EARLIER this year, a computer expert came to Guernsey at his own expense to show representatives of Treasury and Resources’ Information Technology Unit that there was a security breach on the States election site leaving confidential personal information exposed.

He did so because he claimed that earlier contact with the States about the flaw had been ignored and so he sought the help of this newspaper in his acting as a whistle-blower.

Following discussion with the island’s data protection commissioner and the head of the States ITU, a demonstration went ahead and shocked the officials present to the point where they immediately deleted some files that were exposed.

The Guernsey Press cooperated with the officials over providing sufficient time for the breach to be rectified before any publicity was given to it – and Treasury and Resources responded by issuing a statement playing down the security lapse and attacking the man who highlighted it.

Now, however, following today’s publication of the data protection commissioner’s inquiry into the matter, it is clear that this was a major security incident – ‘severe’ was the expression used – and the States was very lucky that it was not more serious.

Moreover, although the earlier contact by the whistle-blower could not be verified – four years after the event that was hardly surprising – but another warning was definitely received from a different individual last year. And promptly ignored.

The detail of the inquiry will provide little comfort for islanders either. Not only did the professionals in the ITU fail to do the job for which they were paid, the error that caused the problem in the first place was mind-numbingly basic.

The investigation has highlighted substantial data protection deficiencies within the States as a whole, leading to six far-reaching recommendations for the Policy Council to act upon.

In addition, the review also found that yet again when serious issues of accountability occur, it is never clear where responsibility lies.

And in trying to clear up the problems that the whistle-blowing revealed, the report says that staff training and the unit’s expertise should be assessed and documented.

In other words, someone needs to check whether ITU is actually up to scratch.