm has not appealed the decision, according to the ODPA.