R.87/2024
JERSEY OFFICE OF THE INFORMATION COMMISSIONER
Annual Report
Fulfilling the obligations of the Authority under Article 44 of the Data Protection Authority (Jersey) Law 2018 and the Information Commissioner under Article 43 of the Freedom of Information (Jersey) Law 2011.
2023 HIGHLIGHTS
- … 1/5 of the Island's young people
- Expanded Youth & Community Engagement & Outreach
- 215 Self Reported Data Breaches
- 80% of attendees at JOIC events reported they benefitted from the session
- Jersey formally announced as host nation for the 46th Global Privacy Assembly
- 71% of Amicable Resolution cases resolved informally
- 1671 representatives from data controllers attended JOIC events
- Our Privacy Force superhero characters were shortlisted for a Global Privacy Assembly Award
- 7366 Organisations registered
- Increase in complaints received regarding unfulfilled Subject Access Requests and inappropriate sharing of personal information
THE
JERSEY DATA Our vision is tculturperinstinctivsonal data and privacy bece where, with individuals and ebo cry the preate an island otection of omes Twith JerGohighest standaro prvernment of Jerovidsee those who inty organisations and the d of persey with the sonal data eract Our values arthehoto be morw wy cre opereate than we our idate huge. Wentity and infore crely impords on a pageated our values tant torm e, o us, PROTECTION organisations taking a prapprthrbusiness planning. oughout their daily activities and oach to embed such proactivotection e protection. using them tbehaimprapply tflow throviourvo us all, rementough each ars and drivo guidinegaroure de cserdlea of our serecisions, seless of rontinuous vice. Ourank and valuesvicect e,
AUTHORITY every day.
VALUES

WE ARE FAIR.
We treat people equally, without favouritism or discrimination. We are impartial in our activities and free from bias or dishonesty. We are competent, reliable and respectful. Our decisions are open, honest and rationalised by a sound evidence base to promote integrity and trust.

WE ARE COLLEGIAL.
We share responsibility, including being honest and fair in our conduct towards others. We are willing to be judged on our performance. We work together to achieve our strategic outcomes. A collaborative approach allows us to work effectively together or individually. We communicate clearly, actively listen to others, take responsibility for mistakes, and respect the diversity of our team. We demonstrate impartiality and accountability.

WE ARE ENERGETIC.
We are enthusiastic and approach our activities with vigour and vitality.

WE ARE RESPECTFUL.
We respect those we work and liaise with; this means that we actively listen to others and behave considerately towards others. We have self-respect and make responsible choices in what we say and do, to reach personal and organisational outcomes. We treat others in the way we want to be treated.

OUR ROLE
The Jersey Data Protection Authority (the Authority) is an independent statutory body established to promote respect for the private lives of individuals through ensuring privacy of their personal information by:
- Implementing and ensuring compliance with the Data Protection (Jersey) Law 2018 (the DPJL 2018) and the Data Protection Authority (Jersey) Law 2018 (the DPAJL 2018).
- Influencing attitudes and behaviours towards privacy and processing of personal information, both locally and internationally.
- Providing advice and guidance to Island businesses and individuals and making recommendations to the Government of Jersey in response to changes in international data protection laws.

The Information Commissioner has separate responsibility for regulating the Freedom of Information (Jersey) Law 2011 (the FoI Law). This includes encouraging public authorities to follow good practice in their implementation of that law (including adherence to the relevant code of practice) and helping to promote transparency by supplying the public with information about the law and advice and guidance on how to exercise their rights.
STRATEGIC OUTCOMES

02 Maximising technological and economic opportunities to enhance the Island's reputation as a safe place to host personal data and do business.
a. Jersey is a unique jurisdiction where regulation (including in respect of personal data) is already entrenched in our society (particularly in the finance sector). It will be critical for our economy to ensure that Jersey remains at the leading edge; monitoring international legislative frameworks, trading corridors and innovation to ensure Jersey can act fast and seize opportunities that both grow and preserve our already strong reputation for data protection and privacy more widely.
b. Our strong relationships with relevant stakeholders in the digital sector and Government of Jersey have enabled us to participate in a major project on the feasibility of Data Stewardship services in Jersey. These and similar concepts can provide exciting opportunities for Jersey where the Island can be seen as a world leader. We are key stakeholders in those discussions.

Proactively identifying relevant developments in the field of data protection, such as new and emerging technologies, economic or social change, our deliverables in this area start at grassroots level, with the aim of helping our stakeholders to ensure they have solid foundations, minimise risk and are alert to both future threats and opportunities. As a small but agile team, a key focus is on understanding the emerging landscape, working collegially with key change agents and providing thought leadership to facilitate positive change.

This includes our ongoing responsibility to maintain an awareness of regulatory and legal changes which may impact on privacy and data protection in Jersey and to contribute to our ability to navigate new privacy frontiers.
01 Achieving and maintaining the highest standard of data protection in Jersey.
- Our purpose demands the highest standards of data protection for our citizens, and those who interact with Jersey, remembering that our Laws (like GDPR) have extra-territorial scope.
- It is also important to remember that as a fundamental human right, data protection is intrinsically linked to well-being, mental health, reducing inequalities and improving living standards. All of these areas are key elements of the Island's collective strategy in the coming years.

This outcome covers all areas of our organisation and those who we are here to serve and support. From delivering proactive day to day guidance and resources, to forging ahead with our outreach and education programmes, to specific enforcement initiatives, such as targeted audits, we are committed to achieving and maintaining the highest standards of data protection. However, we cannot do this alone. We will continue to engage with all sectors of our community, such as charities, government, local businesses and youth groups (including both primary and secondary schools) to reach young people. Our deliverables in this area support our aim to be an exemplar and a source of leadership to our stakeholders. This in turn helps them to understand their role and their responsibilities, so that they too can deliver the highest standards of data protection.

03 Protecting our future generations by putting children and young people first.
a. Given the exponential advances and uses of technology, it is critical, now more than ever, that we take steps to educate children on how online behaviours can affect their opportunities in later life and equip them with the tools to protect themselves against the many harms associated with growing-up in a digital environment, including educating on social media use, online gaming and the darker sides of the internet.
b. Equally, many of these young people will be our future digital innovators. It is incumbent upon us to help them embrace technological innovation in a safe way, and work with them to improve their own broader skills so as to ensure that Jersey remains not only a safe place to live, but also an exciting, attractive and progressive Island in which to do business.
c. Highlighting children is not at the exclusion of adult populations within our community. We respect all members of our community whilst recognising that some populations may be at higher risk and need greater protection. Our role as regulator is to ensure that we target our support accordingly and apply the Law in a fair and consistent manner, protecting those who need it most.

In working towards this outcome, our deliverables build on our already strong relationships with the Island's schools, through further development and wider roll-out of our education programme. Through specific targeted outreach campaigns, we will continue to raise children's awareness of their data protection rights, whilst alerting them to the potential risks of their online and other activities.
CHAIR REPORT
Jacob Kohnstamm
Chair, Jersey Data Protection Authority

On behalf of the Authority, it is once again my pleasure to present to the Minister and members of the States Assembly our Annual Report for 2023. This fulfils our statutory obligation under Article 44 of the DPAJL 2018. This will be my last foreword, with my term as Chair coming to an end during 2024.

I am very thankful for the fact that I was allowed to be the chair of the Authority since 2018. The Authority has come a long way in the five years since its inception in 2018; we have navigated through unprecedented change and seen major growth and development of the Jersey Office of the Information Commissioner (JOIC) in terms of expertise, capacity and headcount. In my last report, I made mention of the departure of Clarisse Girot and David Smith. Whilst they were both significant losses to the Authority, I was very pleased to welcome three new Authority Members in 2023. A qualified lawyer, Stephen Bolinger brings extensive experience in privacy and data protection in the areas of technology, financial services and medical devices. As a former employee of the Dutch Data Protection Authority and current in-house data protection counsel, Paul Breitbarth brings in-depth knowledge and experience of the General Data Protection Regulation (GDPR) from both a local and international law enforcement perspective. Elizabeth Denham CBE needs little introduction, bringing significant experience spanning 15 years as a data protection regulator. She was Information and Privacy Commissioner for British Columbia before becoming the UK Information Commissioner and oversaw the introduction of GDPR and the UK Data Protection Act 2018. With the addition of this incredible technical expertise to the Authority, we are in good shape to face the challenges that lie ahead.

Aside from the obvious challenges of emerging technologies such as Artificial Intelligence and Facial Recognition Technology, and how we prepare the Island to deal with them, there are also significant matters internally which will be the focus of our attention for 2024. At the top of that list is the matter of Jersey hosting the Global Privacy Assembly Annual Conference in October. For our Authority, and for the Island of Jersey, this is a huge honour of momentous proportions. As our Authority has grown in size over the last six years, it has also grown in stature, becoming recognised for its work on an international stage and participating in privacy discussions on a global scale. Few jurisdictions get the opportunity to host this prestigious event, so it is with great pride that this coming year sees the conference coming to Jersey. The conference will provide the platform for robust and engaging conversation about issues facing many data protection authorities.

The theme for the 2024 conference therefore centres around 'The Power of I'. 'I' can mean many things, but the focus of discussions will be on the eight pillars of information, individuals, independence, integrity, indigenous, intercultural, international and innovation. We intend to explore how these interact with harms, values and enrichment of human lives, how we can respect the power of information and the individual's need to have power and dignity, and who exercises the power. We will also discuss whether current regulatory models are still relevant and fit for purpose, and what the future regulator may look like.

For the last couple of years, I have repeatedly reported about the dilemma of our financial relations with the Government of Jersey, noting that data protection is a fundamental human right. The Authority is a totally independent statutory public authority with a mandate set in law, regulating both the private and public sectors in respect of their data processing activities. We have consistently stated that the current situation of the private sector providing almost 100% of the funding of the Authority is neither acceptable nor fair. The Government of Jersey has now recognised this unsatisfactory position and has provided commitment to the future funding of the Authority. Together with the Government, we are working towards a new model which will see a contribution from Government that reflects around 25% of the JOIC's workload being attributed to Government-related data processing matters. A review of the existing fee model is reaching a conclusion, and a proposal will be provided to Government imminently. However, it is important to note that any change to our existing model will require a change in legislation; as such we will need to follow due process and consult with the wider community of registered data controllers before the matter is placed before the States Assembly for their consideration and approval. We remain hopeful that an acceptable long-term solution can be reached in the very near future.

Finally, it would be remiss of me not to mention the recent positive adequacy finding of the European Commission in respect of third countries, including Jersey. Since Jersey's updated Data Protection laws came into force on 25 May 2018, and with the assistance of the JOIC, the Government of Jersey have been working with the Commission to demonstrate that the Island's data protection framework accords with the standards of the GDPR, providing an adequate level of protection for personal data transferred from the European Union. Data flows to and from Jersey are critical to Jersey's entire economy, and in particular the Island's finance industry which relies heavily on the ability to transfer personal data between the EU. Receiving a positive adequacy assessment is of huge importance to Jersey and I must take this opportunity to thank our Government colleagues for their hard work in getting this decision across the line. It is equally important to now maintain that adequacy status, especially given that third countries are subject to continual monitoring against European standards.

To conclude, once again our Authority can expect a busy, but exciting year ahead with plenty of challenges to contend with. In my final year as Chair, I look forward to being involved with the continued development of the JDPA, and hope to see many of you in person at the Conference in October.

Jacob Kohnstamm
Chair, Jersey Data Protection Authority
INFORMATION COMMISSIONER'S FOREWORD
Paul Vane BA HONS SOC POL CRIM OPEN
Information Commissioner

It is with great pleasure that I present my second foreword as Information Commissioner for the Bailiwick of Jersey. I would be lying if I said writing a foreword is easy. Trying to compress a busy year's worth of activities into a few short paragraphs is far from easy!

2023 has been another incredibly busy, yet productive year for our small team as we continue to embed our vision to create a culture in Jersey where privacy becomes instinctive. So, I will do my utmost to summarise our activities and share a snapshot of some of the key areas we have been working on over the last 12 months, together with the frustrations where due to resource and budget limitations we have been restricted from completing mandated activities at the planned level.

