Office of the Data Protection/Information Commissioner: Annual Report 2016

Annual Report

OVERVIEW

3. Our Mission
4. Governance Statement
5. Office Structure
6. Your Information Rights
7. Commissioner's Foreword

10. Our aims
11. Operational Performance

14. Guidance
15. Enforcement
16. International Liaison  
17. Online Safety  
18. European Developments  

20.  Freedom of Information  

22.  Financial Statements  

Our mission

Statement of Purpose

To fully discharge our statutory duties, as an independent body, to enhance information governance across the Channel Islands ensuring continued recognition as well- regulated jurisdictions.

To assist organisations meet their obligations; to regulate where the required standard has not been met and to ensure that individuals are confident and able to exercise their information rights.

Areas of Focus

Develop Educate Lead Influence Visible Enforce Regulate

DEVELOP – ensuring our staff are highly skilled and motivated, working effectively and efficiently across the Islands.

EDUCATE – working with key organisations and individuals to promote awareness and understanding of information rights and responsibilities.

LEAD – as the subject matter expert within the Channel Islands, ensuring the Islands' continued recognition on the European and international stage

INFLUENCE – seeking to embed information rights in all relevant areas especially new laws and policies across the private and public sector

VISIBLE – conducting our work in an open and transparent manner, ensuring relevant and useful information is proactively published on our website

ENFORCE – taking targeted and meaningful regulatory action in a fair and consistent manner

REGULATE – making effective use of our statutory powers to achieve consistency in approach across the Channel Islands

Governance statement

The position of Data Protection Commissioner and Information Commissioner are established in the Data Protection (Bailiwick of Guernsey) Law, 2001, the Data Protection (Jersey) Law 2005 and the Freedom of Information (Jersey) Law 2011. Under the terms of the EU Directive 95/46 the Commissioner must be independent of government and this has been enshrined in legislation. In Guernsey the sponsoring department for the Office is the Office of the Committee for Home Affairs. In Jersey the sponsoring department for the Office is the Chief Minister's Department. The Commissioner is accountable to the States for the exercise of statutory functions and is subject to States audit.

Risks

Risks are routinely assessed

1. Budgeting 2016 and beyond: The Offices have an agreed budget for 2017. Additional funding has been allocated to the Office to assist with GDPR preparation. Further detailed work will be required to establish the long term resource requirements, as well as income options. In addition, long term funding for FoI in the Jersey Office has yet to be agreed.
2. Implementation of GDPR: The GDPR no longer contains the requirement for data controllers to notify the processing of personal data to the supervisory authorities. The abolition of indiscriminate general notification obligations will need careful consideration as it will impact the way in which authorities are funded. How the Channel Island Offices continue to be funded within the context of EU reform, future cuts in government expenditure together with increasing workloads and expectations is now under detailed review.
3. IT strategy: The Offices have taken the extremely important step of moving away from government IT support. Independence is a crucial part of a successful data protection and freedom of information regulation and we must ensure our own data is held securely and independently. Preparation has started on the major internal IT reform needed to deliver GDPR.
4. Increasing pressure on resources: An important element of our work is to ensure individuals are informed of their rights and empowered to raise concerns. If we do this well, we are then faced with managing the volume of enquiries and complaints. Not only does our workload expand year on year, the increased complexity of cases is also noticeable. Managing the volume of work as well as expectations at the same time as the Offices are going through significant changes will be a challenge for us all.
5. Robust independence from government: In order for us to be an effective regulator and to deliver on the GDPR requirements, we need to ensure a workable and sustainable funding system as well as a clearer guarantee of independence across the Islands.

Office structure

The part time role of Office Manager/PA in Guernsey was the subject of review in light of Officer retirement' at the end of 2016 and the additional pressures to prepare for GDPR.

In coordination with the sponsoring department in Guernsey, it was agreed to create a full time position of Executive Officer in the Guernsey Office.

Your information rights

The Data Protection (Jersey) Law 2005 and the Data Protection (Bailiwick of Guernsey) Law, 2001 give citizens important rights including the right to know what information is held about them, how that information is going to be handled, and the right to correct information that is wrong. The Data Protection Laws across the Channel Islands help to protect the interests of individuals by obligating organisations to manage the personal information they hold in a fair and lawful way.

