Statement regarding data breach by the Parish of St Helier
Tuesday 22 August 13:01
The Office of the Information Commissioner has now concluded its enquiries relating to complaints regarding a data breach by the Parish of St Helier during the afternoon of Friday 14th July 2017.
‘The breach related to an email sent to St Helier ratepayers in which the email addresses of all recipients were included, and therefore disclosed. It is apparent that the recipients’ emails were erroneously entered into the ‘cc’ box rather than the ‘bcc’ box,’ said Jersey’s Information Commissioner, Emma Martins.
‘We have now agreed, with the Parish, on a number of recommendations to improve procedural controls in this area of data processing. This includes a review of practices connected to all email communication with parishioners, as well as further training of staff and provision of instruction and guidance on maintaining security of individual email addresses. We can confirm upon completion of our enquiries that we have determined this incident as a case of individual human error in failing to prevent the disclosure of group email addresses of other recipients.
‘In concluding our enquiries, we can confirm that we consider the Parish, acting as data controller, took timely and appropriate measures in response to the breach. Contact was made with this office immediately the incident came to light and we have had full co-operation since that time for which we are grateful. This incident has been recorded on our systems as a self-reported data breach and will remain on file referenced to the data processing activities of the Data Controller. It does serve to highlight the risk all organisations face when handling personal data and reinforces the importance of tight policies and procedures as well as staff training and awareness,’ concluded Mrs Martins.