Guernsey’s Civil Service: A Catalogue of IT Failures and Negligence
The recent public statement by the Data Protection Authority1 regarding the catastrophic failure of Guernsey’s government IT systems should send shockwaves through the island’s administration. The Policy & Resources Committee (P&R), as the ultimate authority responsible for the infrastructure in question, has been found in breach of data protection law due to its blatant disregard for basic operational safeguards. The implications of this failure stretch far beyond the immediate disruption caused—it is a damning indictment of systemic incompetence at the highest levels of the civil service because the reality is that it was senior management within the Island’s Civil Service who were to blame. P&R take the blame because the Controller is the Policy & Resources Committee.
A Failure Foretold
This was not an unforeseeable incident. The cause of the failure—overheating in a server room due to air conditioning failure—had been flagged as a risk well before the event. P&R was warned about the vulnerability of the cooling system at Sir Charles Frossard House but chose to do nothing. This neglect set off a chain reaction, resulting in the loss of critical IT services between November 2022 and January 2023.
The Authority’s inquiry concluded that the failure of the air conditioning system was just one of multiple technical and monitoring failures. However, rather than taking responsibility, P&R / CS allowed the situation to deteriorate until it culminated in an IT crisis that directly impacted access to personal data and essential government services.
As Deputy Helyar mentioned recently:
“Our management caused, through its ineptitude, several million pounds’ worth of computer equipment to be destroyed and came within a hair’s breadth of losing all States data… Someone senior has to be held responsible for that.”
No Disaster Recovery Plan – An Unforgivable Oversight
Perhaps more shocking than the air conditioning failure itself was the revelation that there was no IT disaster recovery plan in place at the time. The very purpose of such a plan is to ensure continuity of service in the event of unforeseen failures, yet P&R / CS failed to implement even the most basic safeguards. The absence of a plan significantly prolonged the outages and exacerbated the disruption to public services. This is a textbook example of poor governance: foreseeable risks were ignored, and no contingencies were in place when those risks materialised.
The Authority has determined that these failures constitute a clear breach of Section 41 of The Data Protection (Bailiwick of Guernsey) Law, 2017. This law mandates that organisations handling personal data must take reasonable steps to ensure the ongoing confidentiality, integrity, availability, and resilience of their processing systems. One may argue that P&R’s negligence in this regard was total – but it is clear that the real failure was that of senior management in our civil service. As usual the politicians carry the can for CS failures.
Marking your own homework may yield good grades, but it does little to prepare you for real challenges.
A Toothless Response to Systemic Incompetence
Despite the severity of these breaches, the only consequence was a formal reprimand. The Authority’s public statement notes that had P&R failed to implement remedial actions, a more severe sanction would have been imposed. But why should such a failure need to be rectified only after disaster has struck? In the private sector, an IT outage of this magnitude—resulting from such clear and repeated failings—would have led to high-level dismissals. Yet, within Guernsey’s civil service, there is no accountability. Those responsible for this debacle continue in their roles, as if their failure to uphold basic IT security and governance standards is just another bureaucratic misstep.
Lessons That Should Have Already Been Learned
The findings from this investigation highlight a broader culture of complacency within Guernsey’s government. If warnings about a known risk can be so casually ignored, and if a disaster recovery plan is considered an optional extra rather than a fundamental necessity, what other systemic vulnerabilities are being overlooked?
There are clear lessons to be drawn from this scandal:
- Preventative Maintenance is Essential – The failure to maintain critical infrastructure, despite clear warnings, is inexcusable. Government departments must adopt a proactive approach to risk mitigation, rather than waiting for disasters to occur.
- Disaster Recovery Planning is Non-Negotiable – IT resilience should be a cornerstone of public sector digital strategy. That there was no existing recovery plan in place for these systems is a damning oversight that should never be repeated.
- Accountability Must Be Enforced – A reprimand is little more than a slap on the wrist. Those in senior management who ignored repeated warnings and failed to ensure basic IT governance should be held accountable for their inaction.
- Security and Resilience Require Continuous Investment – IT systems are not static; they require ongoing investment, updates, and monitoring. Cutting corners on IT resilience leads to far greater financial and operational costs when failures inevitably occur.
A Public Disservice
The Data Protection Authority’s findings make it abundantly clear that Guernsey’s civil service, under the leadership of P&R, has failed the public. The sheer scale of the negligence exposed in this report should lead to wholesale changes in how IT systems are managed across the States of Guernsey. Yet, unless there is real accountability, the same mistakes will be made again and again.
It is not enough to belatedly implement safeguards only after a major incident. The public deserves competent management of critical infrastructure, not an administration that only acts once a crisis has exposed its failures. Guernsey’s civil service should be leading by example when it comes to IT governance and security. Instead, it has shown itself to be unfit for purpose.
This IT outage was entirely avoidable. That it happened at all is a disgrace. That no one has been held accountable is an even greater scandal.
That will continue until the civil service (who we pay) have proper, effective, external oversight. Marking your own homework may yield good grades, but it does little to prepare you for real challenges.
That is why a Public Services Ombudsperson is so desperately needed. We simply cannot afford to continue as we are.