Revenue Service reprimanded for data breach
Guernsey's Revenue Service has been reprimanded for mistakenly sending personal information to an incorrect email address.
The Office of the Data Protection Authority (ODPA) said the mistake involved personal data of people who owed money to the Committee for Health and Social Care.
An ODPA investigation found Revenue Service staff failed to follow its policy that emails containing personal data should be sent using a specialised secure platform.
It said the Revenue Service had since implemented "robust measures" to ensure an enhanced version of the secure platform was installed on employee computers.
The ODPA said if the email had been sent using the secure platform, the unintended recipient's access could have been immediately revoked.
The Revenue Service suffered a similar breach in 2022.
"Had the Revenue Service acted upon what was revealed from earlier breaches, that some staff were failing to comply with this policy, there would have been additional measures in place to mitigate the impact of this personal data breach," the ODPA said.
Policies must be followed
The ODPA said the incident highlighted the importance of monitoring the effectiveness of security measures in response to breaches.
"While the Revenue Service had previously taken several steps towards ensuring the security of personal data, security safeguards against breaches are a dynamic rather than static responsibility," the ODPA said.
"It is not sufficient to just have policies and procedures in place, they must be followed, monitored and updated as new security risks are revealed.
"This is especially relevant in the digital era where technological risks are a persistent and continuously evolving reality."