
Jersey Office of the Information Commissioner Annual Report 2022.

This content has been automatically generated from the original PDF and some formatting may have been lost. Let us know if you find any major problems.

Text in this format is not official and should not be relied upon to extract citations or propose amendments. Please see the PDF for the official version of the document.


R.103/2023

Fulfilling the obligations of the Authority under Article 44 of the Data Protection Authority (Jersey) Law 2018 and the Information Commissioner under Article 43 of the Freedom of Information (Jersey) Law 2011.

Contents

SECTION 1-3: ROLE, VALUES, VISION, PURPOSE AND 2022 STRATEGIC OUTCOMES

Our Role

Our Values

Our Vision

Our Purpose

2022 Strategic Outcomes

Statement from the Chair

Information Commissioner's Foreword

SECTION 4: THE JERSEY DATA PROTECTION AUTHORITY

Governance, Accountability & Transparency

Authority Structure & Authority Report

Governance Report

Authority Sub-Committees

SECTION 5: PRINCIPAL AND EMERGING RISKS

Summary of Principal Risks

SECTION 6: PERFORMANCE REPORT

SECTION 7: 2022 CASE DATA

SECTION 8: 2022 CASE OUTCOMES

SECTION 9: BREACH REPORTING

SECTION 10: ENFORCEMENT AUDITS

SECTION 11: ANNUAL REPORT OF FREEDOM OF INFORMATION ACTIVITIES

SECTION 12: OPERATIONAL PERFORMANCE AND APPEALS

SECTION 13: ENVIRONMENTAL, SOCIAL AND GOVERNANCE

SECTION 14: OUTREACH AND COMMUNICATIONS

SECTION 15: REMUNERATION AND STAFF REPORT

SECTION 16: FINANCE REPORT

SECTION 17: AUDITED FINANCIAL STATEMENTS

Strengthened Team: Increased depth in engagement and regulatory policy

188 Self Reported Data Breaches

6634 Organisations registered

Host Nation: Jersey awarded host nation status for Global Privacy Assembly Annual Meeting 2024

Amicable Resolution: 75% cases resolved informally

75%* that attended JOIC events said they would benefit professionally and/or personally

80%* rated event content either Good or Very Good

Growing Recognition: Jersey's contribution to data protection deliberations on international stage continues to grow

Young Privacy Ambassador Programme: Presented to 500 Students

93%* learnt something new

Privacy-led data stewardship services: Authority has taken a leading step to support the development of these services

Global Privacy Assembly Executive Committee: Information Commissioner selected to serve as member of Global Privacy Assembly Executive Committee

* of those that responded

The Jersey Data Protection Authority (the Authority) is an independent statutory body established to promote respect for the private lives of individuals through ensuring privacy of their personal information by:

Implementing and ensuring compliance with the Data Protection (Jersey) Law 2018 (the DPJL) and the Data Protection Authority (Jersey) Law 2018 (the DPAJL).

Influencing attitudes and behaviours towards privacy and processing of personal information, both locally and internationally.

Providing advice and guidance to Island businesses and individuals and making recommendations to the Government of Jersey in response to changes in international data protection laws.

The Information Commissioner has separate responsibility for regulating the Freedom of Information (Jersey) Law 2011 (the FOI Law). This includes encouraging public authorities to follow good practice in their implementation of the FOI Law (including adherence to the relevant code of practice) and help to promote transparency by supplying the public with information about the law and advice and guidance on how to exercise their rights.

Our vision is to create an island culture whereby the protection of personal data and privacy becomes instinctive, with individuals and organisations taking a proactive approach to embed such protection throughout their daily activities and business planning.

To provide those who interact with Jersey organisations and the Government of Jersey with the highest standard of personal data protection.

Our values are hugely important to us, they create our identity and inform how we do business. We created our values to be more than words on a page, using them to guide decisions, select behaviours and drive continuous improvement in our service. Our values apply to us all, regardless of rank and flow through each area of our service, every day.

We are Fair

We treat people equally, without favouritism or discrimination. We are impartial in our activities and free from bias or dishonesty. We are competent, reliable and respectful. Our decisions are open, honest and rationalised by a sound evidence base to promote integrity and trust.

We are Collegial

We share responsibility, including being honest and fair in our conduct towards others. We are willing to be judged on our performance. We work together to achieve our strategic outcomes. A collaborative approach allows us to work effectively together or individually. We communicate clearly, actively listen to others, take responsibility for mistakes, and respect the diversity of our team. We demonstrate impartiality and accountability.

We are Respectful

We respect those we work with and liaise with; this means that we actively listen to others and behave considerately towards others. We have self-respect and make responsible choices in what we say and do, to reach personal and organisational outcomes. We treat others in the way we want to be treated.

We are Energetic

We are enthusiastic and approach our activities with vigour and vitality.

Strategic Outcomes

01 Achieving and maintaining the highest standard of data protection in Jersey.

  a. Our purpose demands the highest standards of data protection for our citizens, and those who interact with Jersey, remembering that our Law (like GDPR) has extra-territorial scope.
  b. It is also important to remember that as a fundamental human right, data protection is intrinsically linked to well-being, mental health, reducing inequalities and improving living standards. All of these areas are key elements of the Island's collective strategy in the coming years.

This outcome covers all areas of our organisation and those who we are here to serve and support. From delivering proactive day to day guidance and resources, to forging ahead with our outreach and education programmes, to specific enforcement initiatives, such as targeted audits, we are committed to achieving and maintaining the highest standards of data protection. However, we cannot do this alone. We will continue to engage with all sectors of our community, such as charities, government, local business and primary and secondary schools to reach young people. Our deliverables in this area, support our aim to be an exemplar and a source of leadership to our stakeholders. This in turn helps them to understand their role and their responsibilities, so that they too can deliver the highest standards of data protection.

02 Maximising technological and economic opportunities to enhance the Island's reputation as a safe place to host personal data and do business.

  a. Jersey is a unique jurisdiction where the regulation of personal data (particularly in the finance sector) is already entrenched in our society. It will be critical for our economy to ensure we remain at the leading edge, monitoring international legislative frameworks, trading corridors and innovation to ensure Jersey can act fast and seize opportunities that both grow and preserve our already strong reputation for data privacy.
  b. Our strong relationships with relevant stakeholders in the digital sector and government have enabled us to participate in a major project on the feasibility of Data Stewardship, Data Dignity and Data Sovereignty in Jersey. These concepts can provide exciting opportunities for Jersey where the Island can be seen as a world leader. We are key stakeholders in those discussions.

Strengthening our team with the development of a policy function will allow us to proactively identify relevant developments in the field of data protection, such as new and emerging technologies, economic or social change. Our deliverables in this area start at grassroots level, with the aim of helping our stakeholders to ensure they have solid foundations, are minimising risk and are alert to both future threats and opportunities. As a small but agile team, our focus will be to understand the emerging landscape, work collegially with key change agents and provide thought leadership to facilitate positive change.

This will include our on-going responsibility to maintain an awareness of regulatory and legal changes which may impact on privacy and data protection in Jersey and to contribute to our ability to navigate new privacy frontiers.

03 Protecting our future generations by putting children and young people first.

  a. Given the exponential advances and uses of technology, it is critical, now more than ever, that we take steps to educate children on how online behaviours can affect their opportunities in later life and provide them with the tools to protect themselves against the many harms associated with a digital environment, including social media, online gaming and the darker sides of the internet.
  b. Equally, many of these young people will be our future digital innovators. It is incumbent upon us to help them embrace technological innovation in a safe way, and work with them to improve their own broader skills so as to ensure that Jersey remains not only a safe place to live, but also an exciting, attractive and progressive Island in which to do business.
  c. Highlighting children is not at the exclusion of adult populations within our community. We respect all members of our community whilst recognising that some populations may be at higher risk and need greater protection. Our role as regulator is to ensure that we target our support accordingly and apply the law in a fair and consistent manner, protecting those who need it most.

In working towards this outcome, our deliverables build on our already strong relationships with the Island's schools, through further development and wider roll-out of our education programme. Through specific targeted outreach campaigns, we will raise children's awareness of their data protection rights, whilst alerting them to the potential risks of their online and other activities.

Chair Report

Jacob Kohnstamm

Chair, Jersey Data Protection Authority

On behalf of the Jersey Data Protection Authority, it is once again my pleasure to present to the Minister and members of the States Assembly our Annual Report for 2022. This fulfils our statutory obligation under Article 44 of the DPAJL.

2022 started in a similar way to 2021 with the Covid pandemic still very much around us and an integral part of our daily lives, meaning that as an Authority we were still unable to meet in person until August. The Russian invasion of Ukraine in February signalled the beginning of even more significant change around the globe with further disruption of supply chains, rising importation costs, increasing geopolitical tensions, as well as the obvious humanitarian crisis arising from conflict, where many innocent people continue to lose their lives, livelihoods and homes. We regularly talk about data protection as a fundamental human right, but we must also remember that data protection sits alongside and is indeed connected to a whole suite of human rights which are equally just as important.

In my last report, I noted the continued growth of the office that supports the Authority's mandate and why this is critical to aid our understanding of the complexities of emerging technologies and artificial intelligence (AI) and the challenges they bring to privacy and data protection. I am pleased to report that the Jersey Office of the Information Commissioner (JOIC) has strengthened its team to increase depth in its engagement and regulatory policy development capabilities. We were also delighted that one of our Authority Members, Clarisse Girot, has been recognised for her broad, global and multi-jurisdictional experience and expert knowledge in data protection policy development with the opportunity to take on an important full-time role as Head of the Data Governance and Privacy Unit with the Organisation for Economic Cooperation and Development (OECD). We thank Clarisse for her service to the Authority and wish her every success in her new role. Clarisse's departure and the planned retirement of David Smith later this year who brings expert knowledge of UK and EU data protection laws, have led to the engagement of a specialist search firm to support a recruitment round for the Authority that was completed in February 2023.

Jersey is a small Island jurisdiction that has consistently punched above its weight throughout its history. Currently, Jersey is recognised as a leading international finance centre supported by well-respected and stable legal and regulatory frameworks that include a robust data protection regime and a trust law that is recognised globally for its innovative and flexible applications. Jersey also has a world-leading IT infrastructure with top-ranked broadband speeds and fibre connectivity to every household that has enabled the development and continuing growth of a vibrant and diverse digital economy. These factors support Jersey as an ideal testbed jurisdiction for new technology-enabled products and services. With regard to data protection, I am pleased to report that the Authority has been working together with Digital Jersey, a government-supported economic development agency, to establish and launch the world's first data trust for the common good based on the Jersey trust law framework. With government, commercial service providers and professional trustees included as key stakeholders, the Authority has taken a leading step to support the development of privacy-led data stewardship models and services and I am looking forward to reporting on our progress in the years ahead as this pilot scheme gains momentum.

A further significant achievement in 2022 is the growing recognition of Jersey's presence and contribution to data protection deliberations on the international stage. Jersey has been represented on more working groups of the Global Privacy Assembly (GPA) than ever before, and I am pleased to report that, for the very first time, Jersey's Information Commissioner, Paul Vane, has been invited to serve on the GPA Executive Committee. Jersey has also been awarded host nation status for the 2024 GPA International Conference and we are looking forward to welcoming our international data protection colleagues for a very special event. It is likely that data stewardship services will feature high on the agenda given the significant work already underway in the island on this subject.

Finally, the ongoing funding discussion with the Government of Jersey is entering its third year as we have yet to come to a mutually acceptable resolution. The right to privacy is a fundamental human right that Jersey has chosen to recognise with a corresponding data protection framework defined under the DPJL and DPAJL. The Authority is established as an independent statutory public authority with a mandate defined by these laws. The Authority regulates both the private and public sectors in respect of their data processing activities. As the largest public sector employer, Government is also processing some of the largest data sets of mostly sensitive, special category data about the people who are resident in Jersey as they access a range of public services including health and social care. Currently, around 25% of our workload can be attributed to Government-related data processing matters yet less than 10% of our total funding was provided by Government last year; the receipt of this funding is dependent on a grant mechanism that is uncertain and may be withheld entirely by Government for any given period. This is clearly an unacceptable framework from a fairness perspective with respect to private/public sector funding contributions. Also, more fundamentally and from the perspective of adequacy and integrity, it is essential Government recognise, through their financial contribution, the importance of providing meaningful access to and the protection of, a fundamental human right. I am, however, pleased that discussions with Government are progressing on this important matter, and we remain hopeful that a mutually acceptable long-term solution can be reached in the very near future to emphasise the importance of resolving this long outstanding matter to secure a more sustainable data protection framework for the benefit of Jersey and the exciting opportunities ahead.

To conclude, my thanks go to fellow Authority members and the entire JOIC team for another year of outstanding achievements. We look forward to welcoming our new Authority members in 2023 and building upon the data protection foundations we have established to support the development of our regulatory sandbox and explore further engagement and technology-led innovations for Jersey in the years to come.

Jacob Kohnstamm

Chair, Jersey Data Protection Authority

Information Commissioner's Foreword

Paul Vane BA(Hons) Soc Pol Crim (Open)

Information Commissioner

As Chair Kohnstamm has already mentioned, 2022 started in much the same way to the previous year, adjusting to living with Covid and the numerous adaptations to life the pandemic forced upon us.

The main focus of our activities throughout 2022 was on our overarching vision to create a culture in Jersey where privacy becomes instinctive. This meant greater investment in our outreach programme and on educating the individual at all levels, empowering them to ask the right questions, both as individuals and in their business capacities. We have expanded our Let's Go DPO initiative which is designed to promote awareness of the Law and increase compliance levels by providing Data Protection Officers or those with responsibility for data protection in their respective organisations with a safe space to share their experiences and learn from each other. Membership doubled in 2022 and the feedback from attendees has been extremely positive.

Similarly, the Board Support Squad initiative, designed to ensure Board-level individuals are better equipped to navigate the data protection landscape, has also gained momentum and has been well received across the business community. It has also helped in building important relationships between the JOIC and the business community as well as increasing awareness levels and understanding of their legal obligations.

During the year, our office ran numerous events including guidance sessions, workshops and seminars, with a greater focus on small businesses and start-ups who often do not benefit from the in-house compliance expertise found in larger, more established organisations. It was also election year in Jersey, so assistance was provided to election candidates in helping them understand their data protection obligations through the development of bespoke guidance.