Before I go any further however, I must congratulate my team for the hard work and energy each and every one has given over the last year in helping to progress our vision and strategy. When you assess the output from our office, it is easy to think from the outside that we are a large organisation with unlimited resources. The opposite is true. I always feel extremely proud to receive feedback, particularly from other nations, about how much we achieve with such a small budget and only 19 staff. It is indicative of the passion and drive of every single member of the team to succeed, protect and create better outcomes for the people of Jersey. We strive to be an effective and efficient regulatory authority, whilst balancing carefully our resources, always seeking to adapt and work smarter to achieve as much as possible. We are a progressive and forward-thinking regulator, always looking to the future as we try to grapple with the complexities of regulating privacy in a rapidly changing environment.

I am often asked what is it you do? And why is it so important? The truth is there are serious privacy questions out there which, if not answered, have the potential to cause significant harms and prejudice to individuals, communities and countries. For example, how do you apply data protection regulation to Artificial Intelligence so that it ensures public trust, confidence and protects data whilst not stifling innovation? How do you navigate the myriad of privacy issues arising from humanitarian disasters and global conflicts such as the war in Ukraine, the current unrest in Gaza, or the privacy issues arising from the Covid pandemic? How do you ensure multiple regulatory perspectives are aligned and not in conflict when dealing with online harms, cyber security, competition, health data, and financial services, for example? How do organisations deal with the complexities of data sharing or the safe transfer of data across borders where cultures are different, and privacy rules either differ or are non-existent? These are just a handful of some of the complex issues data protection authorities across the world, including the JDPA are having to deal with daily. In my view, the role of the regulator is no longer simply to ensure that organisations are compliant with data protection laws; we must also be thought leaders, experts in our field and policy influencers to ensure our future generations are afforded the best protection of their fundamental human right to privacy. To do that properly, and arguably to fully meet our statutory obligations, our Authority must be an integral part of the solution. We must be involved in discussions around new and emerging technologies, have a seat at the table of policy-making discussions where there is an impact on the data protection and privacy rights of individuals, and have a voice on a global stage on future privacy enhancing initiatives.

The importance and power of collaboration, especially in an Island such as Jersey, cannot be underestimated when addressing some of these issues. Jersey provides a unique opportunity to get the right people around the table very quickly and move at pace. An example of this in action can be seen with our involvement in the data stewardship project with Digital Jersey. Experts from Jersey and further afield, including our office, were able to work through some enormously complex issues to get to a position where a data trust could be tested in a safe environment. While we await the conclusion of the testing phase of this project, the outcome could be of significant economic value to the Island whilst ensuring personal data is provided the very highest levels of protection. In short, it could be a game-changer, not only for Jersey but around the globe. However, this is not the only opportunity for Jersey. Providing the ideal test bed for new products and services, Jersey has the ability to be a world leader in many innovative projects. Digital healthcare is another example, and it is not difficult to understand the crossovers between data protection and the provision of digital and online health services to emphasise how important it is for our office be involved in those discussions.

This is why in 2023 the JDPA has increased its activity on an international scale to ensure we remain relevant and at the forefront of discussions on international developments in data protection. As well as chairing the Global Privacy Assembly working group on data sharing for the public good, we are also represented on working groups on ethics in data protection and artificial intelligence, international development, humanitarian aid and crisis management, international enforcement cooperation and digital education. These are all opportunities to collaborate and have a voice at a global level, increasing knowledge and expertise, and working with other data protection authorities to grapple with some of these increasingly complex issues. An example of the success of these collaborations is our participation in an international enforcement action relating to data scraping by social media companies, which resulted in us co-signing a joint statement with 11 other data protection authorities and issuing an open letter to all social media companies. As a group, we are now working with the social media sector to ensure similar privacy-invasive practices do not continue.

More locally, we have increased our collaboration with the other Crown Dependencies, Guernsey and the Isle of Man through the Islands Data Governance Forum, and you will also recall from my foreword last year that Jersey and our office will be the host nation for the 46th Global Privacy Assembly Annual Meeting in 2024. This is not only a huge privilege for our office, but it presents another opportunity for Jersey to showcase all it has to offer and provide an excellent platform for ongoing and future collaboration. We have been working hard in terms of conference planning and programme development and look forward to welcoming many delegates from around the world in October 2024.

Despite our continued successes, we are operating in uncertain times and 2023 has seen some significant challenges. The economic situation is impacting negatively on business growth with organisations de-registering as they cease trading. We have seen 330 de-registrations for 2023, far more than ever before and the trend is continuing into 2024. We are yet to see the full impact of the MoneyVal report which has the potential to impact significantly on administered entities in Jersey, and consequently our registration fee income.

95% OF 2023 BUSINESS PLAN DELIVERABLES DELIVERED

Although we have achieved 95% of our 2023 business plan deliverables it should be noted that the continuing financial uncertainty arising from the lack of Government funding contribution to our office has resulted in the scaling back of our activities. Some deliverables were not achieved to their full potential or targets fully met. Recruitment was delayed to utilise the staff savings for budgetary purposes. Education and outreach were scaled back on activities in areas such as providing support to vulnerable areas of our community through community groups, plans to engage with parent teachers associations and Project Trident students were put on hold, and the rolling out of additional courtroom challenges and privacy debates has been delayed until 2024. In terms of talent management and succession planning, we did not attend training face-to-face, opting for on-line courses to achieve cost savings, but at the expense of valuable networking and the richness of the training dialogue between delegates.

Although there has been progress in our discussions with Government in respect of our continued funding, the continued uncertainty year on year is of major concern. Whilst we fulfilled our mandate at a basic level, as set out in the DPAJL 2018, we have not had appropriate capacity to monitor the wider developments insofar as they impact on protection of personal data. Thus, we risk becoming a reactive rather than proactive regulator. The knock-on effect should we not see imminent change is that we will be susceptible to a reduction in staff skills and morale due to training cuts, an increased risk of staff turnover, insufficient skilled resources to further data protection technology and innovation in our contribution and delivery to the Outline Economic Strategy for Jersey, and a risk of a reduction in networking following lower attendance at international fora. It is also challenging to form a resilient and considered long-term financial plan when funding discussions remain un-concluded, creating uncertainty throughout the organisation.

The European Commission has recently concluded its positive assessment of Jersey as having an adequate level of protection for the rights and freedoms of individuals in respect of their personal data. However, this position is not guaranteed, and all third countries are subject to continuous assessment from the Commission. As such, and for all the reasons I set out in my opening paragraphs, we must make certain for the good of the Island and its future economic prosperity that Jersey remains adequate in terms of having an effective data protection regulatory regime. A satisfactory conclusion to the Government funding issue is therefore of paramount importance and must be resolved quickly if we are to remain an effective and efficient regulatory authority.

To conclude, I am hopeful that we can look forward to a successful year ahead with greater stability and further examples of working together to achieve common goals. It is too easy to forget that whilst we operate in different, and sometimes competing environments, our collective purpose is to improve the lives of our citizens and ensure Jersey is a safe place to live and do business. It is incumbent upon all of us as individuals, businesses, Government and regulators to look much further ahead to ensure we provide a safe, sustainable and prosperous Island for our future generations. I look forward to continuing to work together to achieve that outcome.

Paul Vane
Information Commissioner
THE JERSEY DATA PROTECTION AUTHORITY

The Authority is a statutory body which oversees the protection of personal data. The Authority consists of the Chair, and as per Article 3 of the DPAJL 2018 no fewer than 3 and no more than 8 other voting members and the Information Commissioner as an ex officio and non-voting member.

The Chair and voting members are appointed by the Minister. The Information Commissioner is the Chief Executive and:
a is responsible for managing the other employees of the Authority.
b is in charge of the day-to-day operations of the Authority.
c has the functions conferred or imposed on him or her by the Law and any other enactment.

The Information Commissioner, on behalf of the Authority, undertakes the functions of the Authority under the DPAJL 2018 and the DPJL 2018 other than the issuing of a public statement under Article 14 and the making of an order to pay an administrative fine under Article 26 of the DPAJL 2018, or any other function specified by the Authority by written notice to the Information Commissioner.

The Authority is established to undertake a variety of key activities which includes promoting public awareness of risks and rights in relation to processing, especially in relation to children and to raise awareness for controllers and processors of their obligations under the data protection laws. It is also incumbent upon the Authority to report to Government on the operation of the data protection laws and to advise the Minister and the States of Jersey on any amendments that the Authority considers should be made to the laws.

The Authority's activities regularly involve collaboration with local and international partners, sharing expertise in data protection, regulation and financial services. The Authority has established positive working relationships with local Government, public authorities, private sector stakeholders and international partners characterised by collaboration and respect. The Authority is strongly purpose driven, thus both the strategic outcomes and business planning processes are more than just words on a page. The Authority and in turn data protection are pivotal in helping to engender trust and confidence in the Jersey economy. By safeguarding personal and sensitive information, we contribute to the foundation of trust upon which Jersey's economy thrives.

All of the Authority's functions must be performed independently and free from direct or indirect external influence.
GOVERNANCE, ACCOUNTABILITY & TRANSPARENCY

AUTHORITY STRUCTURE AND AUTHORITY REPORT
The Authority is currently comprised of a non-executive chair and five non-executive voting members. As members are appointed by the Minister, the Chair wrote to the Minister in June 2022 to request he consider appointing Members for a 4-year term of office. Given that Article 3(5) of the DPAJL 2018 also sets out the duration of the term of office of appointed Authority Members:

(5) Each voting member is appointed for a term of 5 years or such shorter period as the Minister thinks fit in a particular case and is eligible for reappointment up to a maximum period of service of 9 years.

Since the Authority's inception, the Minister appointed Authority Members on a 3-year term. To allow for maximum contribution and stability, a 4-year term was deemed as more suitable, allowing sufficient time to deliver the best value, without risking a lack of diversity in thinking.

The Minister approved this request on 13 November 2023 in R.169 presented to the States Assembly. 1

The Authority meets at least four times per annum. The Authority operates sub-committees to ensure that relevant matters can be addressed fully, and recommendations taken back to the main Authority meetings.

THE DATA PROTECTION AUTHORITY
The Authority has responsibility to:
- Ensure that the JOIC remains accountable to the people of Jersey, in properly fulfilling its mandate and delivering quality services to its stakeholders.
- Ensure that the JOIC provides value for money and complies with appropriate policies and procedures with respect to human resources, financial and asset management, and procurement. This includes formal approval of any single item of expenditure in excess of 10 per cent of the operating budget for the JOIC.

The Authority also provides an advisory function to the JOIC. With a balance of expertise in data protection, governance, and local knowledge of the Jersey Government and industry, the Authority provides strategic guidance to the JOIC with respect to fulfilling its mandate effectively and efficiently.

DELEGATION OF POWERS
There are other powers and functions that the Authority may exercise under the DPAJL 2018, most notably:
- Enforcing the Law.
- Promoting public awareness of data protection issues.
- Promoting awareness among controllers and processors of their obligations.
- Cooperating with other supervisory authorities.
- Monitoring relevant developments in data protection.
- Encouraging the production of codes.
- Maintaining confidential records of alleged contraventions.

The Authority has delegated all these other powers and functions to the Information Commissioner.

There are certain functions that the DPAJL 2018 stipulates that the Authority must perform itself, and which cannot be delegated to the Information Commissioner. The most important functions are that only the Authority can decide whether to issue administrative fines and/or public statements for contraventions of the law. While the JOIC will make the official finding in each case as to whether a contravention has occurred, it is the Authority that will determine whether a fine will be applicable and the value of that fine. Similarly, it is only in cases where because of their gravity or due to some other exceptional circumstances that the Authority will issue a public statement, where it is in the public interest to do so.