The Freedom of Information (Jersey) Law 2011 gives people a general right of access to information held by most public authorities in Jersey. Aimed at promoting a culture of openness and accountability across the public sector, it enables a better understanding of how public authorities carry out their duties, why they make the decisions they do and how they spend public money by requiring the disclosure of information in those areas.

The Code of Practice for Access to Public Information – Guernsey

In July 2013, the States of Guernsey agreed the Code of Practice on Access to Public Information. The Code contains the following core principles:

• A presumption of openness
• A corporate approach
• A culture of openness
• Proactive publication; and
• Effective record management.

The mechanism for requesting does not replace the process of applying for personal data under the Data Protection (Bailiwick of Guernsey) Law, 2001. Unlike this Law, our Office has no statutory functions with regards appeals/complaints. All such matters are dealt with by the relevant service area and may be referred to the Policy and Resources Committee.

Commissioner's foreword

This is my sixth report as Data Protection Commissioner for the Channel Islands.

2016 was certainly a landmark year for data protection. After four years of lengthy debate, negotiation and preparation, the General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14th April 2016. It entered into force twenty days after that and will be directly applicable in all EU member states two years from that date, on 25th May 2018. It replaces the Data Protection Directive 95/46/EC (the Directive).

The GDPR marks the most significant reform of European data protection regulation in decades and is set against the backdrop of this digital era that sees data collected and used in ways and at speeds unimaginable only a few years ago. It comes after many years of discussion and negotiation and is designed to equip individuals and regulators with strengthened rights.

Whilst directly applicable to EU Member States, the GDPR is also important for the Channel Islands. Both Jersey and the Bailiwick of Guernsey implemented legislation in response to the Directive and are currently recognised as adequate' jurisdictions for those purposes. It is clearly vital for the Islands to retain this position, to protect the free flow of data and 2016 saw agreement by both governments to work together in implementing equivalent legislation to come into force at the same time as the GDPR.

There are two powerful drivers for Channel Islands data protection reform. Firstly, the need to ensure that we, as citizens, are all provided with appropriate legal protections and remedies in this digital era. Secondly, the desire to retain the current adequacy status of the Islands allowing unfettered data flows. With data increasingly important to all business, government and domestic activity, providing a safe and strong regulatory environment must be recognised as a key requirement for a successful economy.

Once high level political agreement had been reached on reform, both governments committed to an implementation plan with the Islands working together to make best use of resources and with an understanding of the importance of a harmonised Channel Island approach. This reform moves data protection into a new, exciting but hugely challenging realm. High level engagement and commitment across the Islands would not have been possible without the support and vision of a number of key individuals. In particular I would like to thank Mark Lempriere, Chief Secretary at States of Guernsey Committee for Home Affairs and Senator Philip Ozouf of the States of Jersey. In addition, the expert input of the Channel Islands Brussels Office has been invaluable and will continue to be so as we progress with our adequacy review. I am clear that we are at an absolutely crucial point for the Islands. To embrace the enormous opportunities that data offers to our economic and social wellbeing requires those in key positions to engage with a raft of issues; intellectual, political, legal, social and ethical. Each one of these areas plays a vital role and this must not be seen as a zero sum game. The Channel Islands has a unique opportunity to approach this new era in an enlightened way, one which embraces the opportunities without sacrificing the rights and freedoms of the individuals that make up its society. Change is never easy and this project will be no exception. My Office is ill equipped to deal with the current increasing workload so it is

clear that implementing the standards GDPR will require will also mean a transformation in what we do and how we do it. If we do that well, it will benefit our economies, our citizens and our reputation.

The Channel Islands now have dedicated senior policy Officers working on the reform project with this Office. At the same time we are engaging with stakeholders and strategic partners to help communicate the changes and work together to deliver them.

This involves drafting new legislation to reflect the GDPR requirements. It also includes a full review of the way our Office is structured and resourced to ensure that we are in a strong position to deliver on the new duties that the GDPR requires. If we are going to apply increased accountability requirements to data controllers and processors we must also apply those to ourselves. With our new powers will come new responsibilities and we will build those into the new regulatory structure.

GDPR is certainly high on our priority list and we will be using all available platforms to communicate the forthcoming changes. Whilst those organisations that take their current legal obligations seriously in respect of data protection compliance will be well positioned to respond to the GDPR, we also recognise the need to ensure businesses are supported as much as possible during this time of change.