In my view, one of the key factors to changing culture in Jersey is to engage with young people as early as possible. 2022 saw the continuation of our Young Privacy Ambassador Programme in Island secondary schools, focusing on what privacy means to young people, and how best they can protect themselves as they enter adult life and navigate the privacy issues arising from new and emerging technologies. The tech age is not slowing down so it is vitally important that we provide young people with the appropriate tools and learning to help them along their life paths. It was refreshing to see such interest from our younger generation who were fully engaged in the subject matter and asked some searching questions of our team. Again, having these discussions now and developing those relationships with our future teachers, business leaders and professionals is both hugely inspiring and critical to the success of our long-term vision.

In terms of our compliance and enforcement activities, the office saw a drop in the total number of complaint cases opened. This can likely be attributed to a change in process and in particular the addition of a mediation layer as part of our outcomes-based approach to regulation, whereby attempts are made to reach an amicable resolution between the complainant and the data controller before the complaint is tipped into a formal investigation. Unsurprisingly, as the largest sector and data user, the public sector represented 29% of overall complaints received, with 17% relating to the financial and professional services sector. Consistent with the previous year however, most complaints received were in relation to the improper sharing of personal information, closely followed by alleged failures to respond appropriately to subject access requests. Also similar to last year, few complaints reached the threshold of requiring any formal sanction from our office, however provided an opportunity for learning and development on the part of the controller.

Similarly, the number of Self-Reported Data Breaches (SRDBs) dropped slightly in comparison to 2021, with the financial and professional services sector reporting the most overall. There was an increase in the number of reported SRDBs coming from the health and wellbeing sector, which perhaps reflects some of the work carried out with this sector from our desk-based audit programme the previous year. Again, most of the breach reports received related to the unauthorised disclosure of personal data.

Outside of the day-to-day complaints, we have expanded our casework team to focus on our audit programme. A year-long project was undertaken to develop our audit function, strengthen our capability and implement new IT solutions that will enhance our ability to mobilise our audit powers using a risk-based approach.

Our strategic projects remain at the heart of our culture as a regulator that is anything but regular, and are key to achieving our vision to create an island culture where the protection of personal data and privacy become instinctive. The planning and management of these projects are important aspects of our overall governance and our aim to be an exemplar to all stakeholders. Our key strategic projects support our purpose, vision and strategic outcomes and are funded through the collection of registration fees. They form part of our future 5-year plan and examples of these projects may be found throughout this report, including our ground-breaking partnership with Digital Jersey to examine data stewardship services, discussed in more detail in the Outreach and Communications section.

In terms of our international activities and profile, as a small island state it was an honour for both me personally, and the office to be invited to join the Executive Committee of the GPA during the final quarter of 2022. Despite Jersey's small size, our office faces many of the same challenges faced by larger Data Protection Authorities, particularly in relation to applying the law to emerging technologies, increasing the levels of awareness of data protection rights amongst the general public, and playing our part in the preservation of democracy in the Island. The appointment recognises the work of the JOIC both locally and internationally, with Jersey becoming one of only a small number of data protection and privacy authorities around the world to be selected to serve as a member of the Executive Committee.

Our office has been a member of the GPA, and its prequel body since 2005. In recent years we have become more actively involved in GPA activities, with representation on a number of their Working Groups. Since May 2022, the JOIC has chaired the newly formed Working Group on Data Sharing for the Public Good. This is an extremely important area of the GPA's work, with a focus on finding simple and practical solutions for sharing of personal data where there is a direct public benefit to the sharing. We have maintained a presence on a number of other international groups, including the Association francophone des autorités de protection des données personnelles (AFAPDP), the Global Privacy Enforcement Network (GPEN), the International Association of Privacy Professionals (IAPP), and the British, Irish and Islands Data Protection Authorities Association (BIIDPA).

In respect of our long-term vision to create a culture in Jersey where privacy becomes instinctive, the continued work of the GPA in advancing global privacy in an age of accelerated digitalisation, maximising the voice of the GPA, particularly in terms of the broader digital policy, and building the capacity of the GPA and its members will most certainly help to secure that vision.

Perhaps the greatest achievement of the year in terms of our international profile was to be awarded host nation for the 2024 GPA Annual Meeting. This meeting brings together all 132 Data Protection Authorities around the world to discuss major issues impacting upon privacy and data protection. This is a huge honour for both the Authority and the Island and we are now working hard to ensure that the event not only delivers success to the attendees in terms of relevant and stimulating content but also provides a platform to show Jersey at its best in terms of its beauty as a unique place and what it can offer to the world in terms of innovation, expertise and its renowned regulatory landscape.

The themes and topics that will form the content of the conference are in discussion, but it is likely that concepts such as data stewardship services will feature high on the agenda, perhaps linked to the importance of ensuring privacy by design features throughout the organisation, as well as a focus on the individual. Last year I talked about the similarities between privacy and normality and how both concepts can mean different things to different people. What I didn't say however was that both can be embedded from the outset into everything we do. Norms are generally accepted ways of doing things within a community or society. We have a general understanding about what is considered, and thus defined as "normal". The same can be achieved in terms of privacy, by setting the standards from the outset. In a business sense this means embedding privacy controls throughout the data lifecycle.

As a final note, I must take the opportunity to thank the significant efforts of my team who have worked tirelessly to ensure our Island community, as well as those who interact with Jersey businesses, are provided with the highest standards of data protection. Their collective work this past year has gone above and beyond my expectations in all areas of our activities, despite the challenges resulting from significant growth and change. As a team, we are all united in our commitment to paving the way to a safer Island that we can all be proud of.

The JOIC remains committed to ensuring our Islanders and those who interact with Jersey organisations are afforded the very highest standards of data protection for this generation and those to follow as we strive to add real value to our Island's health and prosperity and achieve our long-term vision whereby thinking privacy becomes instinctive.

Paul Vane BA(Hons) Soc Pol Crim (Open)

Information Commissioner

The Jersey Data Protection Authority

The Jersey Data Protection Authority is a statutory body which oversees the protection of personal data.

The Authority consists of the Chair, and as per Article 3 of the Data Protection Authority (Jersey) Law 2018 [1] no fewer than 3 and no more than 8 other voting members and the Information Commissioner as an ex officio and non-voting member.

The Chair and voting members of the Authority are appointed by the Minister.

The Information Commissioner is the Chief Executive and:

Is responsible for managing the other employees of the Authority

Is in charge of the day-to-day operations of the Authority

Has the functions conferred or imposed on him or her by the Law and any other enactment

The Information Commissioner on behalf of the Authority undertakes the functions of the Authority under the DPAJL and the DPJL other than, the issuing of a public statement under Article 14, the making of an order to pay an administrative fine under Article 26, or any other function specified by the Authority by written notice to the Information Commissioner.

The Authority is established to undertake a variety of key activities which includes promoting public awareness of risks and rights in relation to processing, especially in relation to children and to raise awareness for controllers and processors of their obligations under the data protection laws.

It is also incumbent upon the Authority to report to Government on the operation of the data protection laws and to advise the Minister and the States of Jersey on any amendments that the Authority considers should be made to the laws.

All of the Authority's functions must be performed independently and free from direct or indirect external influence.

The Authority does not have any responsibility for Freedom of Information, which is a separate responsibility of the Information Commissioner under law. Please refer to page 55 for more information.

[1] https://jerseyoic.org/dp-foi-laws/

THE JERSEY DATA PROTECTION AUTHORITY

Governance, Accountability & Transparency

Authority Structure & Authority Report

The Authority is currently comprised of a non-executive chair and five non-executive voting members.

The Authority meets at least four times per annum. The Authority operates sub-committees to ensure that relevant matters can be addressed fully, and recommendations taken back to the main Authority meetings.

[Structure chart: Authority Chair: Jacob Kohnstamm. Authority Voting Members: David Smith, Gailina Liew, Clarisse Girot (resigned on 23 August 2022), Paul Routier MBE, Helen Hatton. Information Commissioner.]

The Data Protection Authority

The Authority has responsibility to:

Ensure that the JOIC remains accountable to the people of Jersey, in properly fulfilling its mandate and delivering quality services to its stakeholders.

Ensure that the JOIC provides value for money and complies with appropriate policies and procedures with respect to human resources, financial and asset management, and procurement. This includes formal approval of any single item of expenditure in excess of ten per cent of the operating budget for the JOIC.

The Authority also provides an advisory function to the JOIC. With a balance of expertise in data protection, governance, and local knowledge of the Jersey Government and industry, the Authority provides strategic guidance to the JOIC with respect to fulfilling its mandate effectively and efficiently.

Delegation of Powers

There are other powers and functions that the Authority may exercise under the Law, most notably:

Enforcing the Law.

Promoting public awareness of data protection issues.

Promoting awareness of controllers and processors of their obligations.

Cooperating with other supervisory authorities.

Monitoring relevant developments in data protection.

Encouraging the production of codes.

Maintaining confidential records of alleged contraventions.

The Authority has delegated all these other powers and functions to the Information Commissioner.

There are certain functions that the Authority Law stipulates that the Authority must perform itself, and which cannot be delegated to the Information Commissioner. The most important function is that only the Authority can decide whether to issue administrative fines for contraventions of the Law. While the JOIC will make the official finding in each case as to whether a contravention has occurred, it is the Authority that will determine whether a fine will be applicable and the value of that fine.


Authority Members

CHAIR OF THE AUTHORITY

Jacob Kohnstamm

TENURE

Jacob has been Chair of the Authority since May 2018. His current period of office expires on 24 May 2024.

EXPERIENCE

Jacob has 19 years' experience in the field of data protection, having served as chairman of the Dutch Data Protection Authority for 12 years. He also served as vice chairman of the Article 29 Data Protection Working Party for six years; the advisory body composed of the chairs of all Data Protection Authorities in the European Union.

Prior to that, Jacob served as vice-Chairman of the Executive Committee of the International Conference of Data Protection and Privacy Commissioners for four years and hosted that conference in Amsterdam in 2015.

VOTING AUTHORITY MEMBER

Helen Hatton

TENURE

Helen joined the Authority on 1 August 2019 for a period of three years. Helen was reappointed for a second term of office which is due to expire on 1 August 2025.

EXPERIENCE

Helen is widely recognised as the prime architect of the modern Jersey regulatory regime. Helen retired as Deputy Director General of the Jersey Financial Services Commission in May 2009 having led the implementation of regulatory development in the Island from its blacklisted state in 1999 to achieving one of the world's best International Monetary Fund evaluation results.

VOTING AUTHORITY MEMBER

Gailina Liew

TENURE

Gailina joined the Authority in October 2018 and was reappointed for a further three years until 28 October 2024.

EXPERIENCE

Gailina is a broadly-experienced independent non-executive director with a legal, scientific, operations and international business executive background. She is interested in the evolving frameworks for the regulation of privacy, data protection and their intersection with the ethical use of technology, human behaviour, artificial intelligence, and the future of human society. Gailina brings more than 20 years of board governance experience and data protection perspectives from the listed company, investment fund, human health, economic development, education, regulatory, adjudication and voluntary sectors to the Jersey Data Protection Authority.



VOTING AUTHORITY MEMBER

Paul Routier MBE

TENURE

Paul joined the Authority on 1 August 2019 for a period of three years and was reappointed for a second term of office which is due to expire on 1 August 2025.

EXPERIENCE

Paul was an elected member to the States of Jersey for 25 years and Assistant Chief Minister for a period of this time. During this time, he was responsible for working with officers and the public to develop a number of policy documents and legislation covering a wide cross section of commercial and social issues.

During his final term of office, he successfully led the debates in data protection legislation which, after gaining the support of States Members, led to the establishment of the Data Protection Authority. He also led the time critical political work in negotiating the final version of the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018 which are in force today.

VOTING AUTHORITY MEMBER

David Smith

TENURE

David joined the Authority in October 2018 and was reappointed for a further two years until 28 October 2023.

EXPERIENCE

David is an independent data protection expert, following his retirement from the role of Deputy Commissioner at the UK Information Commissioner's Office (ICO) in November 2015. David spent over 25 years working with the ICO and its predecessors, serving in a variety of data protection roles, under four previous commissioners. As Deputy Commissioner David had oversight of all the ICO's data protection activities, including its enforcement regime, successfully leading the introduction of the UK's first administrative fines. He played a significant role in shaping the UK position on the General Data Protection Regulation and represented the ICO on the Article 29 Working Party of European Supervisory Authorities set up under the Data Protection Directive.

VOTING AUTHORITY MEMBER

Clarisse Girot

TENURE

Clarisse resigned from the Jersey Data Protection Authority on 23 August 2022 as her new role at the Organisation for Economic Co-operation and Development (OECD) as head of the Data Governance and Privacy unit does not permit her to serve, concurrently, as a voting member of an independent data protection authority.

EXPERIENCE

Clarisse is a seasoned data privacy and Asian law expert and has unique expertise in the area of the regulation of international data flows. She is also a well-known figure in the world of data protection globally, having been involved in major international cases in data protection and privacy.

As noted in the Chair's Report, recruitment for new voting members was successfully concluded in February 2023 and we look forward to welcoming three new members to the Authority as from May 2023.

Further details regarding the Authority members' external appointments can be found at https://jerseyoic.org/team


Governance Report

The Authority is committed to ensuring a high standard of governance and all members are expected to conduct themselves in accordance with the Seven Principles of Public Life.

[Graphic: Standards in public life. Accountability, Openness, Selflessness, Honesty, Integrity, Leadership, Objectivity.]

Authority Sub-Committees

Audit & Risk Committee (ARC)

The voting members who comprise the ARC are:

Helen Hatton (Chair)

David Smith

Gailina Liew (until her resignation from ARC 1 June 2022)

Christine Walwyn (Co-opted accountant, Non-voting)

The Audit & Risk Committee's mandate is to advise and make recommendations to the Authority. The purpose of the ARC is to:

Assist the Authority in its oversight of the integrity of its financial reporting, including supporting the Authority in meeting its responsibilities regarding financial statements and the financial reporting systems and internal controls.

Monitor, on behalf of the Authority, the effectiveness and objectivity of external auditors.

Provide input to the Authority in its assessment of risks and determination of risk appetite as part of the overall setting of strategy.

Assist the Authority in its oversight of its risk management framework.

Mrs Walwyn was recruited to bring formal accredited accountancy skills and knowledge to the ARC following the Authority's skills assessment in 2022. Mrs Walwyn is a fully qualified Chartered Accountant, bringing key analytical and financial acumen skills, plus experience in establishing effective and efficient control environments.

