Prison system has no audit logs to track staff access to prisoner records

• Prison Information Management System has no audit logs to track staff access to prisoner records
• Guernsey Prison Service exploring new database with enhanced auditing capabilities as essential functionality
• Role-based access controls in place but no senior staff have unrestricted access to all records
• Suspected breaches investigated through information governance and disciplinary processes with Data Protection Team support
• Medical records managed separately by Health and Social Care Committee in different systems

Listen to this article

0:00

/0

1×

Guernsey's prison information management system does not maintain audit logs to track when staff access prisoner records, a freedom of information response has revealed.

The Committee for Home Affairs disclosed that the Prison Information Management System (PIMS) currently has no functionality to record which staff members view prisoner files, when they access them, or what actions they take.

The admission came in response to a detailed FOI request submitted in April 2026 seeking information about data governance practices within the island's prison system.

According to the response, published this month, the lack of audit trails means there is no automated way to detect or investigate potential unauthorised access to sensitive prisoner information.

The committee stated: "At present, there is no dedicated audit functionality within the current prisoner records database to routinely review officers' access to prisoner records."

However, officials said the Guernsey Prison Service is actively exploring the introduction of a new database system, with enhanced auditing capabilities identified as essential functionality that must be included.

The current system does employ some safeguards. Access to prisoner records is controlled through individual user logins and database permissions based on staff roles, designed to restrict access to only information officers need to perform their duties.

Senior staff, including governors, do not have unrestricted access and are subject to the same role-based permissions as other officers. The committee confirmed that no officers across the prison have fully unrestricted access to all records regardless of their seniority.

Despite the absence of audit logs, the Prison Service maintains that any suspected breaches or misuse of prisoner data are recorded and managed in accordance with organisational procedures and obligations under data protection legislation.

Where concerns about inappropriate or unlawful access are identified, they are investigated through established information governance and disciplinary processes, with support from the States of Guernsey Data Protection Team.

The FOI response also revealed that medical records are managed separately by the Committee for Health and Social Care in different healthcare systems, which may have their own auditing and monitoring controls. The Home Affairs Committee said this information falls outside its remit.

Prisoner records themselves are retained for six years from the date of last release from custody, though the PIMS system does not retain audit logs relating to access to these records.

On conflict of interest procedures, all prison staff are required to declare any personal relationship or connection with a prisoner both before and during their employment. Such declarations are risk assessed, with measures taken as needed to protect prison security and the welfare of prisoners and officers. This may include removing staff from any direct contact with individuals they know.

The committee stated that access to prisoner records is managed in accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017 and States of Guernsey policies. Role-based permissions are regularly reviewed to ensure they remain accurate and appropriate.

Hard copy records are physically secured with access limited to officers who require the information to perform their assigned duties.

All officers receive mandatory data protection training, whilst information security and confidentiality training is included in the induction programme for new employees. Mandatory e-learning modules on these topics are also rolled out across the States of Guernsey.

The FOI request was submitted on 14th April 2026 and the response was provided on 18th May 2026.

Q&A

Q: Does the Prison Information Management System track staff access to prisoner records?
A: No, the PIMS system does not currently maintain audit logs relating to access to prisoner records.

Q: Do senior prison staff have unrestricted access to all prisoner records?
A: No, senior staff including governors are subject to role-based permissions and no officers have fully unrestricted access to all records regardless of seniority.

Q: What is being done to improve auditing of prisoner record access?
A: The Guernsey Prison Service is actively exploring the introduction of a new database system with enhanced auditing capabilities identified as necessary functionality.