DATA PROTECTION OVERVIEW
The previous incarnation of Guernsey’s data protection legislation (the Data Protection (Bailiwick of Guernsey) Law, 2001) was based on the United Kingdom’s Data Protection Act 1998 and mirrored the European Union’s (EU) Directive 95/46/EC. Given the scope and importance of the EU’s General Data Protection Regulation (GDPR), Guernsey’s government revised the existing law to match what it saw as the new “global standard”.
Guernsey was recognised by the European Commission as an equivalent in 2003 (Opinion 02072/07/EN WP 141 and Opinion 10595/03/EN WP 79). Its adequacy decisions are in the process of being reassessed by the European Commission, in line with the review requirements of GDPR.
The Data Protection (Bailiwick of Guernsey) Law, 2017 (DPL) was therefore drawn up in consultation with the EU to maintain Guernsey’s adequacy status. The DPL was in the process of being finalised when the United Kingdom produced its draft legislation, and is similarly intended to be broadly equivalent. Since the DPL came into force, two Ordinances and several sets of Regulations have been passed to augment Guernsey’s DPL framework.
Although Guernsey is not part of the EU, the DPL is based around the same fundamental ‘data protection principles’ upon which the previous legislation was based. However, the scope and application of those principles have been expanded to reflect the globalisation and digitalisation that has occurred in the intervening period.
The DPL applies to the processing of personal data which is undertaken either wholly or partly by automated means and which forms part of a filing system. The processing must take place in the context of a “controller” or “processor” established in the Bailiwick, or relate to the processing of Bailiwick residents’ personal data outside of Guernsey (usually in relation to the offering of goods or services, or monitoring behaviour).
A “data controller” is a person who (either alone, or jointly with others) determines the purpose and the means of processing of any personal data. A “processor” can also be a “controller” if it also makes those determinations. However, an employee carrying out these functions on behalf of a “controller” is not considered to be a “controller” in their own right, merely by virtue of their employment.
Under the DPL, both controllers and processors must comply with the “data protection principles”, which are:
Lawfulness, Fairness and Transparency
- processing data lawfully, fairly and in a transparent manner
- collecting data for a specific, explicit and legitimate purpose and not further processing it in a manner which is incompatible with the original purpose(s)
- data collected is adequate, relevant and limited to what is necessary for the purpose(s) for which it is processed
- data is accurate and up to date; if data is inaccurate, it is erased or corrected without delay
- data is kept no longer than is necessary for the purpose for which it is processed
Integrity and Confidentiality
- data is processed in a manner which ensures its security, using appropriate technical or organisational measures
- having responsibility for, and the ability to demonstrate, compliance with the data protection principles
Whilst “Security” was listed as a “principle” under the old regime, it does not expressly appear as such under either the GDPR or DPL. It is instead a specific requirement under both pieces of legislation.
The “principles” are to be borne in mind whilst assessing the risks and practicalities of processing personal data. It is important to remember that they are not new concepts, rather their scope has evolved over time. In all cases, a lawful basis for processing has to be established, by reference to a processing “condition”, such as the consent of the individual whose personal data it is, fulfilling the terms of a contract, the legitimate interests of the controller, or the vital interests of the individual.
The definition of personal data under the DPL includes “any information relating to an identified, or identifiable, individual” and is sufficiently wide so as to include online identifiers, location data, identity codes and biometric data, for example.
“Processing” includes any operation carried out on personal data. This might be obtaining, holding, storing or recording data or carrying out operations such as disclosure, retrieval, consultation, organisation and ultimately erasure, or destruction, of the data.
Under the DPL, both controllers and processors established locally must be registered with the Data Protection Commissioner. Pure data processors that do not “control” data in their own right are not required to register.
Special Category Data (“sensitive personal data” under the old regime) attracts additional protection. It is data revealing an individual’s racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, health data, biometric data, sex life or sexual orientation, or criminal data (relating to the (alleged) commission of a criminal offence by an individual or any criminal proceedings).
Additional conditions must be satisfied prior to processing Special Category Data, such as: obtaining explicit consent and only using the data where necessary (fulfilling the pastoral care elements of an employment contract, to protect a data subject’s vital interests, or for legal proceedings, for example).