Mrs Walwyn has spent 11 years working within the Government of Jersey in senior finance roles and as Chief Operating Officer with the former Education Department. She was also Group Business Transformation Director for the Garenne Construction Group. She currently works as a freelance Chartered Accountant and business consultant.

Mrs Walwyn has significant experience of understanding and interpretation of financial reports, with detailed knowledge of accounting standards, and experience of operating and advising at Board level, providing constructive challenge and identification of risks and issues.


Governance Committee

The voting members who comprise the Governance Committee are:

Gailina Liew (Chair)

Jacob Kohnstamm

Clarisse Girot (until her resignation on 23 August 2022)

The Governance Committee's mandate is to advise and make recommendations to the Authority. The purpose of the Governance Committee is to:

Keep the Authority's corporate governance arrangements under review and make appropriate recommendations to ensure that the Authority's arrangements are, where appropriate, consistent with best practice corporate governance standards.

Lead the process for appointments ensuring plans are in place for the orderly succession to the Authority.

Review the balance, structure and composition of the Authority and its committees. Its role also encompasses the selection and appointment of the Authority's senior executive officers and voting members of the Authority and giving full consideration to succession planning and the skills and expertise required to lead and manage the Authority in the future.

The Governance Committee completed a recruitment process for new Authority members in February 2023 as part of its responsibility to ensure orderly succession and appropriate skills composition of the Authority. The new Authority members will be joining in May 2023.

Remuneration & Human Resources Committee (R&HR)

The voting members who comprise the R&HR Committee are:

Paul Routier MBE (Chair)

Jacob Kohnstamm

The Remuneration & Human Resources Committee is mandated to advise and make recommendations to the Authority, with the purpose of:

Assisting the Authority in ensuring that the Authority and Executive retain an appropriate structure, size and balance of skills to support the organisation's strategic outcomes and values.

Assisting the Authority in meeting its responsibilities regarding the determination, implementation and oversight of remuneration arrangements to enable the recruitment, motivation and retention of employees generally.

Overseeing arrangements for appointments (including recruitment processes) and succession planning.

Assisting the Authority by reviewing and making recommendations in respect of the remuneration policies and framework for all staff.

Each Sub-Committee Chair reports back to the Authority, making recommendations for consideration.

The following table sets out the number of full Authority and Sub-Committee meetings held during 2022 and the number of meetings attended by each voting Authority member.

| | Full Authority | Audit and Risk | Governance | Remuneration & Human Resources |
|---|---|---|---|---|
| Number of Meetings | 5 | 5 | 2 | 2 |
| Jacob Kohnstamm | 4 | - | 2 | 1 |
| Clarisse Girot (resigned from Authority 23 August 2022) | 2 | - | 2 | - |
| Helen Hatton | 4 | 4 | - | - |
| Gailina Liew (resigned from ARC 1 June 2022) | 5 | 3 | 2 | 1 (deputised for Chair) |
| Paul Routier MBE | 5 | - | - | 2 |
| David Smith | 5 | 5 | - | - |

2022 Authority Members Remuneration

The Authority voting members received, in aggregate, £64,343 in remuneration in 2022. Further details regarding the Authority voting member remuneration can be found at page 78.

Performance Evaluation and Re-appointments

The Governance Committee has established an Authority performance evaluation process which is based on an internal annual peer review of performance by voting members with an independent external review contemplated for every third year. The first internal review was performed last year.

The Governance Committee undertook an internal self-assessment in 2022 to survey the breadth of skills, knowledge and experience of Authority voting members. The Skills Matrix reflects a broad mix of skills, knowledge and experience across the primary areas of governance, sectoral skills and personal attributes that are appropriate for the Authority's mandate.

Diversity of The Authority

The six voting members of the Authority reflect a balance between male and female members, different nationalities, ranging in age from late 40s to early 70s, with a broad mix of formal education and professional qualifications including law, IT, sciences, business administration, education and teaching.

Principal and Emerging Risks

The Authority has a low appetite for risk. The Authority's primary obligation is to fulfil statutory responsibilities as the independent body promoting respect for private lives. The Authority's strategic outcomes support us in the fulfilment of our mandate.

The strategic outcomes are subject to a number of risks and uncertainties that could, either individually or in combination, affect the operational performance of our team.

We identify and manage these and other risks through our risk management framework which is based on our low appetite for risk.

Risks are overseen by the Audit and Risk Committee, who monitor risk movements and mitigating actions and relevance to the strategic outcomes. We continue to monitor political and legislative developments and assess the opportunities and threats to enable us to regulate effectively.

Risks are scrutinised via a scoring mechanism which is linked to likelihood and consequence.

Since our previous 2021 report our principal risks have been reviewed in light of the political situation in the Ukraine, the States Assembly elections in mid-2022, Authority succession planning and the current pressures on the financial economy here and in the UK.

The following table identifies the principal risks and mitigating actions. The risks are categorised into five main areas.

1 Legal and Regulatory

2 Operational

3 Governance

4 Strategic

5 Political

Summary of Principal Risks

| Risk Description | How we manage the risk |
|---|---|
| Internal compliance: failing to comply with the Data Protection Authority (Jersey) Law 2018 in terms of case management, process and reasonableness of decisions made. | Understand our compliance obligations and what this looks like on a practical level. Monitor how we implement and sustain our obligations. Put in place effective and ongoing training, staff feedback, internal audits and reviews. |
| Perception: industry and Government perception that our effectiveness as a regulator is based on our fining actions. | Maintaining consistent and compliant investigation, inquiry and audit processes. Enforcing appropriate and proportional enforcement sanctions. |

| Risk Description | How we manage the risk |
|---|---|
| Maintaining a capable and knowledgeable team. It is essential that the statutory functions of the Jersey Data Protection Authority are fulfilled to the highest standard to maintain credibility and trust. | Embedding succession planning throughout the organisation. Building skills and knowledge through personal and professional development. Ensuring Human Resources strategy aligns with our strategic outcomes. Striving for diversity and inclusion throughout our operational and HR activities. |
| Revenue. The revenue model is delivering sufficient monies to support the necessary activities of the Authority. Any changes in revenue streams from industry or Government funding could impact on our ability to fulfil our regulatory functions. | Monitor operational costs and revenues closely. Stakeholder relationships to gauge industry movements. |
| Asset management, software and hardware security. | Achieving proportionate and relevant accredited security standards. Testing, maintenance, asset replacement, training, Appointment of IT company and external Chief Information Security function on appropriate contract to support robustness of software and hardware. |
| Cyber threat and Information Security. The Authority recognises that it is a target for cyber threats. | Critical applications are only accessible through secure portals requiring layered authentication. We undertake Disaster Recovery exercises to test systems. We employ industry best practices as a fundamental part of our cyber security policies, processes, software and hardware. Cyber awareness training is ongoing within our team. |
| Change to AML Legislation and Administered entities in Jersey. Impact on number of entities operating in Jersey and potential reduction in registration fees. | This will be carefully monitored. |

| Risk Description | How we manage the risk |
|---|---|
| Authority succession planning and recruitment | Time sensitive recruitment of suitably experienced Authority members. |
| Stakeholder relationships if not maintained impact on potential loss of inclusion, credibility and reputation. | Plan stakeholder management. Review feedback. |

| Risk Description | How we manage the risk |
|---|---|
| Jersey Adequacy: it is essential that the island maintains its adequacy status with Europe to help protect data flows. | Ensure that we deliver the relevant activities to help Government maintain adequacy with Europe. Monitor effectiveness of the data protection laws. |
| Greater accessibility & availability of technology in all areas, impacts on ability to keep abreast of developing changes in personal information processing. Impact on detriment to the individual and reputation of JOIC. | Horizon Scanning. Recruit a Director of Regulatory Strategy. |
| Developing relevant management information on data protection trends. The absence of relevant and timely information impacts on service performance, informed decision making and relevant strategic outcomes. | Determine what information is needed. Consider most effective options for gathering information and tracking progress / improvement. Create baselines for most vital areas to track. Recruit a Director of Regulatory Strategy. |

| Risk Description | How we manage the risk |
|---|---|
| Maintaining constructive dialogue with the Department of the Economy. Changes in personnel and availability of key personnel impacts our working relationship. | Monitor relationship. Proactive approach to maintaining regular dialogue. |
| Government funding for Government data protection activities. | Frequent reviews. Provide activity data. Protecting our independence as a key priority. Reviewing grant and working agreement. |
| Potential Change of Minister: loss of continuity of work and projects. | Maintaining frequent and positive dialogue with GoJ |

Performance Report

The vision of the Authority is to create an Island culture whereby privacy becomes instinctive, with individuals and organisations taking a proactive approach to privacy and data protection which is part of daily activities and business planning. The Authority aims to achieve this by engaging with the Island community to embrace a collaborative and innovative approach to data protection whilst providing a leading-edge model to other, similar jurisdictions.

Our Strategic Outcomes

1 Achieving and maintaining the highest standard of data protection in Jersey

2 Maximising technological and economic opportunities to enhance the Island's reputation as a safe place to host personal data and do business

3 Protecting our future generations by putting children and young people first

All of our activities contribute to the delivery of our strategic outcomes. Our priorities are to ensure that Jersey achieves and maintains the highest standard of data protection.

The following pages review our compliance and enforcement activities in relation to our strategic outcomes. Our communications and outreach activities also contribute significantly to the outcomes and details of these activities are detailed from page 62 of this report.

The Authority will strive to promote the data protection rights of individuals, be they our local citizens or international stakeholders, through a practical and ethical approach to business practice and regulation that supports the delivery of public services and promotes the social and economic interests of the Island.

Personal information flows throughout every organisation, this may include special category data. Organisations would struggle to function or achieve their goals without personal data. Data Protection legislation is in place to help ensure, that all of us are provided with appropriate legal protections and remedies in today's highly digitised world. Data Protection holds organisations entrusted with personal information accountable, setting standards for how that information is used and as a last resort to provide a framework for enforcement where rules are breached.

The infographic shows the number of complaints and self-reported data breaches proportionally to the volume of sector registrations.

[Infographic: 6634 registrations by sector. Financial & Professional Services - 1889; Real Estate & Property Management - 912; Construction, Trades & Services - 702; Health & Wellbeing - 538; Leisure & Fitness / Hospitality / Tourism - 531; Manufacturing / Whole Sale - 448; Charities - 296; Social Clubs & Associations - 278; Professional Bodies - 270; Education - 221; Technology & Telecommunications - 213; Media & Communications - 139; Public Authority / Regulators - 123; Legal Services - 123; Agriculture & Fishing; Utilities & Delivery Services; Faith, Worship & Religion; Animal Husbandry & Welfare.]

Anne King, Operations Director

Jersey's economy is a blend of business activities, with over 3,000 people working in the Digital-Tech sector and this sector is growing. The Hospitality sector employs 5,000 people, the public sector is the largest single employer on the island, with over 7,000 public servants. The agriculture and fisheries sector employs over 1,800 people. The Retail sector employs over 7,500 (12%) people and Construction has over 5,500 employees. Finance is Jersey's largest industry, employing more than 13,500 people² representing 40% of Jersey's economic output³.

2  https://www.jerseyfinance.je/working-in-finance/#:~:text=Working%2 in%20Finance,a%20variety%20of%20different%20sectors

3  https://www.gov.je/LifeEvents/MovingToJersey/WhyChooseJersey/pages/businessandindustries.aspx


Complaints have gradually declined since 2019. As in 2021 we reported that this in part could be because individuals were not placing as much emphasis on data protection as life is beginning to feel normal again and partly because data controllers/processors are managing individual rights better, with many organisations being more aware of their data protection responsibilities and responding appropriately to subject access requests.

We believe data controllers/processors are potentially finding their feet with breach reporting understanding the thresholds for reporting and also hopefully less reportable breaches occurring.

The finance sector has reported 57 breaches in 2022; so as in previous years we have noted that within the finance and professional services sector there is a culture of compliance and reporting. This sector has reported high volumes of low-level breaches and this must be considered in light of the fact that this is an industry used to reporting requirements and that takes a pro-active approach to such matters.

Public Authorities across Jersey process huge volumes of personal data and whilst they represent only 2% of our data protection registrations, they represent 29% of our annual complaints in 2022 and 10% of our SRDBs. In 2021 public authorities represented 22% of the SRDBs, the number of complaints reported against public authorities has decreased by 9 in number, both of these decreases are welcome.

| Sector | Registrations (Count) | Registrations (%) | Request for Amicable Resolution (Count) | Request for Amicable Resolution (%) | Complaints (Count) | Complaints (%) | SRDB (Count) | SRDB (%) |
|---|---|---|---|---|---|---|---|---|
| TOTAL | 6934 | 100 | 25 | 100 | 58 | 100 | 188 | 100 |
| Agriculture & Fishing | 87 | 1% | 0 | 0% | 0 | 0% | 1 | 1% |
| Animal Husbandry & Welfare | 43 | 1% | 0 | 0% | 0 | 0% | 0 | 0% |
| Charities | 296 | 4% | 0 | 0% | 0 | 0% | 23 | 12% |
| Construction, Trades & Services | 702 | 10% | 0 | 0% | 0 | 0% | 5 | 3% |
| Education & Childcare | 221 | 3% | 0 | 0% | 2 | 3% | 11 | 6% |
| Faith, Worship & Religion | 43 | 1% | 0 | 0% | 0 | 0% | 0 | 0% |
| Financial & Professional Services | 1889 | 27% | 5 | 20% | 12 | 21% | 63 | 34% |
| Health & Wellbeing | 538 | 8% | 2 | 8% | 5 | 9% | 30 | 16% |
| Legal Services | 123 | 2% | 1 | 4% | 3 | 5% | 6 | 3% |
| Leisure & Fitness / Hospitality / Tourism / Travel / Entertainment | 531 | 8% | 0 | 0% | 2 | 3% | 6 | 3% |
| Manufacturing, Wholesale & Retail | 448 | 6% | 1 | 4% | 3 | 5% | 7 | 4% |
| Media, Communication & Advertising | 139 | 2% | 0 | 0% | 0 | 0% | 0 | 0% |
| Professional Bodies / Professional Associations / Professional Consultancy | 270 | 4% | 0 | 0% | 3 | 5% | 2 | 1% |
| Public Authority / Sector, Appointed Regulators & Statutory Bodies | 130 | 2% | 7 | 28% | 18 | 31% | 22 | 12% |
| Real Estate & Property Management | 912 | 13% | 1 | 4% | 0 | 0% | 2 | 1% |
| Social Clubs & Associations | 278 | 4% | 0 | 0% | 0 | 0% | 0 | 0% |
| Technology & Tele-communications | 213 | 3% | 1 | 4% | 5 | 9% | 5 | 3% |
| Utilities & Delivery Services | 71 | 1% | 0 | 0% | 0 | 0% | 5 | 3% |
| Sector not found. (CCTV issues not aligned to an industry sector) | - | - | 7 | 28% | 5 | 9% | - | 1 |

The Authority is bound by the Law to investigate complaints and SRDBs. The DPAJL provides the Authority with significant fining and enforcement powers and we are pleased to report that in Jersey none of the cases investigated by our office and involving non-public authority controllers warranted the issuing of an administrative fine.