[Organisation chart: JDPA Chair & 6 Voting Members; Information Commissioner; Operations Director; External Legal Counsel; Human Resources Consultant; Compliance & Enforcement Manager; Head of Finance; Community Engagement Lead; Communications & PR Lead; Compliance & Policy Lead; Senior Caseworker; Accounts Technician; Community Youth Worker; Office & Communications; Operations Coordinator; 6 x Caseworkers; Accounts Officer; Operational Assistant / JDPA Secretary]

1 /assemblyreports/2023/r.169-2023.pdf
AUTHORITY MEMBERS
CHAIR OF THE AUTHORITY: JACOB KOHNSTAMM
TENURE
Jacob has been Chair of the Authority since May 2018. His current period of office expires on 28 October 2024.
VOTING AUTHORITY MEMBER: HELEN HATTON
TENURE
Helen joined the Authority on 1 August 2019 for a period of three years and was reappointed for a second term which is due to expire on 1 August 2025.
VOTING AUTHORITY MEMBER: GAILINA LIEW
TENURE
Gailina joined the Authority in October 2018 for a period of three years and was reappointed for a second term which is due to expire on 28 October 2024.
VOTING AUTHORITY MEMBER: PAUL ROUTIER MBE
TENURE
Paul joined the Authority on 1 August 2019 for a period of three years and was reappointed for a second term which is due to expire on 1 August 2025.
VOTING AUTHORITY MEMBER: DAVID SMITH
TENURE
David joined the Authority in October 2018 for a period of three years and was reappointed for a second term of a further two years until his retirement on 28 October 2023.
VOTING AUTHORITY MEMBER: STEPHEN BOLINGER
TENURE
Stephen joined the Authority on 1 May 2023 for a first term that is due to expire on 30 April 2027.
VOTING AUTHORITY MEMBER: PAUL BREITBARTH
TENURE
Paul joined the Authority as of 1 May 2023 for a first term that is due to expire on 30 April 2027.
VOTING AUTHORITY MEMBER: ELIZABETH DENHAM CBE
TENURE
Elizabeth joined the Authority as of 1 May 2023 for a first term that is due to expire on 30 April 2027.
Further details regarding the Authority members' external appointments can be found at https://jerseyoic.org/team
AUTHORITY GOVERNANCE SUB-COMMITTEES REPORT
The Authority is committed to ensuring a high standard of governance and all members are expected to conduct themselves in accordance with the Seven Principles of Public Life.
[Graphic: the Seven Principles of Public Life - Accountability, Openness, Selflessness, Honesty, Integrity, Leadership, Objectivity]
AUDIT & RISK COMMITTEE (ARC)
The voting members who comprise the ARC are:
Helen Hatton (Chair)
David Smith (left on 28 October 2023 meeting date)
Paul Breitbarth (joined ARC on the 12 July 2023 meeting date)
Christine Walwyn (Co-opted accountant, Non-voting)
The Audit & Risk Committee's mandate is to advise and make recommendations to the Authority. The purpose of the ARC is to:
Assist the Authority in its oversight of the integrity of its financial reporting, including supporting the Authority in meeting its responsibilities regarding financial statements and the financial reporting systems and internal controls.
Monitor, on behalf of the Authority, the effectiveness and objectivity of external auditors.
Provide input to the Authority in its assessment of risks and determination of risk appetite as part of the overall setting of strategy.
Assist the Authority in its oversight of its risk management framework.
GOVERNANCE COMMITTEE
The voting members who comprise the Governance Committee are:
Gailina Liew (Chair)
Jacob Kohnstamm
Elizabeth Denham CBE (joined at Governance Committee meeting on 29 June 2023)
The Governance Committee's mandate is to advise and make recommendations to the Authority. The purpose of the Governance Committee is to:
Keep the Authority's corporate governance arrangements under review and make appropriate recommendations to ensure that the Authority's arrangements are, where appropriate, consistent with best practice corporate governance standards.
Review the balance, structure and composition of the Authority and its committees. Its role also encompasses the selection and appointment of the Authority's senior executive officers and voting members of the Authority and giving full consideration to succession planning and the skills and expertise required to lead and manage the Authority in the future.
Evaluate the performance of Authority members on a regular basis as described more fully later in this report.
2023 AUTHORITY MEMBERS' REMUNERATION
The Authority Voting Members received, in aggregate, £73,807.80 in remuneration in 2023.
Further details regarding the Authority Voting Member remuneration can be found at page 71.
REMUNERATION & HUMAN RESOURCES COMMITTEE (R&HR)
The voting members who comprise the R&HR Committee are:
Paul Routier MBE (Chair)
Jacob Kohnstamm
Stephen Bolinger (joined R&HR on 3 November 2023 meeting date)
The Remuneration & Human Resources Committee is mandated to advise and make recommendations to the Authority, with the purpose of:
Assisting the Authority in ensuring that the Authority and Executive retain an appropriate structure, size and balance of skills to support the organisation's strategic outcomes and values.
Assisting the Authority in meeting its responsibilities regarding the determination, implementation and oversight of remuneration arrangements to enable the recruitment, motivation and retention of employees generally.
Overseeing arrangements for appointments (including recruitment processes) and succession planning.
Assisting the Authority by reviewing and making recommendations in respect of the remuneration policies and framework for all staff.
Each Sub-Committee Chair reports back to the Authority, making recommendations for consideration.
The following table sets out the number of full Authority and Sub-Committee meetings held during 2023 and the number of meetings attended by each voting Authority member.
| Member | Full Authority | Audit and Risk | Governance | Remuneration & Human Resources |
|---|---|---|---|---|
| Jacob Kohnstamm | 4 | - | 2 | 2 |
| Helen Hatton | 4 | 5 | - | - |
| Gailina Liew | 4 | - | 2 | - |
| Paul Routier MBE | 4 | - | - | 2 |
| David Smith (retired from Authority & ARC 28 Oct 2023) | 3 | 5 | - | - |
| Stephen Bolinger (appointed to Authority from 1 May 2023 & R&HR 22 May 2023) | 3 | - | - | 2 |
| Paul Breitbarth (appointed to Authority from 1 May 2023 & ARC from 12 July 2023) | 3 | 2 | - | - |
| Elizabeth Denham CBE (appointed to Authority from 1 May 2023 & Governance from 29 June 2023) | 3 | - | 2 | - |
| Christine Walwyn (Co-opted member of the JDPA Audit & Risk Committee from 11 November 2022) | - | 6 | - | - |
JDPA PERFORMANCE EVALUATION AND REAPPOINTMENTS
The Governance Committee has established a comprehensive performance evaluation process for the Authority, consisting of the following components:
1 Annual Peer Review
Each voting member conducts a peer review, assessing the performance of every other member. The focus is on evaluating performance against the key attributes expected of a board member.
2 Annual Self-Assessment of Skills
Individual voting members undertake an annual self-assessment, evaluating their competence across a broad spectrum of skills, knowledge, and experience essential for fulfilling the Authority's mandate.
3 Independent External Review
An independent external review of overall Authority effectiveness, to be conducted every three years.
In 2023, the Governance Committee, with support from the JOIC Executive, initiated a scoping exercise to identify suitable partners to undertake an external review of the Authority. A local organisation was appointed, and a framework was chosen to evaluate key areas of the Authority's effectiveness, such as governance, communication, leadership, and culture. The process commenced in Q4 2023, and the results will be available in early 2024, reported in the next Annual Report. Due to the addition of three new members in May 2023, the annual skills assessment and peer review is scheduled for early 2024.
DIVERSITY OF THE JDPA
The Authority is comprised of 7 members, 43% of JDPA members were female and 57% were male in 2023. Members range in age from early 40s to early 70s and represent four different nationalities. Authority members bring a diverse range of experience, formal education and professional qualifications, including expertise in data protection, law, governance, IT, sciences, business, education and teaching.
PRINCIPAL & EMERGING RISKS
The Authority's primary obligation is to fulfil statutory responsibilities as the independent body promoting respect for private lives. The Authority's strategic outcomes support us in the fulfilment of our mandate.
The strategic outcomes are subject to a number of risks and uncertainties that could, either individually or in combination, impact the operational performance of our team.
We identify and manage these and other risks through our risk management framework which is based on the Authority's low appetite for risk.
Risks are overseen by the Audit and Risk Committee, who monitor risk movements and mitigating actions and relevance to the strategic outcomes. We continue to monitor political and legislative developments and assess the opportunities and threats to enable us to regulate effectively. Risks are identified and scored against likelihood and consequence parameters to generate a risk matrix that is regularly monitored and used to guide the Authority's strategic thinking and actions.
The following table identifies the principal risks and mitigating actions. The risks are categorised into five main areas:
1 Legal & Regulatory
2 Operational
3 Governance
4 Strategic
5 Political
Since our previous 2022 report our principal risks have been reviewed in light of the political situation in the Ukraine, the Middle East and the current pressures on the financial economy here and in the UK.
SUMMARY OF PRINCIPAL RISKS
| RISK DESCRIPTION | HOW WE MANAGE THE RISK |
|---|---|
| Internal compliance: failing to comply with the Data Protection Authority (Jersey) Law 2018 in terms of case management, process and reasonableness of decisions made. | Understand our compliance obligations and what this looks like on a practical level. Monitor how we implement and sustain our obligations. Put in place effective and ongoing training, staff feedback, internal audits and reviews. |
| Perception: industry and Government perception that our effectiveness as a regulator is based on our fining actions. | JOIC focus is on outcome-based regulation. Enforcing appropriate and proportional enforcement sanctions. Maintaining consistent and compliant investigation, inquiry and audit processes. |

| RISK DESCRIPTION | HOW WE MANAGE THE RISK |
|---|---|
| Revenue. Any changes or absence of fee monies or Government funding impacts on our ability to fulfil our regulatory functions. Economic uncertainty impacts on the number of entities trading in Jersey and registering with the Authority. | Maintain liaison with Government to progress fee discussions to contribute financially to the provision of data protection regulation in Jersey. Monitor operational costs and revenues closely. Monitor entity numbers, liaise with Statistics Unit for data analysis. Monitor number of entities deregistering as the economy changes. Stakeholder relationships to gauge industry movements. |
| Talent Management, Retention and Succession Planning. Maintaining a capable and knowledgeable team. It is essential that the statutory functions of the Jersey Data Protection Authority are fulfilled to the highest standard to maintain credibility and trust. | Embedding succession planning throughout the organisation. Building skills and knowledge through personal and professional development. Human Resources strategy aligns with our strategic outcomes. Striving for diversity and inclusion throughout our operational and HR activities. |
| Cyber threat and Information Security. The Authority recognises that it is a target for cyber threats. | Achieving proportionate and relevant accredited security standards. Asset management, software and hardware security. Testing, maintenance, asset replacement, training. Migrating platforms to the cloud, developing enhanced CRM and management information. Critical applications are only accessible through secure portals requiring layered authentication. We undertake Disaster Recovery exercises to test systems. We employ industry best practices as a fundamental part of our cyber security policies, processes, software and hardware. Cyber awareness training is ongoing within our team. |

| RISK DESCRIPTION | HOW WE MANAGE THE RISK |
|---|---|
| Authority Talent Management and Retention. | Annual JDPA skills review. |
| Poor Stakeholder relations impacting on inclusion in projects and island decisions. | Manage stakeholder communications and mapping plan and listen to and measure feedback. Genuine engagement and relationships. |

| RISK DESCRIPTION | HOW WE MANAGE THE RISK |
|---|---|
| Greater accessibility & availability of technology in all areas, impacts on ability to keep abreast of developing changes in personal information processing. Impact on detriment to the individual and reputation of JOIC. | Horizon Scanning. Stakeholder management. |
| Developing relevant management information on data protection trends. The absence of relevant and timely information impacts on service performance, informed decision making and relevant strategic outcomes. | Measuring impact of resources in relation to Business Plan and Statutory Obligations. Consider most effective options for gathering information and tracking progress / improvement. Outcomes based accountability - who is better off? Horizon scanning. Create baselines for most vital areas to track. |
| Hosting GPA International Conference in October 2024. | Detailed project and financial planning. Collaboration with the GPA. Managing financial and reputational risk. |

