A freedom of information request asked how many data breaches there had been in the past four years following the export of Islanders’ information to providers based outside Jersey.
According to the response, there was a data breach in December 2016 by a ‘data processor in a third country’ which maintains and supports Jersey driving licence and vehicle registration databases.
‘Under the standard procedure data is sent in a pseudonymised format (ie in a way that cannot be attributed to a specific individual),’ the response says.
‘On this occasion, data related to approximately 80,000 driving licences and 125,000 vehicle registrations was exported to the secure data processor without pseudonymisation.’
The response adds that the error was quickly identified. Access to the States databases by the contractor was ‘immediately suspended’ and the personal data was pseudonymised within 12 hours. It also states that there was no loss of personal data, as it was only sent to the secure data processor and ‘no negative impact on any individual has been identified’.
The Information Commissioner was notified shortly after the incident and has been kept updated.
‘Given the swift and appropriate action taken, no sanction has been imposed by the Information Commissioner and since there was no risk of personal data loss, this was not publicly communicated at the time,’ the response says.
The response also states that work is currently under way to collate and review all existing data processing arrangements to ensure they are ‘sufficiently robust’ to meet the requirements of the Data Potection(Jersey) Law 2018, which includes a focus on ensuring there are suitable safeguards with data
processors based outside Jersey.