The DPAJL is very prescriptive in terms of the threshold for fining, and so far, we have not had a case that has met those criteria. Jersey does not have the large corporations which we have seen subjected to fines from Data Protection Authorities in other jurisdictions.

The Authority is an independent regulator and will only impose fines where proportionate and having had regard to the matters it must consider, as set out in the DPAJL, Art.26(2). We always undertake a thorough investigation and/or inquiry process, as detailed in the DPAJL. (The process is detailed on page 43). We are specifically prohibited from issuing administrative fines against public authorities.

During the course of 2022, the Authority issued one Public Statement reflecting the fact that the Children's Services Department, Government of Jersey⁴ contravened Art.8(1)(f) and Art.20(1) of the DPJL, in that on two occasions it failed to comply with the integrity and confidentiality principle and ensure that they had appropriate technological and organisational measures in place to ensure the security of the data it processes and also that it failed to notify the Authority of a personal data breach in the requisite timeframe. The contraventions occurred during a virtual meeting whereby some family members remained on the call when their access should have ended as part of the Child Protection meeting was intended to discuss certain sensitive matters in the absence of the child's family members.⁵

5  https://jerseyoic.org/news-articles/public-statements/public-statement-february-2022/

[Chart: complaints and self-reported data breaches per year, 2018 to 2022.]

We are very pleased that following the introduction of our Amicable Resolution process, three quarters of cases were resolved informally, providing a personal resolution process affording greater flexibility for both the data controller/processor and the data subject. Less than one third of the amicable resolution cases tipped into a formal complaint as we were unable to mediate between the two parties successfully.


| AMICABLE RESOLUTION REQUESTS IN 2022 BY DISPUTE TYPE | 2022 |
|---|---|
| Direct marketing | |
| I asked for access to/copies of my personal information and I've not received it/they have withheld it from me | 8 |
| I asked for my information to be rectified/erased/sent to another controller and my request has been refused | 1 |
| I don't think my personal data is being/has been kept safe | 3 |
| My information has been shared and it shouldn't have been | 7 |
| Someone has collected my personal data, but I didn't give it to them | 2 |
| Uncategorised at time of submission | 3 |
| TOTAL | 25 |

| COMPLAINT TYPES OPENED IN 2022 | 2022 |
|---|---|
| Direct marketing | |
| I asked for access to/copies of my personal information and I've not received it/they have withheld it from me | 15 |
| I asked for my information to be rectified/erased/sent to another controller and my request has been refused | 5 |
| I don't think my personal data is being/has been kept safe | 4 |
| My information has been shared and it shouldn't have been | 18 |
| Other | 4 |
| Someone has collected my personal data, but I didn't give it to them | 2 |
| Uncategorised at time of submission | 9 |
| TOTAL | 58 |

We opened one inquiry following a complaint however upon further review the inquiry was not progressed as it was deemed disproportionate and unnecessary.


The 58 complaints resulted in a combination of reprimands, orders and words of advice. Over half of complaints received result in a determination detailing the contravention of the DPJL.

As stated earlier in this report, our vision is to create an Island culture whereby privacy becomes instinctive with individuals and organisations taking a proactive approach to privacy and data protection by it being embedded throughout their daily activities and business planning. In striving to achieve this we pride ourselves on making every touch point with a complainant, an enquirer, an organisation reporting a breach or a registration enquiry, an informative and positive experience aimed at fostering a constructive and educational relationship. We also facilitate learning and information exchange, helping us to understand the challenges faced by industry and the frustrations faced by complainants.

That said, we will not shy away from exercising our enforcement powers where warranted, or where the organisation at fault has demonstrated wilful neglect or a repeated pattern of behaviour.

2022 Case Data

The JOIC receive a broad range of contacts. We classify them into the following categories:

ENQUIRIES

These range from simple questions regarding our location and career opportunities to the more complex questions around guidance matters.

COMPLAINTS

Complaints are received from individuals concerned about the use of their personal information, non-response to a subject access request or other rights which have not been fulfilled.

SELF REPORTED DATA BREACHES

Under the DPJL, data controllers are required to report certain breaches to the JOIC within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to the rights and freedoms of the individual.

FREEDOM OF INFORMATION

Enquiries exploring if there are grounds for an appeal or for further guidance.

FREEDOM OF INFORMATION

Appeals. An applicant who is dissatisfied with a response to a request for information from a public authority may appeal to the Information Commissioner.

Schedule 4 of the DPAJL details the process of Enforcement by the Authority in the event it receives a complaint (which can lead to a formal investigation) or conducts an inquiry.

[Graphic: 2022 case volumes. Complaints 58; Consultation Review 4; Enquiries - Data Protection 99; FOI Enquiry 1; FOI Appeal 1; Inquiry 1; Request for Amicable Resolution 25; Self-Reported Data Breaches 188; Total 374.]


The volume and type of cases undertaken by, and submitted to, the Authority are consistent with the pattern of activity over the years since the introduction of the DPJL. The Authority presents this report to demonstrate that we handle each complaint, breach and enquiry with fairness, consistency and respect.

| Year | Complaints |
|---|---|
| 2022 | 58 |
| 2021 | 90 |
| 2020 | 140 |
| 2019 | 145 |
| 2018 | 184 |
| 2017 | 55 |

The above table shows the number of complaints received by the JOIC over the last six years.

Article 19 of the DPAJL summarises the parameters of the Right to make a complaint:

An individual may make a complaint in writing to the Authority in a form approved by the Authority if

  1. the individual considers that a controller or processor has contravened or is likely to contravene the Data Protection Law; and
  2. the contravention involves or affects, or is likely to involve or affect, any right in respect of personal data relating to the individual.

Individuals complain to our office about their concerns in relation to the processing and use of their personal information.

Each complaint and self-reported data breach (SRDB) is evaluated using a standard framework as set out in Part 4 of the Data Protection Authority (Jersey) Law 2018


Investigation

Each complaint and SRDB is evaluated using a standard framework as set out in Part 4 of the DPAJL. The JOIC will also use this framework to conduct an Inquiry on its own initiative into a likely contravention of the DPAJL, which we may learn about from a whistle-blower or by observing a behaviour relating to the use of personal information by an organisation. The investigation will identify if there has been a contravention of the Law.

Upon receipt, each complaint and self-reported data breach is evaluated to determine whether or not to investigate or conduct an inquiry, as appropriate. The Authority undertakes this evaluation as soon as is practicable and in any event within eight weeks for complaints and as soon as possible for self-reported data breaches.

In the case of a complaint, once the initial evaluation has taken place, the complainant is advised in writing whether or not a formal investigation will take place. The complainant has a 28-day window of appeal at this stage if the Authority decides it would not be appropriate to carry out a formal investigation and it may reject complaints if they fulfil certain criteria set out in the Law.

Once the investigation is underway the JOIC provide updates at least every 12 weeks. The investigation must conclude whether the Law has been contravened (Article 23 of the DPAJL) and, if so, must decide whether or not to impose any formal sanction (although it does not have to do so). The JOIC will then notify the data controller or data processor of the proposed determination which sets out the findings and includes details of any sanctions it is minded to impose, and they are afforded 28 days to provide any representations on those draft findings and/or sanctions.

The JOIC must take into account any representations made before issuing its final determination which will be sent to the data controller or data processor and to the complainant. Both parties have a 28-day period to appeal that final determination to the Royal Court of Jersey.

The above process is almost identical in terms of an inquiry although such obviously does not involve a data subject in the same way.

As part of our formal investigation and inquiry process, we have the power to issue a formal Information Notice to compel the production of information and the recipient will usually have 28 days to respond.

In the majority of cases such correspondence is requested and responded to directly by email. This is generally quicker and more efficient as most controllers are willing to cooperate fully with the investigation. This often makes for a good relationship between JOIC and the organisation we are investigating.

We would make use of the more formal information notice where we were experiencing resistance from a controller to provide us with the information requested.

Matrix (investigation and inquiry flowchart):

Inquiry / Complaint

8 weeks to decide if we are investigating.

No Investigation

Notice to Complainant that we are NOT investigating

Notice to Controller and Complainant that we ARE investigating/carrying out inquiry

Request additional information within 10 days

Updates every 12 weeks. Controller / Processor / Complainant

Contravention of the DPJL 2018? No / Yes

Art. 23 Proposed Determination

Including any orders or sanctions to Controller

28 Days to Submit Representations

Art. 28 Notice to Controller / Processor / Complainant

Final Determination

To: Controller / Processor / Complainant

Both Parties have 28 days to appeal

Public Statement

2022 Case Outcomes

The JOIC's Regulatory Action and Enforcement Policy[6], introduced in 2020, supports the Authority's Strategic Outcomes as detailed above and in the JOIC Business Plan.

This policy seeks to promote the best protection for personal data without compromising the ability of businesses to operate and innovate in the digital age. It helps to engender trust and build public confidence in how Jersey's public authorities manage personal data.

This policy is based on five key principles:

1 Proportionality

2 Targeted

3 Accountability

4 Consistency

5 Transparency

Authority Sanctions

The Authority has several tools in its enforcement suite, namely:

Reprimand

Warning

Orders

Public Statement

Administrative Fine

Reprimand

This is a formal acknowledgment that an organisation has done something wrong and is being rebuked for its conduct. This remains on the record of an organisation and could be considered if further incidents occur in the future. Generally, reprimands are issued in tandem with certain other orders, but this is not always the case. For example, whilst there may have been a technical contravention of the Law for which the organisation was responsible, they might have taken steps to put things right and rectify the issues that contributed to the contravention and a formal rebuke may suffice.

Warning

We may issue a Warning when the Authority considers that any intended processing or other act or omission is likely to contravene the Law. A Warning is designed to avoid such a contravention.

We have not had occasion to issue any warnings.

Orders

The Authority can make a variety of Orders but we make sure these are proportionate to the actual contravention. During 2022, the Authority issued a range of orders including:

Ordering a controller to provide certain staff members with appropriate training and to report back to the Authority within a stipulated timeframe, confirming that training had been provided, who it had been provided to and with a copy of the course materials, this for review by the Authority.

Directing that a controller should respond to a previously unanswered subject access request within a certain timeframe (including providing previously withheld information).

Directing that a controller properly actions a request for rectification, including giving notice to third parties previously in receipt of inaccurate information / information it should not have received.

Keeping a controller under effective supervision for a period of time whilst they update certain policies, procedures and IT systems and requiring an update report at the end of that period.

Public Statement

As with everything it does, the Authority approaches the issuing of Public Statements on a proportionate basis and will only issue a Public Statement where, because of the gravity of the matter or for other exceptional reason, it would be in the public interest to do so. It does not report on every formal action taken because that is not what the Law provides for and the Authority reserves this power for the most serious cases.

Administrative Fines

The DPAJL provides for substantive administrative fines and sanctions for contraventions of the Law, but it is our intention to use these as a position of last resort.

In determining whether to impose an administrative fine in accordance with Article 26 of the Law, the Authority will consider:

The nature, gravity and duration of the contravention.

Whether the contravention was intentional or neglectful.

The action taken by the controller or processor to mitigate the loss or damage, or distress suffered.

The degree of responsibility of the person concerned and the technical and organisational measure implemented for the purposes of data protection.

Previous contraventions.

The degree of cooperation with the Authority.

The categories of personal data.

In issuing a fine, the Authority will consider the need for it to be effective and proportionate, as well as to have a deterrent effect. To date it has not had to issue any fines.

Information Notices

As part of our investigation process and powers under Schedule 1 of the DPAJL, we have the power to issue an organisation with an Information Notice. This imposes a legal requirement to provide us with any information we consider necessary to assist us in any investigation or inquiry.

An Information Notice requires we give the data controller 28 days to provide the requisite information. This is a lengthy and formal process.

Often upon receipt and analysis of the requested information, we have further questions which results in a follow up Information Notice. It will be clear that such exchanges can take a number of months.

Therefore, we tend to use the Information Notice for the more complex/serious cases or where there is reluctance from a data controller to engage with us at an early stage.

Breach Reporting

Under the DPJL in the case of a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach in writing to the Authority (Article 20). In relation to breaches we also have an obligation under Art 11 (1) (e) of the DPAJL "to promote the awareness of controllers and processors of their obligations under this Law and the Data Protection Law".

2022 Self Reported Data Breaches Opened - Shown by Organisation Type:

188 Cases Opened

Financial & Professional Services - 57 (30.3%)

Health & Wellbeing - 27 (14.4%)

Charities - 23 (12.2%)

Public Authority / Regulators - 18 (9.6%)

Sector not found - 16 (8.5%)

Education - 8 (4.3%)

Manufacturing / Whole Sale - 7 (3.7%)

Legal Services - 6 (3.2%)

Leisure & Fitness / Hospitality / Tourism - 6 (3.2%)

Technology & Telecommunications - 5 (2.7%)

Professional Bodies

Utilities & Delivery Services

Real Estate & Property Management

Social Clubs & Associations

Agriculture & Fishing

Investigating self-reported data breaches represented 50% of our Compliance and Enforcement caseload during 2022. In 2021 self-reported data breaches made up 48% and 27% in 2020.

The chart above highlights 30% of the breaches reported to us were from the financial and professional services sector. It should be noted that this sector has a culture of reporting and monitoring breaches throughout their activities.

From our records it is evident that just under half of the reported breaches were unlikely to result in a risk to the rights and freedoms of natural persons. However, we are not discouraging organisations from reporting breaches as this enables us to understand the breach landscape in Jersey to help shape our guidance and advice.


