DATA PROTECTION OVERVIEW
Jersey’s previous data protection legislation (the Data Protection (Jersey) Law, 2005) was based on the United Kingdom’s Data Protection Act 1998 and mirrored the European Union’s (EU) Directive 95/46/EC. Given the scope and importance of the EU’s General Data Protection Regulation (GDPR), Jersey’s government revised the existing law to match what has become the new “global standard”.
Jersey was recognised by the European Commission as an equivalent jurisdiction in 2008 (Decision 2008/393/EC). Its adequacy decision will be reassessed in due course by the European Commission, in line with the review requirements of GDPR.
The Data Protection (Jersey) Law, 2018 and the Data Protection Authority (Jersey) Law, 2018 (together the DPL) were therefore drawn up to maintain Jersey’s adequacy status. The DPL is intended to be broadly equivalent to GDPR. Since coming into force, several sets of Regulations have been passed to augment Jersey’s DPL framework. Jersey’s Freedom of Information (Jersey) Law, 2011, may also be of relevance in some situations.
Although Jersey is not part of the EU, the DPL is based around the same fundamental ‘data protection principles’ upon which the previous legislation was based. However, their scope and application have been expanded to reflect the globalisation and digitalisation that has occurred in the intervening period.
The DPL applies to the processing of personal data which is undertaken wholly or partly by automated means, and to non-automated processing of personal data which forms, or is intended to form, part of a filing system. The processing must take place in the context of a “controller” or “processor” established in Jersey, or be carried out by a controller or processor outside Jersey in relation to data subjects in Jersey (usually in connection with the offering of goods or services to them, or the monitoring of their behaviour).
A “data controller” is a person who (either alone, or jointly with others) determines the purposes and the means of processing of any personal data; a “processor” is a person who processes personal data on behalf of a controller. A “processor” can also be a “controller” if it also makes those determinations. However, an employee carrying out these functions on behalf of a “controller” is not considered to be a “controller” in their own right merely by virtue of their employment.
Under the DPL, both controllers and processors must comply with the “data protection principles”, which are:
- Lawfulness, fairness and transparency: processing data lawfully, fairly and in a transparent manner
- Purpose limitation: collecting data for a specific, explicit and legitimate purpose and not further processing it in a manner which is incompatible with the original purpose(s)
- Data minimisation: data collected is adequate, relevant and limited to what is necessary for the purpose(s) for which it is processed
- Accuracy: data is accurate and up to date; if data is inaccurate, it is erased or corrected without delay
- Storage limitation: data is kept no longer than is necessary for the purpose for which it is processed
- Integrity and confidentiality: data is processed in a manner which ensures its security, using appropriate technical or organisational measures
- Accountability: having responsibility for, and the ability to demonstrate, compliance with the data protection principles
Whilst “security” was listed by that name as a “principle” under the old regime, neither the GDPR nor the DPL uses that label. The obligation survives as the “integrity and confidentiality” principle above and, separately, as a specific requirement in both pieces of legislation to take appropriate technical and organisational security measures.
The “principles” are to be borne in mind whilst assessing the risks and practicalities of processing personal data. It is important to remember that they are not new concepts, rather their scope has evolved over time. In all cases, a lawful basis for data processing has to be established, by reference to a processing “condition”, such as the consent of the data subject whose personal data it is, fulfilling the terms of a contract, the legitimate interests of the controller, or the vital interests of the individual.
The definition of personal data under the DPL includes “any information relating to” an “identified, or identifiable, individual” and is sufficiently wide so as to include online identifiers, location data, identity codes and biometric data, for example.
“Processing” includes any operation carried out on personal data. This might be obtaining, holding, storing or recording data, or carrying out operations such as disclosure, retrieval, consultation, organisation, and ultimately erasure or destruction of the data.
Under the DPL, both controllers and processors established locally must be registered with the Information Commissioner. The exemption for “pure” data processors that existed under the old regime (where only controllers had to notify) no longer applies; a processor must register even if it does not “control” data in its own right.
Special Category Data (“sensitive personal data” under the old regime) attracts additional protection. It is data revealing an individual’s racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, health data, biometric data, sex life or sexual orientation, or criminal data (relating to the (alleged) commission of a criminal offence by an individual or any criminal proceedings).
Additional conditions must be satisfied prior to processing Special Category Data: for example, obtaining the data subject’s explicit consent, or processing only where necessary for a recognised purpose (such as complying with obligations under employment law, protecting a data subject’s vital interests, or establishing, exercising or defending legal claims).