Collecting personal data
At the time of collection the data subject should be provided with a description of –
(a) what personal data is being collected;
(b) the purposes for which the data is being collected and processed, whether by or on behalf of the data controller;
(c) the recipients, or recipient classes, to whom the data will, or may be, disclosed;
(d) any countries or territories outside the Bailiwick to which the data controller, whether directly or indirectly, transfers, intends or wishes to transfer the data; and
(e) general technical and security measures that will be taken to keep the data secure.
This information should be provided within a separate privacy notice so that the data subject can make a clear, informed decision as to whether to proceed. A privacy notice should be provided by the data controller at each point of data capture, whether online, via a mobile handset, or in paper form, by telephone or otherwise.
What constitutes valid consent?
Consent means “any specific, informed and unambiguous indication of the data subject’s wishes … by a statement or by a clear affirmative action, [which] signifies agreement to the processing …”. There are also a number of conditions applicable which must be met for consent to be valid (that the consent has been freely given, for example).
It is not necessary in all cases for a data subject to signify agreement in writing (though Guernsey’s Office of the Data Protection Authority (ODPA) guidance states that explicit consent must be recorded). However, there must be some active communication between the parties. You cannot infer that a data subject has consented to processing if the data subject simply fails to respond to a communication or does not object.
Consent may be expressed or inferred from some relevant action (implied consent) but cannot be inferred from silence. It can also be withdrawn at any time.
Where consent is relied upon to process “sensitive personal data” that consent must be explicit, clear and cover the specific processing, including particular processing aspects, such as disclosures.
If explicit consent is not obtained in writing, it is recommended that a data controller keep some form of permanent record, such as a file note, indicating how explicit consent was obtained. This would be important if a complaint arose.
Processing and retention of personal data
Controllers and processors must comply with the data protection principles outlined earlier. There must be a “lawful basis” for processing the data (such as consent, performance of a contract or legitimate interests of the controller). In addition, controllers may rely on one or more conditions of processing in order to legitimise such processing (such as compliance with a legal obligation, public interest, or in the vital interests of the individual).
“Processing” in relation to personal data includes any operation performed on personal data, such as collection, recording, organising, storage, alteration, retrieval, use, disclosure, erasure or profiling.
Broadly, personal data should only be processed for the purposes for which it has been collected and these purposes should be notified to the data subject on or before collection. If a third-party processor is retained to undertake processing functions on behalf of the controller, a contract must be put in place between controller and processor to ensure that similar data processing standards are upheld throughout the supply chain.
In terms of data retention, the DPL requires that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”.
The DPL does not specify how long personal data should be retained, as the law applies to many different organisations and indeed, there are various potentially applicable statutory retention periods.
The retention time also depends on the type of information, the purpose for holding it, and whether there are legal obligations affecting the data retention. The retention principle applies to any personal data held, whether computerised or paper records, digital images, CCTV or voice recordings. At the end of its lifetime, information must be destroyed securely and appropriately.
A record retention policy and a record destruction policy tailored to the organisation’s particular requirements and obligations should be developed and regularly reviewed to ensure compliance.
The DPL does not make it mandatory for a data controller to appoint a data protection officer, except in limited instances (where large scale processing operations are carried out as a core activity, for example). However, it is considered good practice to have someone responsible for oversight and the monitoring of compliance with the DPL, and as a point of contact for regulatory queries or dealing with individuals wishing to exercise their rights under the DPL.
Accessing Personal Data
An individual is entitled to be informed by a data controller whether their personal data is being processed by or on behalf of the data controller. If so, the individual is entitled to a description of:
(i) the personal data,
(ii) the purposes for which it is being or is to be processed, and
(iii) the recipients or classes of recipient to whom the data may be disclosed.
The individual is also entitled to a copy of their data. The right is subject to certain limitations (such as the rights of third parties whose personal data is “mixed” with that of the data subject). The individual must send a data subject access request to the data controller, who must respond within 30 days. The data controller cannot (except in exceptional circumstances) charge a fee for responding. Data subjects can also request that their data is corrected where it is not accurate, or that it be erased (in limited circumstances).
