Jersey's Information Commissioner has released a statement criticising the government's planning department for twice breaching the Data Protection Law.
It published the health information of a vulnerable child in a planning application and went on to do it twice more after being told to take it down.
An investigation found that the Department failed to comply with the integrity and confidentiality principle of the law and failed to make sure it had the appropriate data security measures in place.
Health data has a higher level of protection in the law, given the harm and distress that a breach can cause.
The Jersey Data Protection Authority says where organisations don't take their legal responsibilities seriously or fail to take proper care, the appropriate sanction will be taken.
The department did take down the relevant data relating to the first breach, but then uploaded the application with the same health details twice more.
"The JDPA has determined that, on balance, the circumstances of this case were grave enough to warrant a public statement, and had the JDPA not been prevented by law from imposing a fine due to the Controller being a Public Authority, the JDPA would have considered a fine in these circumstances." - Jacob Kohnstamm, JDPA Chair.
It's the first time the Commissioner has released a statement to a public authority.
"All data controllers and processors have significant obligations in law to be accountable and provide appropriate security for the personal data they are entrusted with.
"This is particularly important when the organisation concerned is a Public Authority, as building the trust and confidence of the Jersey public in Government data handling activities is paramount." - Paul Vane, Deputy Information Commissioner.
Under the 2018 law, the Information Commissioner can investigate, collect evidence and impose a range of sanctions. That can include a warning, a public statement, and a financial penalty.
In a statement, the government says it accepts the Commissioner's decision.
"The department is acutely aware of its obligations under the JDPL and accepts the decision of the Commissioner. In dealing with the many thousands of documents which are processed and published each year, errors were made which resulted in the inadvertent publication of private information. The department has apologised unreservedly to the individual for this error and will undertake the training and process updates required by the Commissioner."