Most reported breaches do not warrant the conducting of a formal regulatory response and/ or the imposition of a formal sanction. However, the Authority may impose an administrative fine in a case of deliberate, wilful, negligent, repeated or particularly harmful non-compliance. It is important to note that failing to report a breach, where required, could result in a severe penalty.

As previously noted, we take every opportunity to educate and support the organisation reporting a breach. Breaches can be traumatic for organisations to manage and can carry serious reputational damage. The JOIC team works sympathetically, yet professionally, when responding to breach reports.

Types of Breaches Reported in 2022

Alteration 1

Destruction 1

Lack of availability / access 5

Loss 4

Unauthorised access 46

Unauthorised disclosure 131

TOTAL 188


Of the breaches reported in 2022, one resulted in a formal inquiry and a determination that there had been a contravention of the DPJL.

Of the remaining self-reported data breaches, many did not cross the threshold for reporting to the Authority and were of a minor nature. Once reported, the Authority makes enquiries of the data controller to obtain a full picture of the breach that has occurred, and what steps have been taken by the organisation to deal with the breach and, where appropriate, stop similar occurrences in the future.

Specifically:

131 self-reported data breaches were due to unauthorised disclosure (emails sent in error) but in all circumstances, the breaches were appropriately mitigated, presenting no risk to the data subject.

Of the remaining 57 incidents there were a number of different issues including malware, phishing attack, lost data and other processes leading to breaches. In all circumstances, the breaches were appropriately mitigated, presenting no risk to the data subject.


Enforcement Audits

Enforcement audits contribute to our Strategic Outcome - "Achieving and maintaining the highest standard of data protection in Jersey". During 2022 we significantly enhanced our audit capability, following our investment in audit software, team recruitment and bespoke training.

Undertaking compliance audits is a detailed and resource intensive activity. The primary purpose of an enforcement audit is to provide the Authority with an insight into the extent to which the audited entities are complying with the particular areas audited and highlight any deficient areas in their compliance. The Authority will be executing risk-based enforcement audits, commencing with a desk-top approach and if necessary, developing into a face-to-face audit. We will also be undertaking remedial audits to track progress and the effectiveness of implementing the recommendations.

Article 22 (7) of the DPAJL details our "power to conduct or require data protection audits".

  1. The Authority may
     (a) conduct a data protection audit of any part of the operations of the controller or processor; or
     (b) require the controller or processor to appoint a person approved by the Authority to
         (i) conduct a data protection audit of any part of the operations of the controller or processor, and
         (ii) report the findings of the audit to the Authority.
  2. The Authority must specify the terms of reference of any audit carried out under sub-paragraph (1).
  3. The controller or processor concerned must pay for an audit required under sub-paragraph (1)(b).

Thus prior to undertaking compliance audits of any nature we are required to carefully consider and document the audit terms of reference.

Annual Report of Freedom of Information Activities

The Freedom of Information (Jersey) Law 2011

The Information Commissioner and the team at JOIC is solely responsible for FOI under the law. The JOIC team is trained to fulfil the mandates of both FOI and data protection laws.

The FOI Law provides the public with a legal right for individuals to request access to, and be provided with, information held by Scheduled Public Authorities (SPAs).

This covers information recorded in any form held by a SPA and includes printed documents, computer files, letters, emails, photographs, and sound or video recordings. SPAs covered by the FOI Law include Government of Jersey departments, Parishes, States of Jersey Police and Andium Homes.

The aim of the FOI Law is to promote a culture of openness and transparency across the public sector, improve accountability and promote good governance by providing individuals with a better understanding of how SPAs carry out their duties, make the decisions they do and spend public funds.

The FOI Law does not give individuals a right of access to their own personal data because this right is available under the DPJL.

Our role in regulating the FOI Law includes the following functions:

To encourage public authorities to follow good practice in their implementation of this law and the supply of information.

To supply the public with information about the Law.

To deal with appeals.

An applicant who is dissatisfied with a decision of a SPA in responding to their request may, within six weeks of the notice of that decision being given or within six weeks of the date the applicant has exhausted any complaints procedure provided by the SPA, appeal to the Information Commissioner on the basis that the decision of the SPA was not reasonable.

The Information Commissioner must decide the appeal as soon as is practicable but may decide not to do so if satisfied that:

The applicant has not exhausted any complaints procedure provided by the Scheduled Public Authority.

There has been undue delay in making the appeal.

The appeal is frivolous or vexatious; or

The appeal has been withdrawn, abandoned or previously determined by the Information Commissioner.

The Information Commissioner must serve a notice of his or her decision in respect of the appeal on the applicant and on the SPA. This is done by way of a formal Decision Notice that will set out:

The Commissioner's decision and, without revealing the information requested, the reasons for the decision; and

The right of appeal to the Royal Court conferred by Article 47.

In each case, the Commissioner conducts a formal appeal process adhering to the principles of administrative fairness and the laws of natural justice. Both sides are provided with an opportunity to make formal written submissions in support of their position. The Commissioner presumes that when making its submissions, each party is providing their full and complete arguments and all relevant evidence in support.

The Commissioner issues a Decision Notice based on the submissions of the parties, the precise wording of the legislation and any relevant case law. The decision is objective and includes adequate reasons. If a party is dissatisfied with the Decision Notice, the only avenue of appeal is to the Royal Court. The Royal Court may review the Commissioner's decision to determine whether it was reasonable.

The Commissioner's team also provides informal advice and assistance to both members of the public and SPA prior to any formal appeal.

Operational Performance and Appeals

The Central Freedom of Information Unit of the Government of Jersey reported that it received 843 valid FoI requests during 2022.

Freedom of Information Statistics

| Department | 2020 | 2021 | 2022 |
| --- | --- | --- | --- |
| Office of the Chief Executive | 100 | 74 | 65 |
| Infrastructure, Housing & Environment | 157 | 180 | 115 |
| Children, Young People, Education and Skills | 71 | 70 | 48 |
| Health and Community Services | 173 | 216 | 179 |
| Justice and Home Affairs | 74 | 123 | 48 |
| Judicial Greffe | 14 | 18 | 14 |
| Customer and Local Services | 31 | 91 | 73 |
| States Greffe | 21 | 24 | 16 |
| States of Jersey Police | 62 | 81 | 58 |
| Treasury and Exchequer | 48 | 67 | 58 |
| Strategic Policy, Planning and Performance | 36 | 101 | 85 |
| Chief Operating Office | 93 | 85 | 84 |
| Total | 880 | 1130 | 843 |

The total number of valid FoI requests decreased from 933 in 2019 to 880 in 2020. The numbers increased to 1,130 in 2021.

Requestor Types 2022

Repeat Individual - 48%

Individual - 38%

Media - 9%

Commercial / Business - 3%

Charity / Lobby Group - 1%

Law Firm - 1%

Individual Researcher / Student - 1%

The table below highlights the number of appeals received by the JOIC.

2022 1

2021 0

2020 7

2019 4

2018 4

2017 4

2016 1

2015 4

As of 31 December 2022, there was one active appeal under review.

Significant 2022 Decision Notices

The general themes for freedom of information requests in 2022 related to health treatment and services, public sector staffing and costs and government administration.

Health Treatment and Services

The majority of Health treatment and services requests related to patient and case numbers of various health conditions, together with waiting list figures and bed numbers.

Government Administration

Requests were received requiring information on data and figures together with copies of minutes and reports on a wide range of topics ranging from the Our Hospital project to details of meetings and overseas trips undertaken by the then Chief Minister.

Public Sector Staffing and Costs

Generally, requests were made for information relating to numbers of staff and contracts, including the figures for the number of consultants employed and related costs.

Environmental, Social and Governance (ESG)

The three central factors in measuring the sustainability and societal impact of a company or business.

"Sustainability is development that meets the needs of the present without compromising the ability of future generations to meet their own needs".

Protecting the environment is one of our priorities, and we are a member of the Government of Jersey's "Eco Active Business Network". This is an environmental management scheme for organisations on the island.

The Authority continues to be committed to:

1 Improving efficiency in the use of energy

2 Demonstrating compliance with environmental legislation

3 Reducing waste

4 Reducing the risk of causing pollution or other damage to the environment

We achieve this by:

Having an Eco-active champion within our office, to drive action and change.

Conducting regular reviews and office walk arounds, to identify where energy can be saved.

Encouraging staff to consider new ways to manage environmental impact.

swHpaliaatnvccidheni gcnaogcemrnooemfsfrs ugcoyon umasrla p evwuiqontuergkir plspim,glamhectoneinnt agiatn toidnr s the end of each day.

Recycling kitchen and office items whenever possible.

Using recycled printer paper wherever possible.

Conducting cleans at Island beaches.

Car sharing whenever possible.

Encouraging staff to improve their energy awareness at home as well as work.

Outreach and Communications

Sarah Moorhouse

Communications Lead

Increasing engagement with organisations, strengthening stakeholder relationships and empowering Islanders of all ages to manage their personal information and privacy was the priority for our Communications and Outreach, Community Education and Outreach activities during 2022.

Commitment to Organisations

Let's Go DPO!

In line with our strategic outcome to achieve and maintain the highest standard of data protection in Jersey, a key area for development throughout 2022 was to grow our "Let's Go DPO" support network. Launched in Autumn 2021 to provide Data Protection Officers (DPOs) and Leads in our island the chance to network, identify and explore common experiences and engage with our office in a safe and confidential environment, membership has doubled since the network's launch and members have shared that they find the platform that provides for the sharing of guidance and experience, extremely useful. Topics throughout 2022 ranged from asking DPOs about the nature and level of support and guidance that would help them in their roles to hearing more about our policies and processes.

Other workshops included hearing from a network member about their organisation's experience of a data breach to another member leading a session about the challenges they experience in an advisory role to data controllers, as well as the challenges of interpreting the DPJL. The network's purpose is to promote compliance and awareness of the law and demonstrate our commitment to providing support to local DPOs and Leads by offering the opportunity for discussion and to contribute to our office's development initiatives and other guidance, where appropriate.

"I find the support at the Let's Go DPO sessions really helpful. As a new member to the network, it has been extremely beneficial to be able to learn from the regulator and fellow network members and share experiences in an open, transparent and safe environment at regular times throughout the year. I thank the JOIC team for their time and guidance at the sessions."

Navigating Risk at Board Level

In order to further strive to achieve and maintain the highest standard of data protection in Jersey, the promotion of our Board Support Squad was a priority throughout 2022. Following that promotion, every organisation that enquired about our Board Support Service, took up the opportunity for a senior member of our team to visit their Board, in their own environment, to help them navigate data protection landscape, risks and responsibilities. The aim of our Board Support Squad is to ensure data protection is a key consideration at Board level and high on the agenda, across Jersey organisations. Feedback throughout 2022 confirms our office is succeeding in increasing understanding of data protection risk and responsibility, through this initiative.

"In a safe environment, our Board learnt about the work of the JOIC and effectively have 1:1 rapport on any issues or concerns, whilst providing the opportunity to the JOIC to learn a little more about our business from those running it and the data protection nuances that it all presents."

Outreach and Awareness Campaigns


A focus for 2022 was a specific campaign to support small businesses in Jersey. This involved creating a guide for Small to Medium Enterprises to assist them with their data protection obligations, as well as launching a Small Organisation Self-Assessment tool on our website.

Ahead of the Jersey Election 2022, our office created specific guidance for candidates standing for election to support them in navigating their data protection responsibilities and representatives from our Compliance and Enforcement Team attended the Election Candidate Forum held at Jersey's Town Hall, to further provide guidance and assistance.

Boosting brand awareness on social media was a priority for 2022. Social media campaigns included links to data protection guidance and tips and advice about how to safeguard personal information when using social media. We also published content about our JOIC culture and values to inform organisations and citizens about the way our office operates.


To celebrate the fourth anniversary of the DPJL, we promoted our toolkits for small, medium and large organisations. Children's Day in July provided the opportunity to further highlight our video "Your Privacy a Price Worth Paying" which features children questioning how their personal information is handled.

We ran two radio campaigns on local commercial radio during 2022. The first focused on the importance of protecting personal information and privacy and the second focused on helping organisations to become "data protection confident".

Other campaigns focused on empowering Islanders by raising awareness of personal information rights and the importance of thinking twice before sharing personal information, in person or online.

Events

Our JOIC events programme for 2022 included guidance sessions, workshops, drop-in sessions and seminars to guide organisations with their data protection obligations and inform individuals about their individual rights. Sessions ranged from "Employee Data How much is too much?" to "Let's Go DPO" sessions and an "Introduction to Data Protection for Individuals", which explained more about our role promoting individual rights and gave guests the opportunity to ask questions about how to exercise their rights, in an informal setting.

Data Protection Day events for 2022 were held online (due to the Covid-19 pandemic), and guests were invited to join our Compliance and Enforcement Manager and Operations Director at our webinar titled "Covid Vaccination Certificate What, How, When?" to discuss privacy and transparency. Islanders were also invited to join the Information Commissioner as he outlined where Jersey features on the international stage.

Young Privacy Ambassador Programme

Our Young Privacy Ambassador Programme continued in Island secondary schools and colleges throughout 2022, as part of our commitment to protect our future generations by "putting children first".

The programme was developed to encourage young people to challenge their considerations of privacy and sessions were delivered in a variety of formats including classroom learning, assemblies and workshops. Topics ranged from what is personal information and how can it be protected to Individual Rights and the Principles of the Data Protection (Jersey) Law 2018.

It's All About You Survey

During April 2022, we repeated our "It's All About You" survey to further explore islanders' views about data protection and privacy and for 2022, we were interested to learn whether the global pandemic changed islanders' awareness of how their personal information was being moved around and/or shared.

The 2022 survey generated 10% more responses than the previous year. The results of the 2022 survey highlighted a heightened awareness of the importance of data protection and data privacy, an increased awareness of the role of our office and a greater understanding of individual rights. We were encouraged to find islanders want to learn more about the importance of data protection of personal data.

Notable points gleaned from the survey included:

Islanders have a greater understanding of their rights under local legislation

For the 2022 survey, 41% of respondents stated they had either a very good or good understanding of their individual rights compared to 35% that responded in 2021.

Islanders are placing increasing importance on securing their personal data

When asked how important it was for companies to keep their data safe and secure; in 2021 81% of respondents said it was very important. That rose to 88% in 2022, suggesting a larger number of people are prioritising the security of their personal information.