The DPL includes exemptions which restrict the obligations around disclosure of data, where the data is processed for the specified purposes of:
- the prevention or detection of crime,
- the apprehension or prosecution of offenders,
- safeguarding national security,
- disclosures required by law or in connection with legal proceedings, or
- the assessment or collection of any tax or duty or of any imposition of a similar nature.
The burden is on the data controller to justify disclosing the personal information to the requester. The exemption limits when, and what, personal information should be disclosed, i.e.
- the circumstances must be of sufficient importance that not releasing the personal information would be likely to prejudice (harm) any attempt to prevent or detect a crime, and
- the personal information disclosed must be necessary and relevant to the investigation.
Are there any other exemptions?
There are exemptions from certain provisions of the DPL (particularly those around data subjects’ rights) which apply in specific circumstances. These limit the applicability of requirements such as:
- the right of access to personal data; and/or
- the duty to give notice of processing; and/or
- the restriction on disclosure of personal data to third parties.
The circumstances include disclosures required by law, financial services data, management forecasting, negotiations, legal advice and proceedings, confidential references for job applicants, legal professional privilege and where the personal data is being used for purely domestic purposes, or for journalism, literary or artistic purposes.
International transfers of personal information
Guernsey’s status as an “adequate” jurisdiction means that international transfers to “authorised jurisdictions” are permitted (these include the EU, Jersey, UK and other adequate jurisdictions). Transfers to other jurisdictions are permitted, but only to the extent that contracts or other similar recognised mechanisms are put in place to safeguard the data and ensure an adequate (and equivalent) level of protection.
Contracts can be put in place to control data transfers with third party processors or between members of the same group of companies. The DPL also sets out a number of exemptions from the transfer restriction, for example where the data subject’s consent has been obtained, if the transfer is in the public interest or if Guernsey’s Data Protection Commissioner has authorised the transfer.
It is common for businesses to use the EU’s model contractual clauses, data transfer agreements, Privacy Shield (for US transfers) or Binding Corporate Rules (BCRs) for this purpose.
How is direct marketing regulated?
Regulation is effected through a combination of the provisions of the DPL and the European Communities (Implementation of Privacy) Directive (Guernsey) Ordinance 2004 (e-Privacy Ordinance) which brought into force the equivalent provisions of the Privacy and Electronic Communications Regulation, 2003 (PECR).
The DPL defines ‘direct marketing’ as “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.” It is wide enough to incorporate direct marketing purposes, which captures activities such as profiling, if the collated data is then passed to a third party for them to send the relevant marketing communication.
When direct marketing is targeted at named individuals, i.e. their personal data (name, email address, residential address etc.) is used to send direct marketing, then that marketing is caught by the DPL and/or the e-Privacy Ordinance. Whilst there is no prohibition on the use of personal data for direct marketing, individuals do have the right to object to such processing and/or a right to prevent the processing. Individuals have the right to opt out of the use of their personal data for the purposes of direct marketing, and can do so at any time by communicating that wish to the relevant organisation holding their data.
Whilst this area is nuanced and detail is beyond the scope of this Guide, compliance depends on the nature of the intended recipient (employee of a business or the business itself, or an individual or sole trader), the medium being used (email, telephone, mail, SMS, etc.) and the content. For example, sending an unsolicited marketing message to an employee of a business customer using their work email address without their consent might be acceptable if:
- their details were provided during the course of a sale to them
- the marketing relates to similar products or services, and
- the individual is given a simple method of opting out of receipt of future marketing communications.
What rules apply to the monitoring of employees in the workplace?
There are no specific restrictions on employee monitoring under the DPL; however, employers should carry out a privacy impact assessment and consider less intrusive approaches to achieving the monitoring objectives. Employers should explain the purposes of the monitoring and the kinds of personal information being collected. Consideration should be given to limiting surveillance to areas of particular risk where the expectation of privacy is low (for example entrances/exits, communal areas and the immediate perimeter).
Insofar as the monitoring consists of reviewing emails, location data, internet usage and the like, then such purposes and limits should be clearly explained to employees and policies assessed at regular intervals and following a data protection impact assessment.