I am clear that the benefits of a high quality data governance regime, whatever business you are in, go beyond a fear of regulatory action if you fail. Ensuring individuals have trust and confidence in your brand relates so much to the way in which you handle their personal data. The high profile data breaches we see in the media with alarming frequency highlight the very real damage that can result. Business relationships are built on trust. Data protection is a condition of trust and therefore a condition of growth. Good data protection is therefore so much more than doing what the law tells you to do. It is recognising that personal information is the single most valuable non-consumable asset possessed by an organisation and should be treated as such.

Whilst this is true for both public and private sector alike, different pressures exist for public authorities and we need to be alive to those. Unlike the private sector, there are no market forces at play and public authorities are often collecting and using our personal information in a way that is mandated by law. This broad and compulsory nature of data processing carries with it a special responsibility and this is recognised in the GDPR which includes a requirement for all public bodies to have a data protection Officer. This dedicated, skilled resource is a very significant element of the GDPR and will, I think, herald an era where data professionals are increasingly recognised and valued. Indeed, it is a field in which we have a track record in the form of compliance professionals in the finance industry. It is an area in which I think the Channel Islands could excel by developing and supporting data professionals who work to enhance processing standards and build on the existing high quality compliance standards of the Islands.

It is worthy of note that both the States of Guernsey and States of Jersey have committed to working internally to review and improve on the skills in this area. If citizens are going to trust government with big projects such as e-Gov, getting the data handling right must be the priority and must be built in to the project from the outset.

We used Data Protection Day in January as an opportunity to highlight the changes GDPR will bring, specifically targeting small businesses who are unlikely to have the resources  available  to  larger  organisations  to  prepare  themselves.  As  the  project develops we will continue to provide as much assistance and guidance as possible to data controllers and processors to enable them to continue preparations.

As a small jurisdiction, it is important for us to work as effectively and efficiently as possible and the annual meeting of small data protection authorities continues to provide a valuable platform for us to share experiences and resources where appropriate. This year it was held in June and hosted by Malta. Unsurprisingly the main topic of conversation was GDPR and there was much discussion about how the smaller authorities were starting to prepare. Whilst there is divergence in certain areas, there is also much common ground. The Channel Islands can, I believe, benefit from taking a clear, focused and autonomous route to high quality data protection regulation that does not detract from the real benefits of sharing experiences and thoughts in a trusted and knowledgeable environment.

With so much attention on the new Regulation it would be easy to neglect the current duties we all have both in respect of data protection and freedom of information. But ensuring the current legal framework benefits from effective and independent oversight continues to be our priority. Working across the Islands provides my staff and I with the opportunity to broaden our knowledge and harmonise our approach. I am extremely proud  to  head  up  teams  across  the  Channel  Islands  who  first  and  foremost  see themselves  as  a  unified  Office  working  in  often  challenging  and  high  pressured circumstances. With an increasing and an increasingly complex workload it is clear that major reform is now required if we are going to be fit for purpose in the GDPR era.

We are at a turning point for data protection with it taking on a truly global significance. If the Channel Islands want to be considered as an attractive, well regulated jurisdiction in this new data-driven world, we need a clear vision and roadmap to take us forward understanding that it will be an essential foundation for encouraging and fostering innovation and productivity whilst ensuring the  highest standards of protections for individuals.

Emma Martins  

Data Protection Commissioner for Guernsey  Information Commissioner for Jersey  

Our aims

Priorities

• To be a well-led and managed organisation, one that staff are proud to work for and that makes a real difference to the Islands.
• To ensure that the Channel Islands are recognised on the European international stage as well regulated jurisdictions, both now and once the EU Regulation is implemented.

What we want to achieve

• To raise the profile of information governance, highlighting the role it plays in successful organisations while protecting the privacy of the individuals with which the organisation deals.
• To ensure that all those that handle personal information do so lawfully and responsibly.
• To encourage government organisations to embrace openness and transparency in all their activities whilst respecting an individual's right to privacy.
• To ensure that individuals are aware of their information rights and are confident in exercising them.
• To provide an effective and efficient notification service that is consistent across the Channel Islands.
• To ensure  there  exists a  pan-Island  mechanism for purposeful, targeted  and meaningful regulatory activity.
• To reach a point where information rights are embedded in new laws, technology and public policy.
• To be a model of good regulation :-
  • Transparent
  • Accountable
  • Proportionate
  • Consistent
  • Targeted
  • Independent

Operational performance

Complaints (Jersey)

Who did people complain  What did people complain

about? about?