Islanders understand the importance of protecting special category data

The 2022 survey saw a 12% increase from 2021 in respondents stating they would be very concerned if their genetic data was compromised, while health data saw a 13% increase. When asked how concerned they would be about any kind of special category data being compromised, all results revealed an increase from the 2021 survey.

The JOIC's role is becoming more evident

When asked how familiar they were with the role of the JOIC, 21% of respondents stated they were very aware compared to 14% in 2021. This suggests islanders have a greater understanding of the role the independent regulator plays in promoting protection of their personal information and supporting organisations to follow good data protection practices.

Islanders are more curious about who has access to their personal information

We asked a new question in this year's survey about whether the Covid pandemic had raised islanders' awareness of how much their personal information was being moved around or shared. 54% of respondents said they were made more aware or slightly more aware of who might have access to their personal information.

Social Media and Blogs

A priority for 2022 was to create a range of simple solutions aimed at how to manage social media privacy. Simple, practical videos were developed to help citizens of all ages to better understand and proactively manage and review their privacy settings on social media platforms Facebook, Instagram, TikTok and YouTube and stay in control of their personal information. Hosted on our website, the videos were shared on social media to maximise their reach.

Blogs this year included a focus on privacy and sustainability, exploring data breaches and security awareness, and "Demystifying Article 12 - the importance of transparency". Another area explored was Privacy Washing, discussing why commitment to data protection has to be more than lip service. During the summer months, we published tips for taking care of personal data when travelling abroad, such as thinking twice before using public Wi-Fi and sharing personal information on social media.

"It can be so hard to know where to start when it comes to managing my privacy settings. These simple videos from the JOIC offer tips and guidance and make me feel more in control of my personal information"



Media and Public Relations

Media releases issued during 2022 included "Commissioner launches survey to explore the Island's views on Data Privacy" to "Jersey's Information Commissioner selected to serve on International Stage". We continue to liaise with local media organisations in order to promote the work of our office and raise awareness of our key messages. Coverage in Jersey publications included our Ask the Commissioner feature in the Jersey Evening Post which included the item "Don't pay with your personal details - online shopping and protecting your personal data" and "Demystifying Article 12 - Don't cloud over the importance of transparency". Pan-Island magazine Business Brief featured our article exploring the relationship between personal data and prejudice, as well as a guide to our Board Support Squad support service. Other published articles included guidance about how to help reduce data protection and cyber risk and information for business owners about how to protect the personal information of customers and staff.

The Information Commissioner featured in a local leadership publication, a collaboration between Leadership Jersey and the Jersey Evening Post. We also informed local media of the Information Commissioner's selection to serve as a member of the Executive Committee of the Global Privacy Assembly.

Local Stakeholder Engagement and Collaboration

In line with our strategic outcomes, stakeholder engagement and collaboration was an integral part of our Outreach and Communications plan for 2022, as our office liaised with local organisations to raise awareness about the importance of data protection compliance.

We are members of, and the Commissioner is proud to Co-Chair, the Jersey Regulators Forum, which includes the Channel Islands Financial Ombudsman, Jersey Financial Services Commission, Jersey Competition Regulatory Authority, Children's Commissioner for Jersey, Jersey Care Commission, Jersey Gambling Commission and Trading Standards.

JOIC is pleased to be part of the Jersey Cyber Security Task Force and the Jersey Fraud Prevention Forum, a group of Jersey agencies that work together to coordinate a strategic approach to protect Jersey citizens from frauds and scams. Our team members represented the Jersey Fraud Prevention Forum at Island events and supported with promotional campaigns such as romance fraud awareness and International Fraud Awareness Week, as part of the Forum's community first ethos.

We were proud to support CERT.JE during Cyber Security Awareness Month in October 2022 by being part of a cyber incident response advisory panel for local businesses, directors, NEDs, charities and voluntary groups. We were further pleased to collaborate with CERT.JE when we collaborated with them to hold a Data Protection and Cyber Security Workshop titled "Essential, simple steps for keeping your business data safe".

"JOIC's recent workshop provided clear guidance, helpful resources and handy tips for sports organisations to improve their knowledge and implement practically within their setting"

We are also pleased to be working with Digital Jersey, a government-supported economic development agency, to establish and launch the world's first data trust for the common good based on the Jersey trust law framework. This initiative has led to the creation of the Authority's regulatory sandbox to test and learn about the data protection implications of applying Jersey's trust law to treat data assets such as rights of access as trust assets. With government, commercial service providers and professional trustees included as key stakeholders, the Authority has taken a leading step to support the development of privacy-led data stewardship models and services and we are looking forward to reporting on our progress in the years ahead as this pilot scheme gains momentum.

Jersey chosen as host nation for Global Privacy Assembly Annual Meeting 2024

As a small island nation, our office was proud and honoured to learn, in the final quarter of 2022, that we have been selected to host the GPA Annual Meeting for 2024.

The Global Privacy Assembly is considered the premier global forum for data protection and privacy authorities and seeks to provide leadership in data protection and privacy at international level. It does this by connecting the efforts of more than 130 data protection and privacy authorities from across the globe.

The selection to host the GPA Annual Meeting 2024 will see our office take a lead role in supporting the Global Privacy Assembly with its vision to provide an environment in which privacy and data protection authorities worldwide can practically fulfil their mandates, both individually and by working together, to ensure high standards of data protection globally and promote and facilitate effective regulatory cooperation.

JOIC's own strategic outcomes are closely aligned to the continued work of the Global Privacy Assembly in advancing global privacy in an age of accelerated digitalisation, maximising the voice of the GPA, particularly in terms of the broader digital policy, and building the capacity of the GPA and its members. When hosting the Global Privacy Assembly Annual Meeting, we intend to contribute our voice and leadership to furthering those critically important discussions and policy areas.

The Commissioner was delighted to attend and contribute to the Global Privacy Assembly Annual Meeting 2022 which took place in Istanbul, Turkey during October 2022, via video link. Our Operations Director Anne King was delighted to represent our office, in person. The Commissioner was proud to deliver his acceptance speech to the Executive Committee of the Global Privacy Assembly, as well as a Data Sharing Working Group update speech to the conference and a Sustainable Goals and Key Achievements speech at a conference side event

Information Commissioner selected to serve as Member of Global Privacy Assembly Executive Committee

It was a further honour for the Information Commissioner to be invited to join the Executive Committee of the Global Privacy Assembly during the final Quarter of 2022. Despite Jersey's small size, our office faces many of the same challenges faced by larger Data Protection Authorities, particularly in relation to applying the law to emerging technologies, increasing the levels of awareness of data protection rights amongst the general public, and playing our part in the preservation of democracy in the Island.

The Commissioner's appointment recognises the work of the JOIC both locally and internationally, with Jersey becoming one of only a small number of data protection and privacy authorities around the world to be selected to serve as a member of the Executive Committee.

Our office has been a member of the GPA, and its prequel body since 2005. In recent years we have become more actively involved in GPA activities, with representation on a number of GPA Working Groups.

National and International Working Groups

We continue to use our resources effectively and regularly assess what can be learned from local, national and international collaboration, to benefit Jersey.

We contribute to the Global Privacy Enforcement Network, a network of privacy enforcement authorities, to discuss the practical aspects of privacy law enforcement co-operation, share best practice and support joint enforcement initiatives and awareness campaigns. We are also delighted to remain a member of the BIIDPA, the British, Irish and Islands Data Protection Authorities, an informal regional network of privacy commissioners that meets annually, with open collaboration throughout the year.

The Information Commissioner is proud to chair the GPA Data Sharing for Public Good Working Group and our office contributes to the GPA International Enforcement Working Group, which sees members discuss emerging privacy and enforcement matters of global impact and explore collaborative opportunities. JOIC's senior leadership team attends the GPA Digital Economy Working Group as part of the stakeholder workstream and is proud to be part of the GPA Digital Education Working Group and the GPA Digital Citizen and Consumer Working Group which aim to promote digital education and seek to support a global regulatory environment with consistently high standards of data protection, as digitalisation continues at pace, respectively.

Our senior team also attend and contribute to conferences and seminars run by the International Association of Privacy Professionals and the International Conference of Information Commissioners.

Remuneration and Staff Report

Sam Duffy, HR and Learning Consultant

Context

During 2022 unemployment levels in Jersey dropped and skill shortages continued to rise. Many local businesses, including JOIC, were still dealing with challenges following the pandemic and before that, Brexit. Rising inflation, talent shortages, adapting working practices and supporting employees in a variety of new ways, were just a few of the ways in which recent events had impacted local business and the economy.

Employee Composition

As at the end of 2022 there were five Authority voting members and sixteen (15.6 FTE) permanent employees within the JOIC.

In total, 81% of JOIC employees were female and 19% were male. The JOIC senior leadership team comprised of four permanent employees, 75% female and 25% male, supported by two external consultants.

Recruitment

This was the busiest area of the HR strategy in 2022. In support of our strategic outcomes, particularly that of "achieving and maintaining the highest standard of data protection in Jersey", the JOIC team increased from 12 (11.4 FTE) permanent employees on 31st December 2021 to 19 (18.6 FTE) by the end of 2022.

To accommodate these changes, new JOIC roles were designed, evaluated and the existing structure expanded during 2022. This resulted in a larger Compliance and Enforcement team, enabling greater capacity for proactive audits within local industries and a newly formed Community team, paving the way for greater engagement with the local community. Additional resources were also recruited to the Finance and Communications teams, resulting in greater expertise and capacity in these areas. After a long recruitment campaign, a Director of Regulatory Strategy was appointed, bringing much needed resilience to the two person JOIC Exec team.

Employee Turnover

Two employees left the team in 2022. This equated to an employee turnover of 15%. The turnover was 16% in 2021.

Talent Management

The 2022 JOIC employee engagement survey clearly confirmed that JOIC's people and culture are vital to its continued success. Developing our workforce and enabling career progression opportunities was therefore a key strategy, to retain talent. The changing organisation structure facilitated 3 promotion opportunities for JOIC talent during 2022. During 2022, JOIC scheduled a comprehensive programme of more than 35 training sessions to support the team's continuing professional development. The Head of Finance completed ACCA and three employees passed the PDP qualification, one with distinction.

Pay and Reward

JOIC had completed a comprehensive review of pay and reward in 2020 resulting in the implementation of a new pay structure in 2021. During 2022, the HR and Remuneration Committee supported the report's additional recommendation to consider broader methods of employee retention, such as non-consolidated pay awards and enhancing employee benefits.

Given the challenges of employee health and wellbeing, often tested in the previous 2 years, the decision to implement a private medical insurance (PMI) scheme, was made. A new PMI scheme for employees was implemented in August 2022.

The cost of living in Jersey rose consistently during 2022. The December twelve month increase in the RPI in Jersey was the largest since the early 1980s, causing much concern in the local community. In recognition of the exceptional circumstances, the JOIC team were awarded a 5% cost of living increase; further investment in its people and a commitment to their financial wellbeing.

Employee Engagement

Employee engagement is the extent to which employees invest their cognitive, emotional, and behavioural energies toward positive organisational outcomes. Following the previous year's first employee engagement survey, a second survey was conducted in 2022, to measure progress. Satisfaction was measured in the same 7 categories as 2021: Job Satisfaction, Pay and Reward, Training and Development, Leadership and Management, Communication and Engagement and Teamwork. Overall, engagement scores were higher than the previous year, in six of the survey's seven categories. Categories such as internal communication and structured training had improved notably, following feedback from the previous year. The Job satisfaction category, although still relatively high, was slightly down on the previous year, namely due to high levels of organisational change. Plans are ongoing with the team in this area.

Finance Report

Claire Le Brun, Head of Finance

Financial Performance as at 31 December 2022

| Budget Area | Budget to Q4 | Actual to Q4 | Variance |
|---|---|---|---|
| Income | £2,448,414 | £2,494,480 | +£46,066 |
| Staff | £1,651,430 | £1,182,211 | +£469,220 |
| Non-Staff | £796,956 | £848,903 | -£51,947 |
| Total Variance | | | +£463,338 |

The positive variance at the end of Q4 is largely due to the underspends in staffing. The underspend generated in the year has been utilised to support the JOIC strategic outcomes through our key projects.

Income

The revenue model was introduced in 2020, this was impacted by Covid-19. 2021 saw a phased return to normal business activity with 2022 being the first year collecting registration income without Covid disruption. The data collected during 2022 will assist with compiling robust trend analysis allowing for a greater degree of accuracy when forecasting future revenue generation.

| Fee | Full year 2022 | Full year 2021 | % change |
|---|---|---|---|
| Full time equivalent employees fee | £491,930 | £463,380* | 6% |
| Past year revenues fee | £81,650 | £78,400 | 4% |
| Proceeds of Crime fee | £113,350 | £106,650* | 6% |
| Administration services fee | £1,515,800 | £1,412,221* | 7% |
| Special Category data fee | £41,750 | £33,050 | 26% |
| Total | £2,244,480 | £2,093,701 | 7% |

* the figures quoted are final figures for 2021 and differ slightly from those reported in the 2021 Annual Report.

There was registration income growth across all the fee bands during 2022 with only one banding falling short of the 5% target.

The largest increase has been seen in the Special Category data (SCD) fee category which has increased by 26% when compared to 2021. The SCD fee criteria is met for registrants who process special category data who also have a prior year revenue in excess of £100k. The fee income in this category was particularly low in 2021 as it was based on the revenues earnt by entities during the pandemic so it is encouraging to see growth in this area.

The next highest fee band increase is seen in the Administration services fee category which makes up 67.5% of the total registration revenue received in 2022. (2021: 67.4%)

New registrations are received throughout the year, these are made up of new businesses registering for their first year of trading and existing businesses who have become aware of their legal obligations through the year.

Working in Partnership with Government

JOIC receives a Government grant and during 2022 the grant received was £250,000 (2021: £500k).

The grant income represents 10% of the total income received during 2022 (19.3% 2021) and in line with the partnership agreement between JOIC and the Government of Jersey this grant income was used for the purposes of administering the Data Protection Authority (Jersey) Law 2018, oversight and enforcement of the Data Protection (Jersey) Law 2018 and the oversight and enforcement of the Freedom of Information (Jersey) Law 2011.

Registration fee income is targeted to grow by 5% each year but there will be a point in time where JOIC reaches saturation and fee income will level off. It is with the future in mind that the Government grant value is set along with the fee bandings which are reviewed on an annual basis.

