Children's services reported 95 data breaches over four years, seven late to regulator
- Children and family community services recorded 95 data breaches between 2022 and 2025, with numbers rising from seven in 2022 to 33 in both 2024 and 2025
- Seven of the 95 breaches met the threshold for mandatory reporting to the data protection regulator, with most reported within the statutory 72-hour deadline
- One breach in 2024 was reported 21 days late, the longest delay in the four-year period covered by the freedom of information request
- Health and Social Care said delays were caused by the need to accurately assess breach severity and gather complete information before notification
- Staff receive regular data protection training, and the committee emphasised that breach numbers represent a small proportion of thousands of interactions processed annually
Children and family community services recorded 95 personal data breaches between 2022 and 2025, with seven incidents reported to the data protection regulator beyond the statutory 72-hour deadline, according to information released under the freedom of information regime.
The figures, provided by Health and Social Care in response to an FoI request, show an increase in recorded breaches over the four-year period, though the majority did not meet the threshold for mandatory reporting to the Office of the Data Protection Authority (ODPA).

In 2022, seven personal data breaches were recorded by the children's and family community service. Two met the threshold for mandatory reporting to the ODPA. The first incident was reported within 72 hours, whilst the second was reported within six days.
The following year saw a rise, with 22 breaches recorded in 2023. Only one met the requirement for reporting to the ODPA and was submitted within nine days of discovery.
Both 2024 and 2025 recorded 33 breaches each. In 2024, two incidents required notification to the ODPA, with one reported 21 days after discovery and the second within four days. During 2025, two breaches met the reporting threshold, with one reported within seven days and the other within 72 hours.
Of the 95 total breaches across the four years, only seven required reporting to the regulator due to their severity.
Under the Data Protection Law, controllers must provide written notice of a breach to the ODPA as soon as practicable and no later than 72 hours after becoming aware of it, unless it is not practicable to do so.
This requirement does not apply where the breach is unlikely to result in any risk to the significant interests of the data subject.
The committee stated that delays in reporting beyond the 72-hour period were due to additional time required to accurately identify the nature, scope, and impact of breaches.
Initial information was insufficient to determine whether incidents constituted notifiable personal data breaches, according to the response.
The delays resulted from technical investigation constraints, reliance on third-party information, and the need to ensure that any notification submitted was complete, accurate, and not misleading, the committee said.
The committee emphasised that not all personal data breaches are severe in nature.
Examples provided included the shredding of a document that subsequently needs to be replaced to maintain accurate records, or an internal email being inadvertently sent to the wrong healthcare professional.
Incidents of this type do not necessarily meet the threshold for notification to the ODPA, according to the response.
The committee stated that breach numbers must be considered in context, noting that the controller processes and manages thousands, and in some cases tens of thousands, of interactions, transactions, and communications each year.
Against this substantial volume of activity, the number of breaches represents a very small proportion of overall processing activities, the committee said.
The controller places significant emphasis on ensuring that all staff understand and comply with their data protection responsibilities, according to the response. Employees receive regular data protection and information governance training designed to promote awareness of applicable legal and regulatory requirements, reinforce good data handling practices, and ensure that staff are equipped to identify and appropriately respond to potential risks.
This training is supplemented by internal policies, procedures, and guidance, which are periodically reviewed and updated to reflect evolving legal obligations and operational requirements.
The committee stated that the controller takes its data protection obligations extremely seriously and is committed to maintaining the confidentiality, integrity, and security of personal data.
Data protection considerations are embedded within the controller's governance framework and operational processes, with appropriate technical and organisational measures implemented to safeguard personal information.
Where incidents or concerns are identified, they are investigated promptly, lessons are learned where appropriate, and remedial actions are taken to reduce the likelihood of recurrence, the committee said. The controller remains committed to continuous improvement in its data protection practices and to ensuring compliance with applicable data protection legislation.
Q&A
Q: How many data breaches did children's services record between 2022 and 2025?
A: A total of 95 personal data breaches were recorded over the four-year period, rising from 7 in 2022 to 33 in both 2024 and 2025.
Q: How many breaches required reporting to the data protection regulator?
A: Only 7 of the 95 breaches met the severity threshold requiring mandatory notification to the Office of the Data Protection Authority.
Q: What is the legal deadline for reporting data breaches?
A: Under the Data Protection (Bailiwick of Guernsey) Law, 2017, controllers must report breaches to the ODPA as soon as practicable and no later than 72 hours after becoming aware of them, unless the breach is unlikely to result in risk to data subjects.