JRSY Laser fined by regulator in landmark case after data breach and 'threatening' former worker

Channel
Jersey
Employment
Data breach
Wednesday 19 March 2025 at 2:43pm

It is the first time the regulator has imposed a fine on a company. Credit: Jersey Office of the Information Commissioner and Canva

A Jersey laser clinic has been charged £500 after inappropriately sharing information about an employee who had resigned.

An unnamed director at JRSY Laser Limited, based in St Helier, informed other members of staff via email about the reasons why the worker had left and details of a dispute.

The director made "insulting comments" in this message and also threatened to share the employee's personal information with a third party.

The former worker says they felt "threatened, embarrassed and hurt by the content of the email shared with the JRSY Laser staff" and was left with "emotional distress, anxiety and low self-esteem".

The regulator says JRSY Laser believed it was appropriate to share the email with other members of staff as they considered the team a "family" and the director felt the rest of the workers had a right to know.

However, the Authority concluded that whilst sharing information about the employee leaving was acceptable, "there was no reason to share any other information about their departure and circumstances surrounding it".

The regulator added: "This was excessive and there was no lawful basis (legitimate reason) for doing this."

During the investigation, it also came to light that JRSY Laser had not complied with certain aspects of the Data Protection Jersey Law 2018.

Following the company's "almost identical" complaint in 2023, the regulator summarised that JRSY Laser "still showed a general lack of compliance and understanding of their obligations under the Law".

JRSY Laser are the first company to receive a fine from the island's Data Protection Authority. Credit: Jersey Office of The Information Commissioner

In a victim statement, the affected employee "outlined the very real distress that had been caused by Director A’s actions".

Concluding their reasons, the Authority said: "It is unacceptable to threaten individuals with disclosure of their personal information to try and settle disputes that may have arisen between the parties.

"The Authority wishes to stress that when an organisation has already been subject of an investigation, orders and a Public Statement issued, if that organisation then repeats that behaviour (indicating that lessons have not been learnt), the Authority will not hesitate to increase the severity of its sanction, including issuing a fine if appropriate.

"It is of the utmost importance that organisations understand that the Authority will be robust in their approach if previous involvement and enforcement have been ignored and/or dismissed."

Want a quick and expert briefing on the biggest news stories? Listen to our latest podcasts to find out What You Need To Know...