Employee data may often include sensitive personal information, so additional consideration should be given to how and whether such data should be collected, and the purposes for its collection. Employers should only use covert surveillance in extreme cases (such as collating evidence of dishonesty). Employers should also be mindful of the provisions of the Computer Misuse (Bailiwick of Guernsey) Law, 1991, which sets out various offences relating to the use of computers.
Can telephone calls be recorded?
What rules apply to the recording of CCTV footage?
To the extent that CCTV may capture personal information, its use will be regulated by the DPL.
To ensure that any personal information collected via CCTV is not excessive or goes beyond the collection purpose, consideration should be given to camera location/angles and the necessity of recording.
Particular care should also be taken if CCTV is used as part of any employee monitoring process, which would need to be disclosed to the employees in advance.
Guernsey’s Data Protection Commissioner has issued historic guidance for businesses using CCTV. Although the guidance is not legally binding, it is likely that the Commissioner will consider an organisation’s compliance with the guidance in the event of a complaint. Whilst the guidance pre-dates the DPL, the fundamental data protection principles remain applicable.
Guernsey’s Office of the Data Protection Authority (ODPA), referred to above, is an independent supervisory body which promotes and enforces compliance with the DPL and deals with complaints made under it. The Data Protection Commissioner is employed by the ODPA and their duties include promoting understanding and good practice by data controllers and processors. They can also take regulatory action where there has been a breach of the DPL.
The Commissioner has powers to require the production of information and documents, to conduct audits and to execute warrants to enter premises. They also have powers to issue administrative fines, to suspend or prevent data processing, and a range of enforcement powers in between.
Following a breach determination, the Commissioner can issue a reprimand, a warning, an order requiring certain steps (such as restricting processing) to be taken, or issue an administrative fine.
The upper limits of administrative fines can vary between £5m and £10m, depending on which section(s) of the DPL have been breached and the seriousness of the issue. In addition, administrative fines are capped at £300,000 (unless this is less than 10% of the annual global turnover or global gross income in the preceding financial year). There is also a cap of 10% of an individual’s global annual turnover or global gross income during the period of the breach, up to 3 years.
What are the penalties for non-compliance?
A person guilty of an offence under a relevant DPL provision is liable on summary conviction to a fine not exceeding £10,000 and/or up to twelve months’ imprisonment. On indictment, the person is liable for a fine and/or a term of imprisonment not exceeding two years.
Where an offence has been committed by a body corporate, and is proved to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, any director, manager, secretary or similar officer of the body corporate (or a person purporting to act in any such capacity), that individual can be found guilty of the offence and be proceeded against accordingly.
In 2016, the UK’s National Crime Agency released a Cyber Crime Assessment relevant to Guernsey. The UK Government also released cyber-security guidance which includes educating and raising the awareness of both staff and customers, monitoring the risks and having protection and network security in place as well as disaster recovery policies. Under this guidance certain matters should be reported to the Guernsey Financial Services Commission (GFSC), including incidents involving data or financial loss. The GFSC also issued its own cyber security guidance, has undertaken a Cyber Security thematic and is looking to issue further guidance on approach in the near future.
The DPL requires data controllers to take “appropriate” technical and organisational measures to protect the personal information they process, whether the data is processed by the controller or on the controller’s behalf by a third party. These measures are assessed against what is “reasonable” in the context of industry best practice.
To determine appropriate measures the controller should take into account their personal data estate and the resulting harm from misuse, the available technology to protect the information and also the cost to ensure an appropriate level of security.
When a third party is retained to process personal information on the controller’s behalf, the provider must be able to carry out the work in a secure manner. A written contract should be put in place with the processor to ensure they only use and disclose the personal data in line with the controller’s instructions and requiring them to take appropriate security measures.
Who needs to be notified in the event of a data breach?
Breach notification to the ODPA is mandatory within 72 hours of becoming aware of the breach. There is an online breach reporting facility and the ODPA has issued guidance on breach reporting. The DPL specifies the information that must be included in a breach notification.
There is no obligation to notify affected individuals, unless there is a “high risk” to their rights and freedoms. It is commonplace for a strategy to be developed in order to manage the notification and response to maintain customer trust, notwithstanding the lack of a direct obligation in some cases.