Remuneration and Staff

Staff costs have increased by 22.4% compared to the 2021 spend due to an increase in staff numbers.

| | 2021 | 2022 | %+/- |
|---|---|---|---|
| Total Staff cost | £965,689 | £1,182,210 | +22.4% |
| Total Staff cost | 14 | 18 | +28.6% |
| Average cost per head | £68,978 | £65,678 | -4.8% |

Remuneration rates for the Authority remain at the same rate as 2021. The rate was subject to an external review during 2021, the findings were submitted to the Minister who approved the following time commitments and rates for the Authority members:

| Role | Time Commitment | Day Rate | Annual Remuneration per Authority member for the relevant contribution |
|---|---|---|---|
| Authority Chair | 18 days p.a | £950 | £17,100 |
| *Committee Chair and Voting member | 15 days p.a | £750 | £11,250 |
| Voting Members | 12 days p.a | £750 | £9,000 |

* the committee chair was a new duty in 2021 attached to an existing Voting member role, the committee chair has an additional 3 days allocated to allow for the increased work load but is paid at the same day rate as a voting member.

There are no other payments made to the Authority members. Authority members are independent contractors and do not constitute an employee for the purposes of the Employment (Jersey) Law 2003 or other local legislation.


Staff costs include the Commissioner's salary.

| Commissioner Salary 2021* | Commissioner Salary 2022 | % increase on 2021 |
|---|---|---|
| £139,526** | £143,693 | 2.9% |

* There was a change in personnel during 2021. The previous Information Commissioner had a payment for reimbursement for the effects of double taxation, this amount has not been included in the salary figure detailed above. The grade offered to the Information Commissioner is a 10.3 on the JOIC pay scale and this was increased by 2.9% for cost of living from 1st January 2022.

** the reported 2021 Salary in the 2021 annual report was higher due to an allocation for holiday pay for the departing commissioner that was not required. It is coincidental that the allowance has matched the increase awarded for the cost of living increase for 2022.

Non-Staff Costs

There are variances throughout the non-staff budget areas, these are related to the previously mentioned recruitment issues causing delays in planned operations and have resulted in a net overspend in the non-staff budget.

Total Staff costs for the year were underspent at year end due to continued delayed recruitment as a result of the pandemic and the global issues with recruitment.

| Budget area | Budget 2022 | Actual 2022 | Variance |
|---|---|---|---|
| Non-Staff | £796,956 | £848,903 | -£51,947 |
| Staff | £1,651,430 | £1,182,210 | £469,220 |

The surplus generated in the year will be carried forward and utilised in 2023/4 to fund projects and initiatives that are underway.

12 https://www.kojima.je/

JERSEY DATA PROTECTION AUTHORITY (JDPA)

AUDITED FINANCIAL STATEMENTS

FOR THE YEAR ENDED 31 DECEMBER 2022

CONTENTS

General Information

Authority Report

Statement of Authority's Responsibilities

Independent Auditor's report to the Minister

Statement of Comprehensive Income and retained earnings

Statement of Financial Position

Notes to the Financial Statements

General Information

Members of the Authority

Jacob Kohnstamm  Chair

Clarisse Girot  Voting Member (resigned 23rd August 2022)

David Smith  Voting Member

Gailina Liew  Voting Member

Paul Routier MBE  Voting Member

Helen Hatton  Voting Member

Paul Vane  Information Commissioner (non-voting member)

Registered Office

2nd Floor, 5 Castle Street, St Helier, Jersey JE2 3BT

Banker

HSBC, 15-17 King Street, St Helier, Jersey JE2 4WF

Independent Auditor

Baker Tilly Channel Islands Limited, 1st Floor Kensington Chambers, 46/50 Kensington Place, St Helier, Jersey JE4 0ZE

Authority Report

The Authority present their report and the audited financial statements of the Jersey Data Protection Authority (JDPA) ("The Authority") for the year ended 31st December 2022.

Incorporation

The JDPA was incorporated in Jersey under the Data Protection Authority (Jersey) Law 2018 ("DPAL") on 25 May 2018.

Corporate governance and delegation of authority

The JDPA, through the Authority, carries the ultimate responsibility for the discharge of the responsibilities under the DPAL. The JDPA operates under the name of the Jersey Office of the Information Commissioner (JOIC).

The JDPA is the guardian of independence, sets the organisation's strategic direction, holds the Commissioner to account and provides the Commissioner with advice, support and encouragement. It ensures that JOIC provides value for money and complies with appropriate policies and procedures with respect to human resources, financial and asset management, and procurement.

The JDPA has the authority to appoint (or re-appoint) the Commissioner or remove the Commissioner from office. The JDPA has very limited operational responsibilities and these do not include day-to-day operations, individual casework or most enforcement decisions. The Authority has the ability to delegate functions to the Commissioner, but cannot delegate the following functions: this power of delegation; the function of reviewing any of its decisions; the issuing of a public statement under Article 14 of the DPAL; the making of an order to pay an administrative fine; the preparation of the Annual Report. By an Authority Resolution of 7 January 2019, The JDPA delegated all of its functions to the Commissioner, in accordance with Article 10, except "Reserved Functions". In performing the Reserved Functions the Authority will have the assistance of the Commissioner.

Results

The financial statements provide an overview of the Jersey Data Protection Authority's income and expenditure for 2022.

Going Concern

The Authority consider, given the financial condition of the Authority, the use of the going concern basis is appropriate for the current period and at least 12 months from the date of signing these financial statements.

Auditor

The Comptroller and Auditor-General exercised her power under Article 43(3)(a) of the Data Protection Authority (Jersey) Law 2018 (as defined by the Comptroller and Auditor General (Jersey) Law 2014), to appoint Baker Tilly Channel Islands Limited as auditor of the authority for the 5 years from the year ended 31st December 2018 to 31st December 2022.

Jacob Kohnstamm
Chair

29th March 2023

Statement of Authority's Responsibilities

The JDPA is responsible for preparing the Authority's report and the financial statements in accordance with applicable law and regulations.

The Data Protection Authority (Jersey) Law 2018 requires the Authority to prepare financial statements for each financial period. Under that law, the Authority have elected to prepare the financial statements in accordance with United Kingdom Accounting Standards, including Section 1A of the Financial reporting Standards 102, the Financial Reporting Standard in the United Kingdom and Republic of Ireland ("FRS 102 1A") (collectively, United Kingdom Generally Accepted Accounting Practice ("UK GAAP")). The Authority must not approve the financial statements unless they are satisfied that they give a true and fair view of the state of affairs of the Authority and of the surplus or deficit for that period.

In preparing these Financial statements, The JDPA is required to:

select suitable accounting policies and then apply them consistently;

make judgements and estimates that are reasonable and prudent;

state whether applicable accounting standards have been followed, subject to any material departures as disclosed and explained in the financial statements; and

prepare the financial statements on a going concern basis unless it is inappropriate to presume that the Authority will continue in business.

The voting members are responsible for keeping adequate accounting records that are sufficient to show and explain the Authority's transactions and disclose with reasonable accuracy at any time the financial position of the Authority and enable them to ensure that the financial statements comply with the Data Protection Authority (Jersey) Law 2018. They are also responsible for safeguarding the assets of The JDPA and hence for taking reasonable steps for the prevention and detection of fraud and other irregularities.

The JDPA at the date of approval of this report confirm that:

So far as the Authority are aware, there is no relevant audit information of which the JDPA's auditor is unaware; and

each Authority member has taken all steps that they ought to have taken as a member to make themselves aware of any relevant audit information and to establish that The JDPA's auditor is aware of that information.

Jacob Kohnstamm
Chair

29th March 2023

Independent Auditor's Report

To the relevant Minister of the Government of Jersey (the "Minister") on behalf of Jersey Data Protection Authority and the Comptroller and Auditor General

Opinion

We have audited the financial statements of Jersey Data Protection Authority (the "Authority"), which comprise the statement of financial position as at 31 December 2022, and the statement of comprehensive income and retained earnings for the year then ended, and notes to the financial statements, including a summary of significant accounting policies.

In our opinion, the accompanying financial statements:

give a true and fair view of the financial position of the Authority as at 31 December 2022, and of its financial performance for the year then ended in accordance with United Kingdom Accounting Standards, including Section 1A of FRS 102, The Financial Reporting Standard applicable in the UK and Republic of Ireland ("UK GAAP"); and

have been prepared in accordance with the requirements of the Data Protection Authority (Jersey) Law 2018 (the "Law").

Basis for Opinion

We conducted our audit in accordance with International Standards on Auditing (UK) (ISAs) and applicable law. Our responsibilities under those standards are further described in the Auditor's Responsibilities for the Audit of the Financial Statements section of our report. We are independent of the Authority in accordance with the ethical requirements that are relevant to our audit of the financial statements in Jersey, including the FRC's Ethical Standard, and we have fulfilled our other ethical responsibilities in accordance with these requirements. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Key Audit Matters

Key audit matters are those matters that, in our professional judgement, were of most significance in our audit of the financial statements of the current period and include the most significant assessed risks of material misstatement (whether or not due to fraud) identified by us, including those which had the greatest effect on: the overall audit strategy; the allocation of resources in the audit; and directing the efforts of the engagement team. These matters were addressed in the context of our audit of the financial statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion on these matters.

Key audit matter: Revenue. Accounting policies in Note 3, Note 4 and Note 6. Revenue for the year was £2,495,671 (PY: £2,591,378).

Identified audit risk per the Audit Planning Letter: Revenue recognised during the reporting period may be materially misstated. Revenue derived from registrations made with the authority and renewals, or grant income, being materially misstated.

Key observations communicated to those charged with governance: We have obtained an understanding of the process, from initial registration or renewal through to the income being recognised and received, including walkthroughs and detailed controls testing. We also undertook substantive analytical procedures to assess the completeness of the reported income. We have reviewed the agreements, correspondence and conditions related to funding received from Government of Jersey (GOJ), to ensure that the appropriate level of income is recognised in the reporting period. We have no issues to report from our testing.

Our Application of Materiality

Materiality for the financial statements as a whole was set at £37,000 (PY: £29,000), determined with reference to a benchmark of total revenue/expenses, of which it represents 1.8% (PY: 1.8%).

In line with our audit methodology, our procedures on individual account balances and disclosures were performed to a lower threshold, performance materiality, so as to reduce to an acceptable level the risk that individually immaterial misstatements in individual account balances add up to a material amount across the financial statements as a whole.

Performance materiality was set at 70% (PY: 70%) of materiality for the financial statements as a whole, which equates to £26,000 (PY: £20,000). We applied this percentage in our determination of performance materiality because we have not identified any significant corrected misstatements or material uncorrected misstatements in the prior year audit. We also based the percentage on results and experience in the prior year audit and understanding of the entity therefore we deem the likelihood and effects of misstatements to be low.

We have reported to the Audit and Risk Committee any uncorrected omissions of misstatements exceeding £1,000 (PY: £1,000), in addition to those that warranted reporting on qualitative grounds.

Conclusions relating to Going Concern

In auditing the financial statements, we have concluded that the Board of Members' use of the going concern basis of accounting in the preparation of the financial statements is appropriate.

Based on the work we have performed, we have not identified any material uncertainties relating to events or conditions that, individually or collectively, may cast significant doubt on the Authority's ability to continue as a going concern for a period of at least twelve months from when the financial statements are authorised for issue.

Our responsibilities and the responsibilities of the Board of Members with respect to going concern are described in the relevant sections of this report.

Other Information

The other information comprises the information included in the annual report other than the financial statements and our auditor's report thereon. The Board of Members are responsible for the other information contained within the annual report. Our opinion on the financial statements does not cover the other information and, except to the extent otherwise explicitly stated in our report, we do not express any form of assurance conclusion thereon. Our responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or our knowledge obtained in the course of the audit, or otherwise appears to be materially misstated. If we identify such material inconsistencies or apparent material misstatements, we are required to determine whether this gives rise to a material misstatement in the financial statements themselves. If, based on the work performed, we conclude that there is a material misstatement of this other information, we are required to report that fact.

We have nothing to report in this regard.

Responsibilities of the Board of Members

As explained more fully in the statement of Authority's responsibilities set out on page 83, the Board of Members are responsible for the preparation of financial statements that give a true and fair view in accordance with UK GAAP, and for such internal control as the Board of Members determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error.

In preparing the financial statements, the Board of Members are responsible for assessing the Authority's ability to continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting unless management either intends to liquidate the Authority or to cease operations, or has no realistic alternative but to do so.

The Board of Members are responsible for overseeing the Authority's financial reporting process.

Auditor's Responsibilities for the Audit of the Financial Statements

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor's report that includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with ISAs will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements.

The extent to which our procedures are capable of detecting irregularities, including fraud, is detailed below:

Enquiry of management to identify any instances of non-compliance with laws and regulations, including actual, suspected or alleged fraud;

Reading minutes of meetings of the Authority;

Reading compliance reports and key correspondence with regulatory authorities;

Review of legal invoices;

Review of management's significant estimates and judgements for evidence of bias;

Review for undisclosed related party transactions;

Using analytical procedures to identify any unusual or unexpected relationships; and

Undertaking journal testing, including an analysis of manual journal entries to assess whether there were large and/or unusual entries pointing to irregularities, including fraud.

A further description of the auditor's responsibilities for the audit of the financial statements is located at the Financial Reporting Council's website at www.frc.org.uk/auditorsresponsibilities.

This description forms part of our auditor's report.

Other Matters which we are Required to Address

We were appointed by Comptroller and Auditor General on 4th March 2020 to audit the financial statements. Our total uninterrupted period of engagement is 4 years.

The non-audit services prohibited by the FRS's Ethical Standard were not provided to the Authority and we remain independent of the Authority in conducting our audit.

Our audit opinion is consistent with the additional report to the audit committee in accordance with ISAs.

Use of this Report

This report is made solely to the Minister in accordance with Article 43 of the Data Protection Authority (Jersey) Law 2018. Our audit work has been undertaken so that we might state to the Minister those matters we are required to state to them in an auditor's report and for no other purpose. To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the Authority and its Minister, as a body, for our audit work, for this report, or for the opinions we have formed.