| RISK DESCRIPTION | HOW WE MANAGE THE RISK |
|---|---|
| Maintaining constructive dialogue with the Department of the Economy. Changes in personnel and availability of key personnel impacts our working relationship. | Monitor relationship. Proactive approach to maintaining regular dialogue. Frequent reviews. |
| Government funding for Government data protection activities. | Provide activity data. Protecting our independence as a key priority. Reviewing grant and working agreement. |
| Change to AML Legislation and Administered entities in Jersey. Political unrest and wars in Ukraine and Israel-Gaza. Impact on number of entities operating in Jersey. | This will be carefully monitored. Monitor and liaise with stakeholders. Monitor MoneyVal report. |
OUR APPROACH TO MEASURING PERFORMANCE
Measuring performance in the business world is not a level playing field. Profit-driven organisations, providing products or services for a fee, find it easier to measure their performance compared to non-profit organisations focussed on changing attitudes and behaviours. Problems often arise from applying industrial model thinking to change agent services. In the change agent model, the number of clients served is not the end product; it is a means to achieve a change in attitudes, behaviours and culture, which is the true end goal of the work. Therefore, the performance measurement method must support and enable the work of the change agent service.
In terms of JOIC's role as a change agent, our method for measuring and monitoring progress toward our strategic outcomes must consider both the quantitative and qualitative effects of our service. We are not only concerned with the number of cases closed, audits undertaken, or campaigns run; we also strive to shift attitudes and behaviours towards our vision of a culture where privacy is instinctive and islanders are empowered to assert their rights. Our measurement model will aim to also find evidence of progress in these more nuanced areas and determine 'is anyone better off?' as a result of our efforts.
We already include performance measures in many of our activities, and we recognise we can expand our efforts further to include a consistent approach across all areas of our service. The following sections highlight our enforcement activities, case data, breach data, outreach and engagement activities and most importantly the impacts and effectiveness.
2023 PERFORMANCE REPORT
ANNE KING
Operations Director
Part 2 of the DPAJL 2018 sets out the General Functions of the Authority which focusses on the administration and enforcement of our data protection laws, promoting public awareness of risks, rules, safeguards and rights and promoting the obligations of controllers and processors under the laws.
In performing these general functions, it is important for us to understand and measure our impact and effectiveness, allowing us to manage our resources and finances effectively.
ENFORCEMENT ACTIVITIES
The Oxford English Dictionary cites enforcement as 'the process of making people obey a law or rule, or making a particular situation happen or be accepted'. The DPAJL 2018 sets out our range of corrective powers.
Data protection enforcement occurs across a spectrum. Enforcement is not all about fines; it is a graduated series of responses to engender a change in behaviour which better protects the integrity of both data subjects and data controllers generating compliance and, importantly, trust. Enforcement outcomes are lessons learnt to be shared.
The Authority's Regulatory Action and Enforcement Policy[2], introduced in 2020, is based on five key principles of enforcement, which supports the outcomes-based approach:
1. Proportionality
2. Targeted
3. Accountability
4. Consistency
5. Transparency
This policy seeks to promote the best protection for personal data without compromising the ability of businesses to operate and innovate in the digital age. It helps to engender trust and build public confidence in how Jersey's public authorities manage personal data.
2 https://jerseyoic.org/media/l5sfz1s0/joic-regulatory-action-and-enforcement-policy.pdf
AUTHORITY SANCTIONS
The Authority has several tools in its enforcement suite, namely:
A - Reprimand
B - Warning
C - Order
D - Public Statement
E - Administrative Fine
A REPRIMAND
This is a formal acknowledgment that an organisation has done something wrong and is being rebuked for its conduct. This remains on the record of an organisation and could be considered if further incidents occur in the future. Generally, reprimands are issued in tandem with certain other Orders, but this is not always the case. For example, whilst there may have been a technical contravention of the DPJL 2018 for which the organisation was responsible, they might have taken steps to put things right and rectify the issues that contributed to the contravention and a formal rebuke may suffice.
B WARNING
We may issue a Warning when the Authority considers that any intended processing or other act or omission is likely to contravene the DPJL 2018. A Warning is designed to avoid such a contravention. We have not had occasion to issue any Warnings.
C ORDER
The Authority can make a variety of Orders but we make sure these are proportionate to the actual contravention and actually address and remediate the issues identified. During 2023, the Authority issued a range of Orders including:
Ordering a controller to delete data captured by the specified contraventions.
Ordering a controller to provide staff members with appropriate, relevant and role specific data protection training. Requiring the controller to report back to the Authority within a stipulated timeframe, confirming that training had been provided, who it had been provided to and with a copy of the course materials, this for review by the Authority.
Registering with the Authority.
Keeping a controller under effective supervision for a period of time whilst they update data protection policies, procedures and IT systems and requiring an update report at the end of that period.
Directing that a controller should respond to a previously unanswered subject access request or any other data subject right under the DPJL 2018 within a certain timeframe (including providing previously withheld information).
Keeping a controller under supervision whilst they undertake a wholesale review of both public and employee privacy notices.
D PUBLIC STATEMENT
As with everything it does, the Authority approaches the issuing of Public Statements on a proportionate basis and will only issue a Public Statement where, because of the gravity of the matter or for other exceptional reason, it would be in the public interest to do so. It does not identify all parties involved in or otherwise report on every enforcement action taken because that is not what the law provides for. There is a strict test that must be met and the Authority reserves this power for the most serious cases.
E ADMINISTRATIVE FINE
The Authority Law provides for substantive administrative fines and sanctions for contraventions of the DPJL 2018, but it is our intention to use these as a sanction of last resort.
In determining whether to impose an Administrative Fine in accordance with Article 26 of the DPAJL 2018, the Authority will consider:
The nature, gravity and duration of the contravention.
Whether the contravention was intentional or neglectful.
The action taken by the controller or processor to mitigate the loss or damage, or distress suffered.
The degree of responsibility of the person concerned and the technical and organisational measures implemented for the purposes of data protection.
Previous contraventions.
The degree of cooperation with the Authority.
The categories of personal data.
In issuing a fine, the Authority will consider the need for it to be effective and proportionate, as well as to be a deterrent. To date it has not been appropriate to issue any fines.
It should be noted that the Authority does not have the power to fine a public authority as detailed in Part 4 Article 26. (9) of the DPAJL 2018, this includes the States Assembly, the States of Jersey Police, a Minister etc.
INFORMATION NOTICE
As part of our investigation process and powers under Schedule 1 of the DPAJL 2018, we have the power to issue an organisation with an Information Notice. This imposes a legal requirement to provide us with any information we consider necessary to assist us in any investigation or inquiry.
An Information Notice requires we give the data controller 28 days to provide the requisite information. This is a lengthy and formal process. Often upon receipt and analysis of the requested information, we have further questions which results in a follow up Information Notice. It will be clear that such exchanges can take a number of months.
Therefore, we tend to use the Information Notice for the more complex/serious cases or where there is reluctance from a data controller to engage with us at an early stage.
COMPLAINTS AND INQUIRIES
Part 4, of the DPAJL 2018 sets out Enforcement by the Authority detailing how we approach Complaints and Inquiries.
Upon receipt, each complaint and self-reported data breach is evaluated to determine whether or not to investigate or conduct an inquiry, as appropriate. The Authority undertakes this evaluation as soon as is practicable and in any event within eight weeks for complaints and as soon as possible for self-reported data breaches.
In the case of a complaint, once the initial evaluation has taken place the complainant is advised in writing whether or not a formal investigation will take place. The complainant has a 28-day window of appeal at this stage if the Authority decides it would not be appropriate to carry out a formal investigation and it may reject complaints if they fulfil certain criteria set out in the DPAJL 2018.
Once the investigation is underway we provide updates at least every 12 weeks. Any investigation must conclude whether the law has been contravened (Article 23 of the DPAJL 2018) and, if so, must decide whether or not to impose any formal sanction (although it does not have to do so). We will then notify the data controller or data processor of the proposed determination which sets out the findings and includes details of any sanctions it is minded to impose, and they are afforded 28 days to provide any representations on those draft findings and/or sanctions.
We must take into account any representations made before issuing our final determination which will be sent to the data controller or data processor and to the complainant. Both parties have a 28-day period to appeal that final determination to the Royal Court of Jersey but can only do so if our decision is considered unreasonable in the circumstances of the case.
The above process is almost identical in terms of an inquiry although such obviously does not involve a data subject in the same way.
As part of our formal investigation and inquiry process, we have the power to issue a formal Information Notice to compel the production of information and the recipient will usually have 28 days to respond.
In the majority of cases such correspondence is requested and responded to directly by email. This is generally quicker and more efficient as most controllers are willing to cooperate fully with the investigation. This often makes for a good relationship between our office and the organisation we are investigating.
We would make use of the more formal Information Notice where we were experiencing resistance from a controller to provide us with the information requested.
The DPJL 2018 applies to personal data meaning any information relating to an identifiable, natural, living person who can be directly or indirectly identified in particular by reference to an identifier.
The definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people. Personal data is at the very heart of most organisations. Data protection legislation is in place to help ensure that all of us are provided with appropriate legal protections and remedies in today's highly digitised world.
Data protection holds organisations entrusted with personal information accountable, setting standards for how that information is used and as a last resort to provide a framework for enforcement where rules are breached.
Our vision is to create an Island culture whereby privacy becomes instinctive with individuals and organisations taking a proactive approach to privacy and data protection by it being embedded throughout their daily activities and business planning. In striving to achieve this we pride ourselves on making every touch point with a complainant, an enquirer, an organisation reporting a breach or a registration enquiry, an informative and positive experience aimed at fostering a constructive and educational relationship. We also facilitate learning and information exchange, helping us to understand the challenges faced by industry and the frustrations faced by complainants. That said, we do not shy away from exercising our enforcement powers where warranted, or where the organisation at fault has demonstrated wilful neglect or a repeated pattern of behaviour.
Jersey's economy is dominated by finance activities, accounting for almost 40% of economic activities and employing over 20% of the working population[3]. Other significant industries in terms of employment are hospitality, public sector, education, health, wholesale, retail and construction.
INVESTIGATION
2023 PROCESS
CASE Each cevaluatomplaint and self-red using a standar epord framewted data brork as set out in Peach (SRDB) is art The cstage if the Aomplainant has a 28-dauthority decides it wy windoulod not be apprw of appeal at this opriate DATA & 4 of the DPtco contronduct an Inquiravention of the DPAJL 2018. The JOIC will also use this fry on its oAJL 2018, which wwn initiativ e mae int y lo a likamewearn ely ork tcOnco carromplaints if thee the iny out a fvestigation is undormal iny fulfil cvestigation and it maertain criterway the JOIC preria set out in the Lay r oeject vide w. about from a whistle-blower or by observing a behaviour
ENFORCEMENT rorganisation. The inbeen a cinelating tvestigatontro the use of pere or cavention of the laonduct an inquirvestigation will idsonal infw.y, as apprormation bentify if theropriaty an e. The e has updatmust c(Arwhether or not tdetticlermination which sets out the findings and includes at le 23 of the DPoncludeast ee whether the Lao impose anver AJL 20y 12 w 18) and, if soeeks. The iny fw has been cormal sanction (although , must dvestigation ontr ecidavened e es Upon receipt, each complaint and self-reported data it does not have to do so). The JOIC will then notify
breach is evaluated to determine whether or not to the data controller or data processor of the proposed Authority undertakes this evaluation as soon as is details of any sanctions it is minded to impose, and they
practicable and in any event within eight weeks for are afforded 28 days to provide any representations on
STEPHANIE MACNEILL complaints and as soon as possible for self-reported data those draft findings and/or sanctions.
breaches.
Compliance and Enforcement Manager
In the case of a complaint, once the initial evaluation has taken place the complainant is advised in writing whether or not a formal investigation will take place.
The JOIC must take into account any representations made before issuing its final determination, which will be sent to the data controller or data processor and to the complainant. Both parties have a 28-day period to appeal that final determination to the Royal Court of Jersey.
As part of our formal investigation and inquiry process, we have the power to issue a formal Information Notice to compel the production of information and the recipient will usually have 28 days to respond.
(The above process is almost identical in terms of an Inquiry although an inquiry does not involve a data subject in the same way. The Authority may conduct an inquiry on its own initiative into the application of the Data Protection Law as per Part 4, Article 21 of the DPAJL 2018.)
In the majority of cases such correspondence is requested and responded to directly by email. This is generally quicker and more efficient as most controllers are willing to cooperate fully with the investigation. This often makes for a good relationship between JOIC and the organisation we are investigating.
We would make use of the more formal information notice where we were experiencing resistance from a controller to provide us with the information requested.
REGISTRATIONS
The number of entities registered with the Authority increased by 11%, from 6,634 in 2022 to 7,366 in 2023. This growth is net of deregistrations, as organisations cease trading; in total we had 330 deregistrations in 2023.
330 organisations ceased trading and therefore deregistered.
We recognise that the following sectors are not yet fully represented on our public Registry - construction, retail, health, and beauty. We will focus registration activities in these sectors.
2023 ACTIVE REGISTRATIONS BY ORGANISATION AS AT 31 DECEMBER 2023
Financial & Professional Services - 1953
Real Estate & Property Management - 1103
Construction, Trades & Services - 732
Health & Wellbeing - 558
Leisure & Fitness / Hospitality / Tourism - 557
Manufacturing / Whole Sale - 452
Professional Bodies - 315
Charities - 300
Social Clubs & Associations - 289
Technology & Telecommunications - 227
Education & Childcare - 225
Legal Services - 118
Media & Communications - 139
Public Authority / Regulators - 123
Agriculture & Fishing
Utilities & Delivery Services
Animal Husbandry & Welfare
Faith, Worship & Religion
Schedule 4 of the DPAJL 2018 details the process of enforcement by the Authority in the event it receives a complaint (which can lead to a formal investigation) or conducts an inquiry.
The Authority receives a broad range of contacts. We classify them into the following categories:
Enquiries. These range from simple questions regarding our location and career opportunities to the more complex questions around guidance matters. In 2023 we responded to 119 general enquiries.
Complaints. Complaints are received from individuals concerned about the use of their personal information, non-response to a subject access request or other rights which have not been fulfilled.
Self-Reported Data Breaches. Under the DPJL, data controllers are required to report certain breaches to the JOIC within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to the rights and freedoms of the individual.
215 total number of breaches reported in 2023
Jersey's economy is a blend of business activities, the public sector is the largest single employer on the Island, with over 7,000 public servants, the retail sector employs circa 7,000 people with the Agriculture and Fishing sector employing over 1800 people. Construction, trades and services has in excess of 5,500 employees. Jersey's finance sector is the largest industry, employing more than 13,500 people[4] representing 40% of Jersey's economic output6.
The chart below highlights the number of Complaints and self-reported data breaches per sector.
Public Authorities (including appointed Regulators and Statutory) is the largest employer and attracted 30 complaints representing 38% of our caseload. They reported 23 breaches (10%) of the overall 215 breaches reported to us in 2023. Finance and Professional Services were the source of 19 complaints (24%) of our compliance caseload. They reported 88 breaches to us. Of note were 19 (9%) breaches from the Charitable Sector and 18 (8%) from Health and Wellbeing.
38% of our caseload were complaints about Public Authorities
| Sector | Registrations: Count | Registrations: % | Request for Amicable Resolution: Count | Request for Amicable Resolution: % | Complaints: Count | Complaints: % | SRDB: Count | SRDB: % |
|---|---|---|---|---|---|---|---|---|
| Agriculture and Fishing | 97 | 1 | 0 | 0 | 0 | 0 | 2 | 1 |
| Animal Husbandry and Welfare | 57 | 1 | 0 | 0 | 1 | 1 | 0 | 0 |
| Charities | 300 | 4 | 1 | 7 | 2 | 3 | 19 | 9 |
| Construction, Trades and Services | 732 | 10 | 1 | 7 | 1 | 1 | 2 | 1 |
| Education and Childcare | 225 | 3 | 0 | 0 | 1 | 1 | 20 | 9 |
| Faith, Worship and Religion | 47 | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
| Financial and Professional Services | 1953 | 27 | 4 | 27 | 19 | 24 | 88 | 41 |
| Health and Wellbeing | 558 | 8 | 0 | 0 | 3 | 4 | 18 | 8 |
| Legal Services | 118 | 2 | 0 | 0 | 0 | 0 | 10 | 4 |
| Leisure and Fitness/Hospitality/Tourism/Travel/Entertainment | 557 | 7 | 0 | 0 | 1 | 1 | 8 | 4 |
| Manufacturing, Wholesale and Retail | 452 | 6 | 0 | 0 | 3 | 4 | 8 | 4 |
| Media, Communication and Advertising | 147 | 2 | 1 | 6 | 0 | 0 | 2 | 1 |
| Professional Bodies/Professional Associations/Professional Consultancy | 315 | 4 | 0 | 0 | 5 | 6 | 2 | 1 |
| Public Authority/Sector, Appointed Regulators and Statutory Bodies | 116 | 2 | 6 | 40 | 30 | 38 | 23 | 10 |
| Real Estate and Property Management | 1103 | 15 | 0 | 0 | 1 | 1 | 3 | 1 |
| Social Clubs and Associations | 289 | 4 | 0 | 0 | 0 | 0 | 4 | 2 |
| Technology and Telecommunications | 227 | 3 | 2 | 13 | 0 | 0 | 2 | 1 |
| Utilities and Delivery Services | 73 | 1 | 0 | 0 | 0 | 0 | 3 | 2 |
| Sector not found. (CCTV issues not aligned to an industry sector) | 0 | 0 | 0 | 0 | 13 | 16 | 0 | 0 |
| TOTAL | 7366 | 100 | 15 | 100 | 80 | 100 | 215 | 100 |
Since the introduction of the DPJL 2018, the number of complaints has fluctuated year on year, with the self-reported data breaches averaging 210 per annum.
| | Complaints and Inquiries | Amicable Resolution | Self-Reported Data Breaches |
|---|---|---|---|
| 2018 | - | | |
| 2019 | 145 | - | 256 |
| 2020 | 140 | - | 229 |
| 2021 | 90 | - | 232 |
| 2022 | 58 | 25 | 188 |
| 2023 | 81 | 15 | 215 |
The introduction of the Amicable Resolution process in 2022 provides the opportunity for matters to be resolved amicably with the data controller. Throughout 2023 the appetite for amicable resolution remained strong amongst complainants and data controllers. Of the 15 Amicable Resolution cases opened in 2023, 10 were completed and deemed successful in terms of both parties being satisfied with the outcome. One case was partially unsuccessful and two were deemed unsuccessful and all three cases turned into formal complaints.
2023 CASE DATA & ENFORCEMENT
Complaints generally relate to a mix of topics but predominantly focus on right of access requests, and unauthorised disclosure of personal data. Right of access complaints include a lack of response, refusal to respond, delays and excessive redaction. Unauthorised disclosure ranges from personal data being shared on social media (e.g. Facebook) to being shared with unauthorised third parties. Complaints also included excessive collection, lack of required transparency information (including privacy notice), holding inaccurate personal data and concerns over security. We also received a number of domestic CCTV complaints.
In relation to the 2023 complaints received, there has been an increase in the following two categories:
- I asked for access to/copies of my personal information, and I've not received it/they have withheld it from me.
- My information has been shared and it shouldn't have been.
The first of these refers to dissatisfaction raised by the complainant upon receipt of the information they request as part of the right of access. Complaints of this nature have doubled from 15 complaints in 2022 to 30 such complaints in 2023. Data Controllers and Processors are reporting they are experiencing a substantive increase in the number of the right of access requests, often citing frustration as the spirit of the law is lost in the high volume of requests and often commenting that such are being used for allegedly unlawful/collateral purposes.
We often see overredacting when responding to data subjects, failing to respond to requests or declining to share certain aspects of information expected by the applicant.
The complaints received regarding sharing personal information are mostly due to employers over-sharing information, the blind copy function not being used when sending group emails, information being shared without a basis between controllers and ex-employees using personal information without authorisation.
The complaints we have investigated have resulted in a number of sanctions issued, including Reprimands, Orders and Words of Advice. The Orders covered a range of topics from training, policy reviews, implementation of policies, registering with the Authority and ensuring a relevant person is identified within the Data Controller as a Data Protection Lead or Data Protection Officer. The release of further personal information to complainants also formed a significant volume of Orders along with the request to delete personal information inaccurately involved in contraventions.
The complaints received in 2023 were noticeably more complex in their nature, compared to previous years. At the end of 2023, of the 81 complaints received, 75% were tipped into a formal investigation and of those complaints reported to us in 2023, 50% were still ongoing. As per Part 4, Art. 20(1) of the DPAJL 2018, the Authority upon receiving a complaint has 8-weeks in which time to determine whether or not to investigate a complaint. Part 4, Art. 20(2) of the DPAJL 2018 sets out the basis upon which we investigate or reject the complaint.
Following the structured investigations, the Authority issued a blend of Orders, Reprimands and Words of Advice. We monitor the implementation of the Orders to ensure the Data Controller/Processor responds appropriately to the correct standard and within a defined time frame. Depending on the complexity of the Orders, the implementation process can take several months. Of the complaints we formally investigated and closed during 2023, the data controllers involved received multiple Orders per determination.
2022 COMPLAINTS OPENED PER QUARTER BY TYPE