Retailers Unfair Processing Public Authorities Data Used for Other Excessive Data

Other

Inaccurate Data Leisure Retained Too Long

Legal Rights not Complied Health Poor Data Security Overseas transfers

Hospitality

Other Finance Privacy of Electronic

0 5 10 15 20 25 0 10 20 30

A total of 52 data protection related complaints were recorded in Jersey during 2016, representing a 20% increase on the 43 complaints recorded in 2015. Complaints about unfair processing saw a significant rise from the previous year, however the pattern of complaints by subject shows a similar trend to 2015. As expected, Jersey's biggest sectors received the most complaints, but there has been a notable increase in the number of complaints involving the health sector.

Complaints (Guernsey)

Who did people complain

about?

Retailers Public Authorities Other

Leisure Legal Health Hospitality Finance

0 5 10 15 20

What did people complain about?

Unfair Processing Data Used for Other Excessive Data

Inaccurate Data Retained Too Long Rights not Complied Poor Data Security Overseas transfers Other

Privacy of Electronic

0 5 10 15

A total of 42 complaints were recorded in Guernsey during 2016 representing a small increase in the number of cases recorded in 2015. A perceived lack of compliance with the rights of data subjects remains a key area of concern for individuals, forming roughly a quarter of all cases. Complaints about subject access requests form the bulk of this category; usually due to requestors receiving less information than they expected or were entitled to. Organisations should have clear procedures in place regarding subject access requests, covering such areas as the acknowledging of requests, the identification of relevant personal data and responding in a timely manner. Organisations should also be aware that existing timescales are subject to change under the reform package and take this opportunity to review processes accordingly.

For the first time, a separate entry has been included in the chart for cases involving marketing by electronic means; subject to separate legislation in the Bailiwick but within the remit of this Office. As has been noted also by our UK counterparts, the Information Commissioner's Office, unsolicited marketing by telephone and email is a greater concern to individuals than ever before and the regulator needs to evolve to respond to this. It is hoped that the data protection reform currently underway will provide further powers and sanctions to assist in addressing the misuse of individuals' details for marketing purposes.

Breach Reporting

It is of note that whilst there is currently no requirement to notify either Office of a data breach, eight of the 42 cases in Guernsey during 2016 were breaches reported by the organisation rather than by an affected individual. We are happy to receive such reports and, where appropriate, provide guidance as to next steps that an organisation should consider if an incident occurs. A key feature of the impending data protection reform is mandatory breach reporting with organisations being compelled to report a  data breach within 72 hours of discovery and it is encouraging to see organisations embracing this reporting requirement in advance and putting in place processes and procedures to capture issues and deal with them appropriately. This self-reporting also accounts for the increase in data security issues dealt with compared with 2015 and gives something of an indication as to how the reform will impact this Office.

We recognise that breach reporting will be an additional duty for data controllers under the new Laws. It is our aim to ensure the process is as straight forward as possible whilst ensuring meaningful engagement and the highest levels of data security. Work has started to plan a new reporting system for our own Office and we are also talking to government and the Channel Islands Financial Services Commissions to ensure a consistent approach in this area.

We are clear that we want breach reporting to be viewed as positively as possible by all parties; it will provide the regulator with accurate information about data security incidents and allow organisations affected to enter its constructive communications aimed at support and learning. Whilst there may be occasions where regulatory action is taken as a result of a breach, any punitive sanctions will be targeted based on non- compliant activity that is deliberate, willful, negligent, repeated or particularly harmful. Failure to report a breach that comes to our attention later will also carry with it the risk of formal sanction.

Notifications (Jersey)

New Notifications Total Notifications

500 2550

2517 450 397 396

400 2500

350

300 2450

250

200 2400 2388

150

100 2350

50

0 2300

2015 2016 2015 2016

Notifications (Guernsey)

New Notifications  Total Notifications

350 2015 2013

297

300

2010

250

200 2005

150 129 2000 1998

100

1995

50

0 1990

2015 2016 2015 2016

With regard to notifications, both Islands recorded significant increases is both the number of new notifications received and the total of live notifications active at the end of 2016. This is encouraging and demonstrates the required attention being paid to data protection compliance by local organisations.