Collecting personal data
At the time of collection, the data subject should be provided with various information, including a description of –
(a) what personal data is being collected;
(b) the purposes for which the data is being collected and processed, whether by or on behalf of the data controller;
(c) the recipients or recipient classes to whom the data will or may be disclosed;
(d) any countries or territories outside the jurisdiction to which the data controller, whether directly or indirectly, transfers, intends or wishes to transfer the data; and
(e) general technical and security measures that will be taken to keep the data secure.
This information should be provided within a separate privacy notice so that the data subject can make a clear, informed decision as to whether to proceed. A privacy notice should be provided by the data controller at each point of data collection.
What constitutes valid consent?
Consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes… by a statement or by a clear affirmative action, [which] signifies agreement to the processing…”. There are also a number of conditions which must be met for consent to be valid.
It is not necessary in all cases for a data subject to signify agreement in writing (though the Jersey Office of the Information Commissioner (JOIC) guidance states that explicit consent must be recorded). It does, however, mean that there must be some active communication between the parties. You cannot infer that a data subject has consented to the data processing simply because they fail to respond to a communication or do not object.
Consent may be express, or implied from a clear affirmative action by the data subject (such as ticking an unticked box), but it cannot be inferred from silence, inactivity or pre-ticked boxes. It can also be withdrawn at any time, and withdrawal must be as easy as giving consent.
Where consent is relied upon to process Special Category Data (“sensitive personal data” under the old regime), that consent must be explicit, clear and cover the specific processing, including particular processing aspects such as disclosures.
If explicit consent is not obtained in writing, it is recommended that a data controller keep some form of permanent record, such as a file note, indicating how explicit consent was obtained. This would be important if a complaint arose.
Processing and retention of personal data
Controllers and processors must comply with the data protection principles outlined earlier. Every processing operation needs a “lawful basis”, which means that at least one of the processing conditions in the DPL must apply: the data subject’s consent, performance of a contract with the data subject, compliance with a legal obligation, protection of the vital interests of an individual, the performance of a task in the public interest, or the legitimate interests of the controller (provided those interests are not overridden by the interests or rights of the data subject). The basis relied upon should be identified and recorded before processing begins, since it determines which of the data subject’s rights apply.
“Processing” in relation to personal data includes any operation performed on personal data, such as collection, recording, organising, storage, alteration, retrieval, use, disclosure, erasure or profiling.
Broadly, personal data should only be processed for the purposes for which it has been collected and these purposes should be notified to the data subject on or before data collection. If a third-party processor is retained to undertake processing functions on behalf of the controller, a contract must be put in place between controller and processor to ensure that similar data processing standards are upheld throughout the supply chain.
In terms of retention, the DPL requires that personal data “that permits identification of data subjects” shall be kept for “no longer than is necessary for the purposes for which the data are processed”.
The DPL does not specify how long personal data should be retained, as the law applies to many different organisations and indeed, there are various potentially applicable statutory retention periods.
The retention time also depends on the type of information, the purpose for holding it, and whether there are legal obligations affecting the data retention. The retention principle applies to any personal data held, whether computerised or paper records, digital images, CCTV or voice recordings. At the end of its lifetime, information must be destroyed securely and appropriately.
Record retention and destruction policies tailored to the organisation’s particular requirements and obligations should be developed and regularly reviewed to ensure compliance.
The DPL does not make it mandatory for a data controller to appoint a data protection officer, except in limited instances (where large scale processing operations are carried out as a core activity, for example). However, it is considered good practice to have someone responsible for oversight and the monitoring of compliance with the DPL and as a point of contact for regulatory queries or dealing with individuals wishing to exercise their rights under the DPL. Groups of undertakings are permitted to appoint a single data protection officer to oversee several legal entities.
Accessing Personal data
An individual is entitled to be informed by a data controller whether their personal data is being processed by or on behalf of the data controller. If so, the individual is entitled to a description of:
(i) the personal data,
(ii) the purposes for which it is being or is to be processed, and
(iii) the recipients or classes of recipient to whom the data may be disclosed.
The individual is also entitled to a copy of their data. The right is subject to certain limitations (such as the rights of third parties whose personal data is “mixed” with that of the data subject). The individual must send a data subject access request to the data controller, who must respond within four weeks of receipt. The data controller cannot (except in exceptional circumstances) charge a fee for responding. Data subjects can also request that their data is corrected where it is not accurate, or that it be erased (in limited circumstances).