| Complaint type | TOTAL |
|---|---|
| Uncategorised at time of submission | 9 |
| Direct marketing | 1 |
| I asked for access to/copies of my personal information and I've not received it/they have withheld it from me | 15 |
| I asked for my information to be rectified/erased/sent to another controller and my request has been refused | 5 |
| I don't think my personal data is being/has been kept safe | 4 |
| My information has been shared and it shouldn't have been | 18 |
| Other | 4 |
| Someone has collected my personal data, but I didn't give it to them | 2 |
| TOTAL | 58 |
2021 COMPLAINTS OPENED PER QUARTER BY TYPE
| Complaint type | TOTAL |
|---|---|
| Uncategorised at time of submission | 20 |
| Direct marketing | 5 |
| I asked for access to/copies of my personal information and I've not received it/they have withheld it from me | |
| I asked for my information to be rectified/erased/sent to another controller and my request has been refused | 3 |
| My information has been shared and it shouldn't have been | 22 |
| I don't think my personal data is being/has been kept safe | 13 |
| Someone has collected my personal data, but I didn't give it to them | 9 |
| TOTAL | 90 |
2023 COMPLAINTS OPENED PER QUARTER BY TYPE
| Complaint type | TOTAL |
|---|---|
| Uncategorised at time of submission | 4 |
| Direct marketing | 2 |
| I asked for access to/copies of my personal information and I've not received it/they have withheld it from me | 30 |
| I asked for my information to be rectified/erased/sent to another controller and my request has been refused | |
| I don't think my personal data is being/has been kept safe | 7 |
| My information has been shared and it shouldn't have been | 25 |
| Other | 1 |
| Someone has collected my personal data, but I didn't give it to them | 3 |
| TOTAL | 80 |
Data protection is intangible; the following precis of some investigation and enforcement actions highlight the reality of the mishandling of personal information and the potential impact on the data subjects and the data controllers. These cases bring to life the reality of our mandate, powers and remedies.
COMPLAINT - HEALTH & WELLBEING SECTOR
A customer raised a concern that a staff member had viewed the customer's record without a lawful basis to do so. This was raised on more than one occasion to the manager. The document filing system includes an ability to restrict access by staff members, but the manager did not know that such a functionality existed and took no other meaningful steps to ensure that the customer's information was not accessed, nor any audit carried out.
SUMMARY OF FINDINGS, CONTRAVENTIONS AND ORDERS
FINDING 1
Contravention of Art.6(1)(a) and (d) of the DPJL 2018
FINDING 2
Contravention of Art.8(1)(f) of the DPJL 2018
FINDING 3
Contravention of Art.14(1)(a) of the DPJL 2018
FINDING 4
Contravention of Art.21(1) of the DPJL 2018
FINDING 5
Contravention of Art.21(2)(b) of the DPJL 2018
ORDER 1
Data controller to implement training in relation to the use of the document filing system. Specific role related training to be provided to all staff so they are aware of the functionality of the system relevant to their specific role, whether clinical or administrative.
ORDER 2
Data controller to implement a bespoke data protection training package so that all staff are fully conversant with their obligations under the Data Protection (Jersey) Law 2018.
ORDER 3
Data controller to provide evidence of the review and subsequent implementation of policies, procedures and training as stated in Orders 1 and 2.
A Reprimand was also issued.
INQUIRY FOLLOWING DISCOVERY OF A FLY-TIPPED BUSINESS NOTEBOOK
The notebook, found in a bin, contained details of a meeting and background information between an individual and a professional.
SUMMARY OF FINDINGS, CONTRAVENTIONS AND ORDERS
FINDING 1
Contravention of Art. 6(1)(d) of the DPJL 2018
FINDING 2
Contravention of Art. 8(1)(f) of the DPJL 2018
FINDING 3
Contravention of Art. 15(1)(a) and (b) of the DPJL 2018
FINDING 4
Contravention of Art. 21(1) of the DPJL 2018
ORDER 1
Controller to produce a policy and procedure surrounding the issuing, use, retention, and disposal of handwritten notes.
ORDER 2
Controller to implement a training package so that all staff are fully conversant with the new policy and procedure. A schedule to be produced to ensure all relevant staff receive appropriate training.
ORDER 3
Controller to provide evidence of the implementation of the new policy and procedure and training as stated in Order 1 and Order 2.
A Reprimand was also issued.
A SELF-REPORTED DATA BREACH - LEADING TO AN INQUIRY
LEGAL SERVICES SECTOR - A SENSITIVE DOCUMENT DISCLOSED TO NON-RELATED PARTIES, IN FULL WITHOUT REDACTION.
The data controller disclosed an extremely sensitive document to the incorrect client (via Outlook autofill). The controller failed to appreciate the sensitivity and potential risks and made assumptions about the recipient in terms of actual access to the document and had not taken sufficient steps to mitigate the risks.
The data controller made various improvements to their systems as the Inquiry was in train, including training and also acted on all recommendations made including advising affected parties.
SUMMARY OF FINDINGS, CONTRAVENTIONS AND ORDERS
FINDING 1
Contravention of Art. 8(1)(f) of the DPJL 2018
FINDING 2
Contravention of Art. 15(1)(a) and (b) of the DPJL 2018
FINDING 3
Contravention of Art. 20(6)(a) of the DPJL 2018
The Order imposed required the data controller to provide evidence of the implementation of the Document Management System.
A Reprimand was also issued.
PUBLIC STATEMENTS
During 2023 we issued three Public Statements.
1. Government of Jersey: Customer and Local Services (CLS) (April 2023)
Following a formal investigation against Customer & Local Services (CLS), the Authority found that CLS had contravened Art.8(1)(a), Art.14(1)(a), Art.14(1)(b), Art.27(1) and Art.28(3)(a) of the DPJL 2018 in that it failed to respond appropriately to certain requests for access to information held by an individual.
CLS were sanctioned with one formal Reprimand in accordance with Art.25(1)(a) DPAJL 2018 and three Orders, which ranged through from a wholesale review of data protection policies and procedures to delivering relevant and timely training for their team and improving technical and organisational measures. CLS were given formal Words of Advice regarding their approach to the original subject access request. We ensured the Orders were carried out within a prescribed timeframe to an acceptable standard.
2. Brenwal Limited (Brenwal) (November 2023)
Following an Inquiry commenced on 8 February 2022 pursuant to Art.21 of the DPAJL 2018, the Authority determined that Brenwal Limited had contravened Art.8(1)(a) and Art.12(1) of the DPJL 2018.
The Authority found that Brenwal should not have carried out covert monitoring of Employee A. It was not necessary and they had no lawful basis to do so which was a contravention of Art.8(1)(a). The Authority also found that Brenwal lacked the relevant transparency information required by Art.12(1) and that Brenwal should have, in advance, made their staff aware that they could be subject to monitoring.
Upon publication of a Public Statement, we now publish the infographic (pictured) to clarify the breach, the decision and most importantly, the lessons learned for the data protection community.
Brenwal received a formal Reprimand and four Orders, which ranged from delivering relevant and timely training for their team, a wholesale review of data protection policies and procedures with particular focus on their public and employee privacy notices, and the deletion of all data captured by the contraventions. Brenwal were required to demonstrate to the Authority they had fulfilled the Orders within a prescribed timeframe to an acceptable standard.
3. JRSY Laser Limited (JRSY Laser) (December 2023)
Following an investigation commenced in September 2021 pursuant to Art.20 of DPAJL 2018, the Authority determined that JRSY Laser Limited (JRSY Laser) had contravened Art.6(1)(b), Art.6(1)(c) and Arts.8(a)(b) and (f) of the DPJL 2018.
The Authority found that JRSY Laser should not have shared the information about the data subject's treatments (medical data), nor the fee dispute with either the data subject's employer or the receptionist and there was no lawful basis for sharing that information. The processing of the data subject's information in this way was also incompatible with the original purpose for which it was collected. The sharing of the information was therefore in contravention of Art.8(1)(a) and Art.8(1)(b) of the DPJL 2018.
JRSY Laser were sanctioned with one formal Reprimand in accordance with Art.25 (1)(a) DPAJL 2018 and three Orders, which ranged from registering with the Authority, to allocating a Data Protection Lead within the business, to undertaking relevant and timely training for their team. JRSY Laser had to demonstrate to the Authority they had fulfilled the Orders within a prescribed timeframe to an acceptable standard.
We introduced the new infographic (pictured above) as part of our continuous improvement programme and following feedback from several parties including the data controllers and media who requested easy to follow, top-level information about the breaches and Authority findings. As part of our review we decided to include a lessons learned section to educate the public and other Data Controllers/Processors about what they must/must not do should they be faced with similar issues. The new high level summary infographic has received a positive response and resulted in increased media coverage.
BREACH REPORTING
Under the DPJL 2018 in the case of a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach in writing to the Authority (Article 20).
In relation to breaches we also have an obligation under Art 11 1. (e) of the DPAJL 2018 to promote the awareness of controllers and processors of their obligations under this Law and the Data Protection Law.
2023 SRDB CASES OPENED BY ORGANISATION TYPE
215 CASES OPENED
Financial & Professional Services - 88
Public Authority - 23
Education - 20
Charities - 19
Health & Wellbeing - 18
Legal Services - 10
Leisure & Fitness / Hospitality / Tourism - 8
Manufacturing / Whole Sale - 8
Social Clubs & Associations - 4
Real Estate & Property Management - 2
Utilities & Delivery Services - 2
Agriculture & Fishing - 2
Construction, Trades & Services - 2
Professional Bodies - 2
Media & Communications - 2
Professional Bodies - 2
Technology & Telecommunications - 2
Faith, Worship & Religion - 1
Investigating self-reported data breaches represented a significant proportion of our Compliance and Enforcement caseload during 2023.
The chart above highlights that 40.9% of the breaches reported to us were from the financial and professional services sector. It should be noted that this sector has a culture of reporting and monitoring breaches throughout their activities.
Due to the severity, nature of the data (for example, special category data) and the possibility of repeat breaches following the submission of a self-reported breach, we may open a formal Inquiry. Four Inquiries were commenced following the submission of self-reported data breaches in 2023, the entities involved were from a mix of Government Departments, Health and Wellbeing, Leisure and Fitness/Hospitality/Tourism/Travel sectors. At the time of writing, one of these Inquiries is ongoing and one has resulted in a breach determination with 9 contraventions, 5 Orders and a Reprimand. One Inquiry resulted in close monitoring and the implementation of updated data protection policies and procedures. The fourth Inquiry focussed on the creation and implementation of a newly drafted Acceptable Use Policy in terms of mobile phone use.
From our records it is evident that over 50% of the reported breaches were unlikely to result in a risk to the rights and freedoms of natural persons. However, we are not discouraging organisations to report breaches as this enables us to understand the breach landscape in Jersey to help shape our guidance and advice.
Most reported breaches do not warrant the conducting of a formal regulatory response and/or the imposition of a formal sanction. However, the Authority may impose an Administrative Fine in a case of deliberate, wilful, negligent, repeated or particularly harmful non-compliance. It is important to note that failing to report a breach, where required, could result in a severe penalty.
As previously noted, we take every opportunity to educate and support any organisation reporting a breach. Breaches can be traumatic for organisations to manage and can carry serious reputational damage for businesses. The JOIC team works sympathetically, yet professionally, when responding to breach reports.
2023 Self Reported Data Breaches Opened per Quarter, by Breach Type
| Breach Type | Q1 | Q2 | Q3 | Q4 | TOTAL |
|---|---|---|---|---|---|
| Destruction | - | - | - | 1 | 1 |
| Lack of Availability / Access | - | 1 | 1 | 3 | 5 |
| Loss | | | | | |
| Unauthorised Access | 11 | 11 | 12 | 19 | 53 |
| Unauthorised Disclosure | 51 | 35 | 41 | 22 | 149 |
| TOTAL | 64 | 50 | 54 | 47 | 215 |
Specifically:
149 self-reported data breaches were due to unauthorised disclosure (emails sent and received in error) but in all circumstances, the breaches were appropriately mitigated, presenting no risk to the data subject.
Of the remaining 66 incidents there were a number of different issues including malware, phishing attacks, lost data and other processes leading to breaches. In all circumstances, the breaches were appropriately mitigated, presenting no risk to the data subject.
149 SRDBs due to emails sent and received in error.
ENFORCEMENT AUDITS
Enforcement audits contribute to our Strategic Outcome - Achieving and maintaining the highest standard of data protection in Jersey. The primary purpose of an enforcement audit is to provide the Authority with an insight into the extent to which the audited entities are complying with the particular areas audited and highlight any deficient areas in their compliance.
We will be executing risk-based enforcement audits, commencing with a virtual desk-top approach and if necessary, developing into a face-to-face audit. We will also be undertaking remedial audits to track progress and the effectiveness of implementing the recommendations.
Article 22(7) of the DPAJL 2018 details our power to conduct or require data protection audits.
(1) The Authority may -
(a) conduct a data protection audit of any part of the operations of the controller or processor; or
(b) require the controller or processor to appoint a person approved by the Authority to
- conduct a data protection audit of any part of the operations of the controller or processor, and
- report the findings of the audit to the Authority.
(2) The Authority must specify the terms of reference of any audit carried out under sub-paragraph (1).
(3) The controller or processor concerned must pay for an audit required under sub-paragraph (1)(b).
In 2023 we conducted one very complex and detailed face to face audit. We are finalising the audit report with the data controller in the first quarter of 2024. Thereafter we will publish the lessons learned to help the broader data protection community.
COMMUNICATIONS, ENGAGEMENT & OUTREACH
SARAH MOORHOUSE
Communications & Public Relations Lead
Communications, Engagement and Outreach activity for 2023 was focused around winning the hearts and minds of Islanders with our vision to create an Island culture whereby the protection of personal data and privacy becomes instinctive.
Through specific, targeted campaigns, we engaged with the Jersey community to embrace a collaborative and innovative approach, in line with our strategic outcomes to achieve and maintain the highest standards of data protection in Jersey and protect Islanders including those more vulnerable and future generations.
We raised awareness of local data protection law, obligations and individual rights and increased our education offering for young people, to include youth clubs and scout groups Islandwide.
We delivered personal information safety sessions to more than 2500 young people in primary and secondary education, youth clubs and scout groups, whilst 1671 individuals attended JOIC events, including our Let's Go DPO sessions. It is pleasing that feedback from our outreach sessions shows 80% of attendees benefitted from attending and we continue to monitor and respond to, attendee feedback.
YOUTH & EDUCATION OUTREACH
Given the rapid advances in technology, it is critical we take steps to educate children about how online behaviours can affect their opportunities in later life and provide them with the tools to protect themselves against the harms associated with a digital environment, including social media, online gaming and the darker sides of the internet.
Our engagement with children and young people was strengthened during 2023 with the addition of a Community Youth Worker. This appointment built on strong, existing working relationships with Island secondary schools and enabled us to develop our Young Privacy Ambassador Programme with more in-depth workshops including privacy debates, assemblies and bitesize sessions. It also enabled us to enhance our work with the Government of Jersey Education Department to develop an approach for Key Stage 2 staff to support the rollout of age-appropriate personal information safety sessions for children and young people.
The Community Youth Worker's activities also included personal information safety sessions at youth cafes, as well as guidance sessions with local youth work professionals, to reinforce our key messages.
"Kelly and Sue created a rapport with the students from the moment they arrived and the session was highly engaging and interactive. Our students loved it."
"Given our experience of working with the team at JOIC, I would highly recommend them to other schools."
CONNECTING WITH OUR COMMUNITY
When working to create an Island culture whereby the protection of personal data and privacy becomes instinctive, establishing a trusted connection with all sectors of our community is essential.
As a fundamental human right, data protection is intrinsically linked to wellbeing, mental health, reducing inequalities and improving living standards. Therefore, educating and empowering our community, including adult populations and those that may need greater protection, to understand how to protect their personal information, was the focus of our community outreach activities for 2023.
Unfortunately, budget requirements and delays in recruitment meant outreach activities had to be scaled back towards the end of the third quarter. We were, however, pleased to provide data protection guidance workshops and seminars to a number of community groups, including those more vulnerable, providing information about the principles and spirit of local data protection law, as well as raising awareness about individual rights and JOIC tools, resources and support available. These were complemented with drop-in sessions at Jersey Library, community pop-up stands in St Helier, attendance at Jersey family attractions such as aMaizin Adventure Park and a presence at Government of Jersey's Children's Day.
ARE YOU A PRIVACY SUPERHERO?
Despite being a regulator, we are far from regular and our Privacy Superheroes, The Privacy Force, were officially launched during Data Protection Week 2023.
On a mission to inspire all sectors of our community to share responsibility for protecting their personal information, our Privacy Superheroes exist to help drive a change in culture and behaviour and encourage islanders of all ages to take more control of their personal information and privacy and become real life privacy superheroes.
The Privacy Force was created to make data protection more accessible for Islanders and spark a privacy conversation, reminding Islanders when they are providing their personal information in exchange for goods and services, to take a moment to follow this advice and be a privacy superhero:
H | Have the courage to ask why someone wants your personal information. |
E | Educate your peers about protecting their personal information. |
R | Remember you have rights under the Data Protection (Jersey) Law 2018. |
O | Optimise your privacy settings to help you stay safe online. |
The Privacy Superhero campaign also urges the Island's data protection community to play their part to ensure they look after the personal information of staff, customers and volunteers in line with local data protection law and contact us if guidance or advice is required.
We were delighted our Privacy Superhero campaign was shortlisted in the Education and Public Awareness category of the Global Privacy Assembly's (GPA) international awards for 2023, which gave more than 130 data protection authorities from around the world the opportunity to submit their examples of good practice in privacy and personal data protection. The shortlist included submissions from the Australia, Mexico, Bermuda and Philippines data protection authorities and the judging panel, the Global Privacy Assembly Executive Committee, commented competition for 2023 was very strong.
" The assembly was entertaining and informative. One particular highlight was the JOIC chant
and the superhero character, which added a fun element but did not overshadow the importance of
the key message around keeping personal information safe."
'BRINGING LAW TO LIFE' COURTROOM CHALLENGE
Our Courtroom Challenge initiative to bring data protection law to life continues to increase in popularity and attract interest from sixth form providers. Primarily offered to students in years 12 and 13, the challenge gives young people the opportunity to be involved in a mock privacy trial court case requiring attendees to explore certain aspects of data protection law whilst developing life skills and personal values. Whilst we would have liked to have run more, we delivered two courtroom challenges to local schools during 2023, with further sessions booked for 2024.
Session objectives include:
- To bring privacy and data protection law to life.
- To equip young people with the decision-making tools to make a judgement when it comes to privacy and personal information.
- To increase respect for personal information, among young people.
- To help young people to understand privacy in an ethical context.
- To create a team of young privacy ambassadors ready to be curious, question and feel empowered.
Student benefits include:
- Learning to interpret data protection law and see how it interacts with real life.
- Providing extra-curricular experience for UCAS applications, curriculum vitaes, references and interviews.
- Networking with industry, meeting JOIC staff and key professionals who may be able to assist with career path guidance.
- Developing presentation and communication skills.
"This experience has been invaluable for our students. The work of the JOIC is highly valued by our organisation."
CONNECTING WITH ORGANISATIONS
In line with our strategic outcome to achieve and maintain the highest standard of data protection in Jersey, we take a pro-active approach to promoting awareness of the obligations of local data protection law to the data protection community, via a mix of in-person events, webinars and workshops.
Our outreach efforts are tailored to suit the requirements of small, medium and large organisations as well as charities, clubs and associations and aim to provide guidance and support to attendees on their data protection journey, navigating the law. These sessions provide the opportunity for us to highlight our mandate, philosophy and expectations and give attendees the opportunity to engage, ask questions and enhance levels of understanding.
Guests from a broad range of industry sectors attended our Data Protection Week 2023 Privacy by Instinct roundtable discussion to hear more about our vision and consider an Island whereby our community is empowered to make informed privacy decisions versus a surveillance society whereby individuals are commercialised. The event explored how, as an Island, organisations could work together to drive cultural and behavioural change.
"The content was engaging and relevant to my role"
LET'S GO DPO!
Set up to provide those working within data protection in Jersey the chance to network, identify and explore common experiences and engage with our office in a safe and confidential environment, our Let's Go DPO network now comprises 100 loyal members and is growing in popularity. Topics for the 2023 interactive Let's Go DPO! events included a focus on data protection impact assessments and a workshop and question and answer session exploring subject access requests, to celebrate the five-year anniversary of the Data Protection (Jersey) Law 2018.
Attendee feedback indicates members benefit from the face to face nature of these sessions and opportunity for discussion with JOIC senior leaders, as well as the chance to explore common themes.
"I certainly took away useful pointers"
"The JOIC's Let's Go DPO sessions are very well delivered"
"I will ensure to attend more often and reach out if I have any queries"
BOARD SUPPORT SQUAD
The Board Support Squad initiative, launched to provide organisations the opportunity to work with subject matter experts from our office in a safe and confidential environment to stress the data protection practices in their organisation, gained further momentum throughout 2023. JOIC senior leaders met with Island leaders in person to explore how executives are held to account when it comes to data protection, as well as risk appetite, considering the impact any regulatory action could have on an organisation. These sessions help Boards and Non-Executive Directors to navigate the data protection landscape and understand both board and manager data protection risks and responsibilities.