Guidance

Guidance documents

Most of the existing guidance was reviewed and updated during 2015 and 2016, and as such no new guidance has been published on either of the Commissioner's websites. However, work has already started on the task of preparing guidance in advance of the implementation of GDPR, and these will be published as and when they become available.

Awareness sessions

The  Commissioner  and  her  staff  are  regularly  invited  to  undertake  speaking engagements  and  provide  awareness  sessions  to  industry  representatives  and professional bodies. During 2016, a total of 66 sessions were delivered across the two Islands, and a breakdown of those sessions is detailed below.

There  was  an  increase  in  awareness  sessions  undertaken  by  both  the  Jersey  and Guernsey  Offices,  in  large  part  due  to  the  impending  data  protection  reform, commencing in May 2016 with the adoption of the GDPR. As a result of the decision in the EU, the awareness sessions evolved as the year progressed to encompass the GDPR and how this would impact upon the Channel Islands. It is envisaged this upswing will continue into 2017 and beyond, as States of Jersey and States of Guernsey progress with their implementation plans and organisations continue to prepare for the new Laws due in May 2018.

Awareness Sessions 2016

Other 15%

Health Finance 2% 27%

Legal 6%

Professional

Bodies

9% Public Sector

41%

Finance Public Sector Professional Bodies Legal Health Other

Enforcement

Two formal undertakings were issued in 2016 in relation to Guernsey complaints. Both formal undertakings relate to failures to ensure processing was fair in accordance with the First Data Protection Principle and required the review of the relevant processes to improve procedures and ensure compliance in the future.

No enforcement notices were issued by the Guernsey Office and no investigations were undertaken in relation to the Section 55 offence of unauthorised disclosure.

Whilst Jersey experienced a significant increase in the number of complaints received during 2016, none of them resulted in any enforcement action being pursued by the Commissioner, either through enforcement notices or formal undertakings. One long standing criminal investigation is continuing in relation to the  Article  55  offence  of unlawful obtaining of personal data.

It remains the case that much of the workload across the two Offices relate to general enquiries, the breadth and depth of which varies significantly. Where formal complaints are made we make every effort to work with all parties towards a successful resolution. We recognise that this is not always possible, and we have also observed an increase in cases where there are complex interlinked issues regarding employment grievances or legal proceedings in a family or civil context. Such matters are very resource-intensive and highlight the need for careful consideration of GDPR obligations for our Offices.

International liaison

Representatives  of  the  Channel  Islands  Office  attended  the  Spring  Conference  of European  Data  Protection  Authorities. These  events  are  great  opportunities  for developing knowledge and sharing thoughts, concerns  and  practice  about  current  legislation  and  the  impending reform. By taking time to consider the bigger  picture  the  Office  is  able  to  incorporate  relevant  information  into its own practices  and  pass it on to  organisations in  the  Channel Islands.  With so many  businesses from the Channel Islands operating in an  international arena, we need to be able to understand  and  respond  to  the  challenges  and  diversity  that  presents.  Spring conference, Budapest 2016

For  a  number  of  years  now,  Jersey  and  Guernsey  have  played  an  active  role  in discussions  between  the  British,  Irish  and  Islands'  Data  Protection  Authorities. Representatives of the regulators from the UK, Ireland, the Channel Islands, the Isle of Man, Gibraltar, Malta and Cyprus meet annually to discuss the challenges facing each justification, to share best practice and ensure cooperation where appropriate. The annual meeting was held in Malta this year and covered a range of topics including GDPR, the Law Enforcement Directive and the EU-US Privacy Shield.

This was followed up in October with a GDPR specific meeting hosted by the UK's Information  Commissioner's  Office  to  which  representatives  of  the  Department  of Culture, Media and Sport were invited. Coming some four months after the Brexit vote, the  meeting  considered  the  various  challenges  facing  data  protection  authorities including those outside the EU, for which ongoing adequacy is going to be a priority.

2016 also saw Guernsey and Jersey join the Global Privacy Enforcement Network (GPEN) an international network of enforcement agencies set up to share knowledge, practical experience and dialogue about issues relating to privacy and the flow of data between jurisdictions. The Islands are by some way the smallest members of the network in geographic and population terms – other members include the US, the UK, the EU, Korea and Germany. But having successfully applied for membership, regulators in the Islands will  have  access  to  a  global  network  of  expertise  and  practical  experience.  As jurisdictions  handling  significant  amounts  of  data,  and  with  a  successful  finance economy, playing our part in these arenas is increasingly important.