The DPL includes exemptions which restrict the obligations around disclosure of data, where the data is processed for the specified purposes of:
- the prevention or detection of crime,
- the apprehension or prosecution of offenders,
- safeguarding national security,
- disclosures required by law or in connection with legal proceedings, or
- the assessment or collection of any tax or duty or of any imposition of a similar nature.
The burden is on the data controller to justify a disclosure made in reliance on the exemption (for example, to a body investigating a crime). The exemption limits when, and what, personal information should be disclosed, i.e.
- the circumstances must be of sufficient importance that not releasing the personal information would be likely to prejudice (harm) any attempt to prevent or detect a crime, and
- the personal information disclosed must be necessary for, and relevant to, the investigation.
Are there any other exemptions?
There are exemptions from certain provisions of the DPL (particularly those around data subjects’ rights) which apply in specific circumstances. These limit the applicability of requirements such as:
- the data subject’s right of access to their personal data;
- the duty to give notice of processing to the data subject; and
- the restriction on disclosing personal data to third parties.
The circumstances include disclosures required by law, financial services data, management forecasting, negotiations, legal advice and proceedings, confidential references for job applicants, legal professional privilege and where the personal data is being used for purely domestic purposes, or for journalism, literary or artistic purposes.
International transfers of personal data
Jersey’s own status as an “adequate” jurisdiction governs transfers into Jersey from the EU; it does not relieve Jersey controllers of restrictions on transfers out. Transfers from Jersey to “third countries” (jurisdictions that are neither in the EEA nor covered by an adequacy decision) are only permitted to the extent that contracts or other recognised mechanisms are put in place to safeguard the data and ensure an adequate (and equivalent) level of protection.
Contracts can be put in place to control data transfers to third-party processors or between members of the same group of companies. The DPL also sets out a number of exemptions from the transfer restriction, for example where the data subject’s explicit consent has been obtained (after being informed of the risks), if the transfer is necessary for important reasons of public interest, or if Jersey’s Information Commissioner has authorised the transfer.
It is common for businesses to use the EU’s standard (model) contractual clauses, data transfer agreements or binding corporate rules (BCRs) for this purpose. Privacy Shield, previously used for transfers to the US, was invalidated by the Court of Justice of the EU in July 2020 (Schrems II) and can no longer be relied upon; transfers to the US now require one of the other mechanisms (or, where applicable, the EU–US Data Privacy Framework adopted in 2023), together with an assessment of whether the recipient country’s law undermines the protection the mechanism provides.
How is direct marketing regulated?
When direct marketing is targeted at named individuals, i.e. their personal data (name, email address, residential address etc.) is used to send direct marketing, then that marketing is caught by the DPL. Whilst there is no prohibition on the use of personal data for direct marketing, individuals have an unconditional right to object to such processing: they can opt out at any time by communicating that wish to the organisation holding their data, and once they have done so the organisation must stop processing their data for marketing purposes.
Whilst this area is nuanced and detail is beyond the scope of this Guide, compliance depends on the nature of the intended recipient (employee of a business or the business itself, or an individual or sole trader), the medium being used (email, telephone, mail, SMS, etc.) and the content. For example, sending an unsolicited marketing message to an employee of a business customer using their work email address without their consent might be acceptable if:
- their details were provided during the course of a sale to them
- the marketing relates to similar products or services, and
- the individual is given a simple method of opting out of receipt of future marketing communications.
What rules apply to the monitoring of employees in the workplace?
There are no specific restrictions on employee monitoring under the DPL. However, employers should carry out a data protection impact assessment (DPIA) before introducing monitoring and consider less intrusive approaches to achieving the monitoring objectives. Employers should explain the purposes of the monitoring and the kinds of personal information being collected. Consideration should be given to limiting surveillance to areas of particular risk where the expectation of privacy is low (for example entrances/exits, communal areas and the immediate perimeter).
Insofar as the monitoring consists of reviewing emails, location data, internet usage and the like, the purposes and limits of that monitoring should be clearly explained to employees in a policy, and the policy should be reviewed at regular intervals and whenever the DPIA is revisited.
Employee data may often include sensitive personal information so additional consideration should be given to how and whether such data should be collected and the purposes for its collection. Employers should only use covert surveillance in extreme cases (such as collating evidence of dishonesty). Employers should also be mindful of the provisions of the Computer Misuse (Jersey) Law, 1995 (as amended), which sets out various offences relating to the use of computers.