Feedback from all sessions has been positive and we look forward to providing further sessions during 2024.

MEDIA & PUBLIC RELATIONS
The focus of our media coverage, liaison and public relations for 2023 was increased awareness of our established brand and to continue publishing highly engaging content to convey our key messages. With campaigns aimed at both organisations and individuals, we provided regulatory and enforcement updates and interviews with our senior leaders, as well as links to guidance notes, checklists, toolkits, videos and other resources available on our website.
Social media engagement and performance was monitored (individual tracking was not activated)
to enable us to shape and improve future content. Our social media presence enabled us to update our audiences in real time and local newspaper and magazine coverage allowed for more in depth features and interviews highlighting our mandate and philosophy, compliance guidance, the announcement of new members appointed to the Jersey Data Protection Authority and community engagement and awareness updates.
We also worked with local media organisations to issue scam warnings and specifically, the importance of staying vigilant and safeguarding personal information. These warnings were increased during the final quarter of the year following Storm Ciarán.
STAKEHOLDER COLLABORATION
We continue to engage with local, national and international stakeholders to support our vision to be an exemplar and source of leadership. This approach helps us to cascade our key messages to ensure those that are processing personal information understand their responsibilities under the law and are equipped with the relevant tools and guidance required to support them in delivering the highest standards of data protection.