Sandy Cameron

For and on behalf of Baker Tilly Channel Islands Limited

Chartered Accountants

St Helier, Jersey

Date: 29 March 2023

Statement of Comprehensive Income and Retained Earnings

FOR THE YEAR ENDED 31 DECEMBER 2022

                                            Notes        2022 £        2021 £
Income from activities                          4     2,244,728     2,091,353
Operating expenses                              5   (2,099,564)   (1,619,896)
Surplus on ordinary activities                          145,164       471,457

Other income
Government grant                                6       250,000       500,000
Interest                                                    943            25
Surplus on ordinary activities                          250,943       500,025

Taxation                                        7             -             -

Surplus for the year                                    396,107       971,482

Retained Surplus as at 1st January 2022               1,551,884       580,402
Retained Surplus as at 31st December 2022             1,947,991     1,551,884

The JDPA turnover and expenses all relate to continuing operations. There are no recognised gains or losses other than those shown above.

The notes on pages 90-95 form part of these Audited Financial Statements

Statement of Financial Position

FOR THE YEAR ENDED 31 DECEMBER 2022

Assets                                      Notes        2022 £        2021 £
Non-current assets
Tangible assets                                 8        22,768         8,267
Intangible assets                               9        90,029        96,517
                                                        112,797       104,784

Current assets
Trade and other receivables                    10        43,989        54,341
Cash and cash equivalents                      11     1,885,109     1,439,574
Total Current assets                                  1,929,098     1,493,915

TOTAL ASSETS                                          2,041,895     1,598,699

CREDITORS: amounts falling due within one year
Trade and other payables                       12      (93,904)      (46,815)
                                                       (93,904)      (46,815)

TOTAL NET ASSETS                                      1,947,991     1,551,884

EQUITY
Share Capital                                  13             -             -
Reserves                                              1,947,991     1,551,884

TOTAL NET ASSETS                                      1,947,991     1,551,884

The financial statements on pages 88 to 95 have been prepared in accordance with the Data Protection Authority (Jersey) Law 2018 and Section 1A of Financial Reporting Standard 102.

The notes on pages 90 - 95 form part of these Audited Financial Statements

The accounts were approved and authorised for issue on 29th March 2023 by the Authority and signed on its behalf by:

Jacob Kohnstamm Chair

Notes to the Financial Statements

FOR THE YEAR ENDED 31 DECEMBER 2022

  1. General Information

The Jersey Data Protection Authority (JDPA) (the "Authority") was created by the Data Protection (Jersey) Law 2018 on 25 May 2018 and is responsible for the registration and regulation of Data Protection in Jersey. This law transferred all responsibilities for registration and regulation of Data Protection prescribed as the duty of the Minister or other States bodies to this new Authority. The Authority is a body corporate and its registered office is 2nd Floor, 5 Castle Street, St Helier, Jersey, JE2 3BT.

Basis of accounting

The financial statements have been prepared on the going concern basis, under the historical cost convention. The Authority has applied the small entities regime under FRS 102(1A), which allows qualifying entities certain disclosure exemptions. The Authority has taken advantage of the exemption from preparing a statement of cash flows under paragraph 7.1b.

Functional and presentational currency

The financial statements are prepared in Pounds Sterling (GBP or £) which is the functional and presentational currency of the Authority.

  2. Statement of compliance

The financial statements have been prepared in compliance with Section 1A of Financial Reporting Standard 102 (FRS 102), "The Financial Reporting Standard applicable in the UK and Republic of Ireland", issued by the Financial Reporting Council, and the Data Protection Authority (Jersey) Law 2018.

  3. Summary of Accounting Policies, Estimates and Significant judgements

The principal accounting policies applied in the preparation of these financial statements are set out below. These policies have been consistently applied to all years presented, unless otherwise stated or a new or amended accounting standard is applied.

The preparation of financial statements requires the use of certain accounting estimates. It also requires management to exercise its judgement in the process of applying accounting policies. Accounting estimates involve management's judgment of expected future benefits and obligations relating to assets and liabilities (and associated expenses and income) based on information that best reflects the conditions and circumstances that exist at the reporting date. There have been no changes to the accounting estimates from the previous financial period.


Going concern

The Authority consider, given the financial condition of the Authority, the use of the going concern basis is appropriate for the current period and for 12 months from the date of signing these accounts.

Provisions

Provisions are recognised when the Authority has a present legal or constructive obligation, as a result of past events, for which it is probable that an outflow of economic benefits will be required to settle the obligation in future and the amount of the obligations can be reliably estimated.

Economic useful lives of intangible and tangible fixed assets

The Authority's fixed assets are depreciated on a straight-line basis over their economic useful lives. Useful economic lives of equipment are reviewed by management periodically. The review is based on the current condition of the assets and the estimated period during which they will continue to bring an economic benefit to the Authority.

Revenue recognition

Registration fees

Under the terms of Data Protection Authority (Jersey) Law 2018 registrations made to the Authority are valid for one year. The registration fees are non-refundable and fall due each year on 1st January. Income from registrations is recognised when it is earned.

Operating Expenses

Expenses are accounted for on an accruals basis.

Employment benefits

Pension costs

As the Authority is an admitted body, past and present employees have been eligible to accrue post-employment benefits under the provisions of two possible defined benefit pension schemes, namely the Public Employees Contributory Retirement scheme ("PECRS") or the Public Employees Pension Fund ("PEPF").

The assets are held separately from those of the Government of Jersey and the responsibility to discharge accrued liabilities is held by those Funds. The Authority is not responsible to fund any deficit or to maintain the specific level of the pension assets to meet pension liabilities. In light of this, the scheme is accounted for as though it is a defined contribution scheme, with the annual cost to the Authority taken to be equal to the employer's pension contributions payable to the scheme for the accounting period. The contributions are charged to operating expenses as and when they become due.

Contribution rates are determined on a triennial basis by an independent qualified actuary, so as to spread the costs of providing benefits over the members' expected service lives. The main purposes of the valuations are to review the operation of the scheme, to report on its financial condition and as noted, to confirm the adequacy of the contributions to support the scheme benefits. Copies of the latest annual accounts of the scheme, and Government of Jersey, may be obtained from 19-21 Broad Street, St Helier JE2 3RR or online at: http://www.gov.je/Working/WorkingForTheStates/Pensions/PublicEmployeePensionFund/Pages/PublicServicePensionPublications.aspx

Interest receivable

Interest receivable is accounted for on an accruals basis.

Government Grant

Grants are recognised in other income in the year the related costs are incurred by the Authority for which the grant is intended to compensate. For grants which are received by the Authority for compensation for expenses or deficit which have already been incurred, the grant is recognised in income when it is received or receivable.

Tangible assets

Tangible assets consist of office equipment which is stated at historical cost less accumulated depreciation. Cost includes all costs directly attributable to bringing the asset to working condition for its intended use. Depreciation is calculated on the straight-line method to write-off the cost of equipment to their estimated residual values over their expected useful lives as follows:

- Office equipment 3 years

- IT equipment 3 years

The useful lives and depreciation methods used are reviewed regularly and any adjustments required are effected in the charge for the current and future years as a change in accounting estimate. Gains and losses on disposal of equipment are determined by reference to their carrying amounts and are taken into account in determining net profit. Repairs and renewals are charged to the statement of profit or loss and other comprehensive income when the expenditure is incurred. The carrying values of the plant and equipment are reviewed for impairment when events or changes in circumstances indicate the carrying values may not be recoverable. If any such indication exists, and where the carrying values exceed the estimated recoverable amounts, the plant and equipment are written-down to their recoverable amounts. One full year of depreciation is charged in the year of acquisition. Items with a value in excess of £1000 whether singularly or in aggregate are capitalised.

The Authority's policy is to review the remaining useful economic lives and residual values of property, plant and equipment on an ongoing basis and to adjust the depreciation charge to reflect the remaining estimated useful economic life and residual value.

Intangible assets

Externally acquired intangible assets (Website and software) are initially recognised at cost and subsequently amortised on a straight-line basis over their useful economic lives of 5 years. The carrying amount of each intangible asset is reviewed periodically and adjusted for impairment where considered necessary.

Due to the revenue generation, regulatory function and API connection to Dynamics CRM, an expert opinion was sought on the useful economic life and 5 years was considered to be appropriate and in line with the Digital Strategy for the JDPA.

The Authority's policy is to review the remaining useful economic lives on an ongoing basis and to adjust the amortisation charge to reflect the remaining estimated useful economic life and residual value if appropriate. One full year of amortisation is charged in the year of acquisition.

Financial assets

Basic financial assets, including trade and other receivables and cash and bank balances are initially recognised at transaction price, unless the arrangement constitutes a financing transaction, where the transaction is measured at the present value of the future receipts discounted at a market rate of interest. Subsequent measurement shall be at fair value with the change in fair value recognised in profit or loss.

Financial assets are derecognised when (a) the contractual rights to the cash flows from the asset expire or are settled, or (b) substantially all the risks and rewards of the ownership of the asset are transferred to another party or (c) despite having retained some significant risks and rewards of ownership, control of the asset has been transferred to another party who has the practical ability to unilaterally sell the asset to an unrelated third party without imposing additional restrictions.

Trade and other receivables

Trade and other receivables are initially recognised at their fair value and are carried at their anticipated realisable values. An allowance is made for impaired trade and other receivables based on a review of all outstanding amounts at the year-end. Bad debts are written-off during the year in which they are identified. Subsequent measurement will see the change in the realisable value recognised in profit or loss.


Cash and cash equivalents

Cash and cash equivalents comprise cash in hand.

Financial liabilities

Basic financial liabilities, including trade and other payables are initially recognised at transaction price, unless the arrangement constitutes a financing transaction, where the debt instrument is measured at the present value of the future receipts discounted at a market rate of interest. Financial liabilities are derecognised when the liability is extinguished, that is when the contractual obligation is discharged, cancelled or expires. Subsequent measurement shall be at fair value with the change in fair value recognised in profit or loss.

Trade and other payables

Trade payables are obligations to pay for goods or services that have been acquired in the ordinary course of business from suppliers. Accounts payable are classified as current liabilities if payment is due within one year or less. If not, they are presented as non-current liabilities. Trade payables are recognised initially at transaction price and subsequently measured at amortised cost using the effective interest method.

Contingencies

Contingent liabilities, arising as a result of past events, are disclosed when it is possible that there will be an outflow of resources but the amount cannot be reliably measured at the reporting date. Contingent liabilities are disclosed in the financial statements unless the probability of an outflow is remote.

Contingent assets are disclosed in the financial statements, but not recognised, where an inflow of economic benefits is probable.

  4. Income from activities

Income from activities is made up of registration fees under the terms of Data Protection Authority (Jersey) Law 2018. The registration fee income in the year was £2,244,728 (2021: £2,091,353).

  5. Operating expenses

                                                              2022 £        2021 £
Staff including Commissioner and Deputy Commissioner       1,182,210       965,689
Services and Communications                                  676,687       410,376
Administrative Expenses                                       22,564        17,988
Audit and accountancy fees                                    17,750        24,506
Premises and Maintenance                                     131,054       126,675
Bank charges                                                   9,999         8,809
Depreciation and amortisation                                 59,300        65,853
                                                           2,099,564     1,619,896

  6. Government grant

The Government grant paid in the year was £250,000 (2021: £500,000).

Any net deficit of the Authority is financed by the Government of Jersey under the Partnership Agreement. The current partnership agreement ends 31st December 2023.

  7. Taxation

Article 42 of the Data Protection Authority (Jersey) Law 2018 provides that the income of the Authority shall not be liable to income tax under the Income Tax (Jersey) Law 1961.

  8. Tangible assets

2022 £                               Office equipment    IT equipment       Total
Cost
As at beginning of year                        37,054          46,575      83,629
Additions in the year                          12,476          15,477      27,953
                                               49,530          62,052     111,582

Accumulated depreciation
As at beginning of year                        36,228          39,134      75,362
Depreciation charge for the year                4,572           8,880      13,452
                                               40,800          48,014      88,814

Net book value
As at 31 December 2022                          8,730          14,038      22,768
As at 31 December 2021                            826           7,441       8,267

  9. Intangible assets

2022 £                               Software
Cost
As at beginning of year               189,878
Addition                               39,360
                                      229,238

Accumulated amortisation
As at beginning of year                93,361
Charge for the year                    45,848
                                      139,209

Net book value
As at 31 December 2022                 90,029
As at 31 December 2021                 96,517

  10. Trade and other receivables

                                       2022 £        2021 £
Trade Debtors                          20,517        19,459
Prepayments                            23,472        34,882
                                       43,989        54,341


  11. Cash and cash equivalents

The JDPA has £1,885,109 at the end of the year (2021: £1,439,574). All balances are cash and are held in the Authority's own bank accounts.

  12. Trade and other payables

                                       2022 £        2021 £
Accruals and trade creditors         (93,904)      (46,815)
                                     (93,904)      (46,815)

  13. Share capital

The JDPA was incorporated in Jersey under the Data Protection Authority (Jersey) Law 2018 and has no share capital.

  14. Related Party Transactions

The Related Party Transactions for The Authority solely relate to the Authority remuneration.

Authority Remuneration                                   2022 £        2021 £
Information Commissioner (until 1st July 2021)                -        88,227
Information Commissioner                                118,335        69,244
Chair                                                    17,093        14,177
Voting member (Non Executives)                            4,500         8,100
Voting member (Non Executives)                           11,250        10,350
Voting member (Non Executives)                            9,000         8,100
Voting member (Non Executives)                           11,250        10,350
Voting member (Non Executives)                           11,250        10,350
                                                        182,678       218,898

Key management personnel includes the Commissioner and the Voting Members who together have authority and responsibility for planning, directing and controlling the activities of The JDPA.

All amounts paid to key management personnel were in line with the contractual agreement and entirely related to remuneration for the above described services.

The JDPA has recognised £250,000 (2021: £500,000) as grant income from the Government of Jersey. The JDPA is accountable to the Government of Jersey by means of the Partnership Agreement.

  15. Controlling Party

The JDPA was incorporated in Jersey under the Data Protection Authority (Jersey) Law 2018 and works as an independent Authority.

As such, it is not considered to have a controlling party.

  16. Contingent Asset

The Information Commissioner who was in post between July 2018 and July 2021 resided outside of Jersey. Their employment contract allowed them to claim an allowance for the effects of double taxation as their income was taxed in 2 different jurisdictions. During 2022 information was received from the Canadian Revenue Agency that a rebate could be payable due to the possibility of a foreign tax credit being applied. The Canadian Revenue Agency are in the process of performing a reassessment of these taxes. There are no further details available as at the date of producing these financial statements.

2nd Floor, 5 Castle Street, St. Helier, Jersey, JE2 3BT | +44 (0) 1534 716 530

www.jerseyoic.org