Guernsey’s Revenue Service has received a reprimand for erroneously transmitting personal information to an incorrect email address. The Office of the Data Protection Authority (ODPA) indicated that the error concerned personal data of individuals who had outstanding payments to the Committee for Health and Social Care.

An inquiry conducted by the ODPA determined that personnel within the Revenue Service did not adhere to its policy mandating the use of a specialized secure platform for emails containing personal data. The ODPA reported that the Revenue Service has since put in place “robust measures” to guarantee the installation of an enhanced version of the secure platform on employee computers. The ODPA noted that had the email been transmitted via the secure platform, access for the unintended recipient could have been instantly withdrawn.

A comparable breach occurred at the Revenue Service in 2022. “Had the Revenue Service acted upon what was revealed from earlier breaches, that some staff were failing to comply with this policy, there would have been additional measures in place to mitigate the impact of this personal data breach,” the ODPA said.

The ODPA stated that the incident underscored the necessity of monitoring the effectiveness of security measures following breaches. The ODPA further stated: “While the Revenue Service had previously taken several steps towards ensuring the security of personal data, security safeguards against breaches are a dynamic rather than static responsibility.”

The authority added, “It is not sufficient to just have policies and procedures in place, they must be followed, monitored and updated as new security risks are revealed.

“This is especially relevant in the digital era where technological risks are a persistent and continuously evolving reality.”