Local stakeholder collaboration during 2023 included a No Nonsense Guide to Privacy briefing for small to medium enterprises run in partnership with Jersey Chamber of Commerce, a Data Protection for Health and Social Care Providers webinar held in partnership with Jersey Care Commission and a session run in partnership with Jersey Finance exploring the importance of data protection to ensure Jersey remains a safe place to live and do business.

We were pleased to take part in the Islands Data Governance Forum's Data Protection and Cyber Security Conference as well as partner with Jersey Cyber Security Centre for their cyber incident response exercises held as part of Cyber Security Awareness Month. We also provided face to face data protection guidance to local sports organisations as part of Jersey Sport's Support for Sport event.

We are part of the Jersey Cyber Security Task Force and members of the Jersey Fraud Prevention Forum, a group of local agencies that work together to protect the Jersey community from frauds and scams.

The JOIC senior leadership team continues to attend speaker engagements on request to provide regulatory expertise and guidance around data protection and privacy themes and encourage organisations to adopt a privacy first approach in all their activities.

NATIONAL & INTERNATIONAL WORKING GROUPS
Our team continues to dedicate time to contribute to national and international working groups to discuss shared themes, collaborate and foster key working relationships.

We are proud members of the British, Irish and Islands Data Protection Authorities (BIIDPA) regional network of privacy commissioners that meets annually, with open collaboration throughout the year.

The Information Commissioner sits on the executive committee of the Global Privacy Assembly, an international forum that seeks to provide data protection and privacy leadership at international level by connecting more than 130 privacy authorities around the world. The Information Commissioner also chairs the Global Privacy Assembly's Data Sharing for Public Good working group and JOIC senior team members contribute to other GPA working groups such as the International Enforcement Working Group, the Digital Economy Working Group, the Digital Education Working Group, the Ethics in Data Protection and Artificial Intelligence Working Group and the International Development, Humanitarian Aid and Crisis Management Working Group.

We are members of the Global Privacy Enforcement Network, a group of privacy enforcement authorities that discuss the practical aspects of privacy law enforcement co-operation, share best practice and support joint enforcement initiatives and awareness campaigns.

Our senior team also attends and contributes to the International Conference of Information Commissioners and the International Association of Privacy Professionals.

Involvement with these working groups acknowledges our commitment to support a global regulatory environment with consistently high standards of data protection.

46TH GLOBAL PRIVACY ASSEMBLY
We are honoured the future of international data protection and privacy regulation will be discussed in Jersey in 2024, as we host the 46th Global Privacy Assembly, one of the largest and most prestigious events in the global privacy calendar.

'The Power of i' is the overarching theme for the conference, centred around the core pillars of Individuals, Innovation, Information, Integrity, Independence, International, Intercultural and Indigenous.

The conference will highlight and explore the significance of the eight themes, which are intrinsically linked to encompass the harms, values and enrichment of our human lives. It will establish and explore how we can respect and balance the power of information with the need for citizens across the world to have power, control and dignity over their personal information. The discussions will question whether current regulatory models are still relevant and fit for purpose, asking what the future of data protection and privacy regulation looks like and how do we safeguard our future generations.

The conference aims to create a roadmap for the future, both short-term and long-term, to improve individuals' ability to self-manage their data, achieve greater equity in data sharing, and foster better behaviours and culture around the use of personal data.

The 46th Global Privacy Assembly will take place from Monday 28 October 2024 to Friday 1 November 2024 and we're delighted to be working with local partners to showcase Jersey to an international audience. More information is available at www.gpajersey.com.