Can telephone calls be recorded?
What rules apply to the recording of CCTV footage?
To the extent that CCTV may capture personal information, its use will be regulated by the DPL.
To ensure that any personal information collected via CCTV is not excessive or goes beyond the collection purpose, consideration should be given to camera location/angles and the necessity of recording.
Particular care should also be taken if CCTV is used as part of any employee monitoring process, which would need to be disclosed to the employees in advance.
Jersey’s Information Commissioner has written about the issues surrounding the use of CCTV. Although not legally binding, the issues are clearly identified and are ones that all organisations should consider.
Jersey’s Data Protection Authority (Authority) is an independent supervisory body which promotes and enforces compliance with the DPL and deals with complaints made under it. Its oversight and enforcement powers are delegated to the Information Commissioner, whose duties include promoting understanding and good practice by data controllers and processors. The Commissioner can also take regulatory action where there has been a breach of the DPL.
The Commissioner has powers to require the production of information and documents, to conduct audits and to execute warrants to enter premises. The Commissioner also has powers to issue administrative fines, to suspend or prevent processing, and a range of enforcement powers in between.
Following a breach determination, the Commissioner can issue a reprimand or warning, issue an order requiring certain steps (such as restricting processing) to be taken, or impose an administrative fine.
The statutory upper limits of administrative fines vary between £5m and £10m, depending on which section(s) of the DPL have been breached and the seriousness of the issue. In addition, Regulations cap administrative fines at £300,000 (unless this is less than 10% of the company’s annual global turnover or global gross income in the preceding financial year). There is also a cap of 10% of the entity’s global annual turnover or global gross income during the period of the breach, up to a maximum of 3 years.
What are the penalties for non-compliance?
A person guilty of an offence under a relevant DPL provision is liable on summary conviction to a fine not exceeding £10,000 and/or up to twelve months’ imprisonment. On indictment, the person is liable for a fine and/or a term of imprisonment not exceeding two years.
Where an offence has been committed by a body corporate, and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, manager, secretary or similar officer of the body corporate (or a person purporting to act in any such capacity), that individual can be found guilty of the offence and be proceeded against accordingly.
In 2016, the UK’s National Crime Agency released a Cyber Crime Assessment relevant to Jersey. The UK Government also released cyber-security guidance which includes educating and raising the awareness of both staff and customers, monitoring the risks, having protection and network security in place, and maintaining disaster recovery policies. Consistent with this guidance, regulated businesses in Jersey should report certain matters to the Jersey Financial Services Commission (JFSC), including incidents involving data or financial loss. The JFSC has also issued its own cyber security guidance, has undertaken a Cyber Security survey and promotes good practice in its regulatory supervision. The States of Jersey requires that all suppliers to government for contracts in excess of £25,000 hold Cyber Essentials certification as a minimum.
Do any specific technical and organisational security measures need to be implemented to protect personal data?
The DPL requires data controllers to take “appropriate” technical and organisational measures to protect the personal information they process, whether the data is processed by the controller or on the controller’s behalf by a third party. These measures are assessed against what is “reasonable” in the context of industry best practice.
To determine appropriate measures, the controller should take into account their personal data estate and the resulting harm from misuse, the available technology to protect the information and also the cost to ensure an appropriate level of security.
When a third party is retained to process personal information on the controller’s behalf, the provider must be able to carry out the work in a secure manner. A written contract should be put in place with the processor to ensure they only use and disclose the personal data in line with the controller’s instructions and requiring them to take appropriate security measures.
Who needs to be notified in the event of a data breach?
A personal data breach must be notified to the JOIC (defined above) without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where notification is made later than 72 hours, the reasons for the delay must be given. A processor that becomes aware of a breach must notify the controller without undue delay. There is an online breach reporting facility and the JOIC has issued guidance on breach reporting. The DPL specifies the information required to be covered in a breach notification (including the nature of the breach, the categories and approximate numbers of data subjects and records affected, the likely consequences and the measures taken or proposed), and a controller must keep an internal record of all breaches, whether or not they are notified.
There is no obligation to notify affected individuals unless the breach is likely to result in a “high risk” to their rights and freedoms. Notwithstanding the lack of a direct obligation in some cases, it is commonplace for a strategy to be developed to manage notification and response in order to maintain customer trust.