"As Jersey's Information Commissioner, I am honoured and extremely proud that my office, and our Island, has been selected to host the Global Privacy Assembly Meeting for 2024. Whilst this is primarily a data protection and privacy conference, this is a real opportunity to showcase Jersey and everything our Island has to offer. I very much look forward to welcoming my international counterparts to our beautiful island."
Paul Vane BA HONS SOC POL CRIM OPEN
Information Commissioner
ENVIRONMENTAL, SOCIAL AND GOVERNANCE
As proud members of the Government of Jersey's Eco Active business network, we are committed to taking action to manage our impacts on the environment.
As Eco Active members, we have an Eco Active Champion within our office dedicated to drive action and change and are committed to:
1 Improving efficiency.
2 Preventing waste.
3 Reducing the risk of causing pollution or other negative environmental impacts.
We strive to improve energy efficiency and awareness among staff and take a proactive approach to office recycling. Staff are encouraged to take part in beach clean sessions, review their modes of transport to move to more eco-friendly practices and improve their energy awareness at home as well as work.
We are committed to:
Conducting regular reviews and office walk arounds, to identify where energy can be saved.
Having energy saving lighting in place across our workplace and switching off computers, monitors and communal equipment at the end of each day.
Using 100% recyclable printer paper.
PEOPLE & ORGANISATIONAL DEVELOPMENT
Our organisational development approach aims to create a flexible and innovative organisation, capable of addressing challenges and identifying opportunities in the ever-changing field of data protection.
In recent years, this has become more challenging due to the ongoing impact of Covid, economic fluctuations, and shifts in the workforce, influenced by generational changes.
Our people and organisational development initiatives are vital to developing our workforce and enhance our overall organisational effectiveness. This section describes our main initiatives in 2023 and how these align with our core values and strategic outcomes.

WORKFORCE COMPOSITION
JERSEY DATA PROTECTION AUTHORITY
Two Voting Members left the Jersey Data Protection Authority in 2023 and they welcomed three new Voting Members:
Stephen Bolinger
Paul Breitbarth, and
Elizabeth Denham CBE
All three members were recruited for their extensive knowledge, skills and experience in data protection and regulation.
The Authority ended 2023 with a head count of 7 members, including the Chair. This was one more member than the year before. In total, 43% of JDPA members were female and 57% were male in 2023.

JERSEY OFFICE OF THE INFORMATION COMMISSIONER
As at the end of 2023 there were nineteen (18.4 FTE) permanent employees within the JOIC. This represented a 10% increase in headcount on the year before. Two new roles were phased into the Communications and Outreach team in 2023, to enable greater engagement with schools and community groups. In total, 90% of the JOIC's employees were female and 10% were male in 2023. The JOIC senior leadership team is comprised of 4 permanent employees, 75% female and 25% male, supported by 2 external consultants. The average length of service of a JOIC employee in 2023 was 3.5 years.

90% Female employees
EMPLOYEE DEVELOPMENT
As the JOIC is a relatively young and specialised organisation, our emphasis on employee development has remained a top priority. Constrained budgets in 2023 posed challenges in providing learning experiences, particularly for off-Island courses and conferences, crucial for enhancing knowledge and networking. To overcome this we explored alternative methods, including online attendance. Throughout this period, we committed considerable time and effort to foster a culture of learning and continuous improvement. Key initiatives included:

JOIC's in-house learning and wellbeing programme:
This delivered over 20 short sessions covering various relevant themes, from technical insights to professional development and wellbeing.

Leadership Development:
In November 2023 we launched a new development programme for 5 JOIC employees at the start of their leadership journey. The Shine Programme is a bespoke programme, based around 12 organisational outcomes such as personal responsibility, resilience, adaptability, decision-making, productivity and performance and delivering change.
The programme is a key initiative, designed to cultivate and retain key talent. It deploys methodologies such as coaching, action learning, and reflective practice. Through these approaches, participants enhance their capacity to fulfil their role responsibilities and effectively lead others.

Role specific training and qualifications:
It is especially important, for both employee morale and expertise, that employees continuously develop their knowledge and skills. Formal qualifications studied during 2023 included the PDP Practitioner Certificate in Data Protection, Practitioner Certificate in Freedom of Information, Association of Chartered Certified Accountants, Foundations in Accountancy, Level 5 Chartered Management Institute and Level 3 in Education and Training. We also provide in-house bespoke training.

EMPLOYEE ENGAGEMENT
Key to fostering employee motivation and retention is a proactive approach to employee engagement (or satisfaction). In 2023, our focus was on understanding what employees enjoy about working for the JOIC and where they would like to see improvements. We also facilitated employee feedback on policies and procedures related to hybrid working and our health and wellbeing offering. Regular employee engagement helps to develop the organisational culture and reinforce the JOIC's values. We are Fair, Respectful, Energetic and Collegiate. The full employee engagement survey takes place every 2 years.

SUCCESSION PLANNING
In anticipation of the Authority Chair's retirement in 2024, we established a succession planning process tailored for use within the Authority. The aim of this process is to aid the Authority in maintaining an optimal structure, size, and skill balance. It will also support the organisation in maintaining continuity and effectiveness, even when members depart due to completed tenure, resignation, or retirement.
FINANCE OVERVIEW
CLAIRE LE BRUN
Head of Finance
Strategic financial planning builds resilience and enables continuity of service allowing stability through the organisation and providing clarity on the direction of travel to deliver the business and strategic objectives. This is important for any organisation but is of particular importance to an independent, public regulatory authority with a mandate to deliver.
The delivery of our statutory mandate along with the Authority's contribution to maintaining Jersey's Adequacy status and the Outline Economic Strategy for Jersey requires timely and fair annual financial contributions from Government of Jersey.
These contributions were not forthcoming during the 2023 financial year which impacted on planned activities and business plan deliverables. It is challenging to form good strategic financial plans when funding discussions take a long time to conclude. Balancing budgets and controlling costs are only one part of the Authority's public obligation; the Authority also needs to focus on outcomes in the community to be able to measure its impact and determine its effectiveness as a regulator. More certain levels of funding will lead to improved services for the members of the community who will benefit from them the most.
FINANCIAL SUMMARY 2023
Budget Area | Budget to Q4 | Actual to Q4 | Variance |
Income | £2,609,813 | £2,439,474 | -£170,339 |
Staff | £1,722,669 | £1,575,088 | +£147,581 |
Non-Staff | £887,144 | £1,133,798 | -£246,654 |
Total Variance | | | -£269,412 |
INCOME
Budget Area | Budget for the full year 2023 | Actual as at 31.12.23 | Surplus/ Deficit |
Grant | £250,000 | £155,419 | -£94,581 |
Fees | £2,359,813 | £2,275,510 | -£84,303 |
Interest | £0 | £8,545 | +£8,545 |
GOVERNMENT FUNDING
As of the end of the fourth quarter, a partial grant was received solely for the Freedom of Information (FoI) mandated activities provided to the Government of Jersey by the Information Commissioner and the FoI team which is made up of JOIC employees. The grant was paid under a new Partnership Agreement which is focussed solely on FoI funded activities.
The Data Protection grant remained unpaid in 2023, with discussions continuing into 2024 over the level of contribution to be provided by the Government of Jersey.
It has been difficult to be fully effective in delivering on the statutory obligations when the funding level is uncertain. JOIC worked efficiently throughout the financial year to prudently manage its spending which had the effect of reducing the year end deficit seen in the financial summary.

REGISTRATION FEE INCOME
Fee income totalling £2,275,510 has been received which represents 96.4% of the budgeted fee income set for the year (2022: £2,244,480, 102% of budget).
The budget that was set at the start of the year included an income target of an additional 7% in registration fee income compared to the prior year and this target proved difficult to reach partly due to the number of deregistrations (330 deregistrations during 2023).
There were 6,634 entities registered with the Authority in 2022. In 2023 the number of entities registered increased by 11% to 7,366. It should be noted that some registrations are fee exempt.
The below table shows a comparison of fees in each fee band at year end for 2022 and 2023.
Fee band | Current year 2023 | Prior year 2022 | % +/- |
Full time equivalent employees fee | £524,010 | £491,930 | +6.52% |
Past year revenues fee | £90,400 | £81,650 | +10.72% |
Proceeds of crime fee | £110,050 | £113,350 | -2.91% |
Administration services fee | £1,506,600 | £1,515,800 | -0.61% |
Special category data fee | £44,450 | £41,750 | +6.47% |
Total | £2,275,600 | £2,244,480 | +1.39% |

REMUNERATION AND STAFF
The below table shows the Authority remuneration and time commitments for the Members which remains unchanged from the previous year. The rate was subject to an external review during 2021. The findings were submitted to the Minister, who approved the following:
Role | Time Commitment | Day Rate | Annual Remuneration per Authority member for the relevant contribution |
Authority Chair | 18 days p.a | £950 | £17,100 |
*Committee Chair and Voting Member | 15 days p.a | £750 | £11,250 |
Voting Member | 12 days p.a | £750 | £9,000 |
There are no other payments made to the Authority Members. Authority Members are independent contractors and do not constitute an employee for the purposes of the Employment (Jersey) Law 2003 or other local legislation.
Total Staff costs for the year were underspent at year end.
Budget 2023 | Actual 2023 | Variance |
£1,722,669 | £1,575,088 | £147,581 |
There were 21 roles recorded in the 2023 budget with 19 of these in post at year end. Recruitment was delayed through the year to utilise the staff savings to offset the variances created through a reduction in funding in the year.
Staff costs include the Information Commissioner's salary*
Commissioner Salary 2022 | Commissioner Salary 2023 | % increase on 2022 |
£143,693 | £152,208 | 5% |
* The figures above include employer Social Security and Pension contributions. The grade offered to the Information Commissioner is 10.3 on the JOIC pay scale and this was increased by 5% for cost of living from 1 January 2023.
NON-STAFF COSTS
Operations were under constant review to enable costs to be kept under control. Budgets were revisited and prudent spending controls were put in place to minimise the year end deficit created through reduced funding. This action, whilst necessary, put added pressure on an already tight budget which was set conservatively with value for money at the forefront of all budget decisions to enable objectives and deliverables to be met in a timely, cost-effective manner throughout 2023.
Budget 2023 | Actual 2023 | Variance |
£887,144 | £1,133,798* | -£246,654 |
*includes project expenditure which falls outside of the operating budget. Operating budget variance +£44,697
Had spending continued as budgeted, JOIC would have had significant losses to report at year end.
While JOIC were able to take some preventative measures to offset the reduced funding, this approach to planning and operations is not sustainable. A commitment for future funding from Government spanning several financial periods is being sought in 2024.
AUDITED ACCOUNTS
Key audit matter | Identified audit risk per the Audit Planning Letter | Key observations communicated to those charged with governance | ||
Revenue Revenue recognised during the reporting period may be incorrectly allocated or materially misstated. • Accounting policies in Note 3 • Note 4 and Note 6 Revenue for the year was £2,439,474 (PY: £2,495,671). | Revenue derived from registrations made with the authority and renewals, or grant income, being materially misstated. |
| We have obtained an understanding of the process, from initial registration or renewal through to the income being recognised and received, including walkthroughs and detailed controls testing. We undertook substantive analytical procedures to assess the completeness of the reported income. We have reviewed the agreements, correspondence and conditions related to funding received from the Government of Jersey (GOJ), to ensure that the appropriate level of income is recognised in the reporting period. In addition, we have reviewed post balance sheet minutes of the Members of the Authority and correspondence to ratify the 2023 government grant approval which was subsequently agreed to the supporting invoiced. Freedom of Information (FoI) grant audit procedures: We have obtained an understanding of the FoI grant through discussions with management and review of the agreement. We have agreed receipt of grant to Bank and recalculated the clawback mechanism assessing if this will be applicable in 2023 for accuracy of the amount disclosed in the financial statements. We have assessed the correlating expenses, including assumptions made, for the FoI grant for reasonableness and performed a re-calculation. We reviewed the disclosure requirements for the FoI grant under FRS 102 and discussed requirements with a Technical Director. We have no issues to report from our testing. |
|
+44 (0) 1534 716 530
2nd Floor, 5 Castle Street, St. Helier , Jersey, JE2 3BT
www.jerseyoic.org