Online safety

The Office has continued to support the multi-agency online safety committees, whose remit is to work to protect children and young people using digital and internet services. Representatives  attended  meetings  in  both  Jersey  and  Guernsey  to  ensure  that information rights form part of the work undertaken under these groups to safeguard and empower children in a world where digital presence seems a priority.

Across Europe, one day each year is dedicated to recognising the messages of various bodies and agencies that strive to make the internet a positive, supportive and safe environment for children and young people. The Guernsey Online Safety Committee has historically run an event to mark this day but this year efforts were stepped up to demonstrate how technology can inspire creativity and is providing the jobs of the future as well as embracing the traditional safety messages. The Office provided assistance in the organisation, staging and support for the day. Rebadged as Digital ACE (standing for Aspire, Create and Empower), the event was a huge success, attracting many more people than had attended in previous years and providing content for children, young people and their parents and we were delighted to be involved.

The internet has become an increasingly essential element of children's lives from a very young  age.  There  are  opportunities  and  benefits  for  these  children  in  relation  to education and development. There are also significant risks around inappropriate and harmful content or interactions as well as exposure to aggressive, targeted marketing activities. There is no single solution if we are seeking to improve the rights of children online. New rules in the GDPR will be an important element. Our Office will continue to work with data protection Officers working in education to prepare and deliver on the new standards. It is a complex picture though involving more than just legislative controls. How we educate children in the importance of protecting their data and themselves online needs to be done in conjunction with government and technology initiatives.

European developments

The European Commission put forward its EU Data Protection  Reform  Package  in  January  2012.  More  than  90%  of  Europeans say they want the same data protection rights  across the EU – and for these rights to apply regardless of  where their data is processed.

The  General  Data  Protection  Regulation  (GDPR)  is  viewed  as  an  essential  step  to strengthen citizens' fundamental rights in the  digital age and  facilitate  business by simplifying rules for companies in the Digital Single Market. A single law will also do away with the current fragmentation and costly administrative burdens. The Directive for the police and criminal justice sector protects citizens' fundamental right to data protection whenever  personal  data  is  used  by  criminal  law  enforcement  authorities.  It  will  in particular ensure that the personal data of victims, witnesses and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism.

On 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonised data protection framework across the EU. The European Parliament's Civil Liberties Committee and the Permanent Representatives Committee (Coreper) of the Council then approved the agreements with large majorities. The agreements were also welcomed by the European Council as a major step forward in the implementation of the Digital Single Market Strategy.

On 8 April 2016 the Council adopted the Regulation and the Directive. And on 14 April 2016, the Regulation and the Directive were adopted by the European Parliament.

On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal in all the official languages. While the Regulation will enter into force on 24 May 2016, it shall apply from 25 May 2018. The Directive enters into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018. This included introduction of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). It also included Directive (EU) 2016/680  of  the  European  Parliament  and  of  the  Council  of  27  April  2016  on  the protection  of  natural  persons  with  regard  to  the  processing  of  personal  data  by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. The Channel Islands have committed to implementation of the requirements of both the Regulation and the Directive in 2018.

Privacy Shield Overview

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were  designed  by  the  U.S.  Department  of Commerce, and  the European  Commission and Swiss  Administration,  respectively,  to  provide companies on both sides of the  Atlantic with a mechanism to comply with data protection requirements when transferring personal data  from  the  European  Union  and  Switzerland  to  the  United  States in  support  of transatlantic commerce. On July 12, 2016, the European Commission deemed the EU-

U.S. Privacy Shield Framework adequate to enable data transfers under EU law (see the adequacy determination). On January 12, 2017, the Swiss Government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States.

The  Privacy  Shield  program,  which  is  administered  by  the  International  Trade Administration  (ITA)  within  the  U.S.  Department  of  Commerce,  enables  U.S.-based organisations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organisation will be required to self-certify to the Department of Commerce and publicly commit to comply with the Framework's requirements. While joining the Privacy Shield is voluntary, once an eligible organisation makes the public commitment to comply with the Framework's requirements, the commitment will become enforceable under U.S. law. This is an area we expect to come under increasing scrutiny and key developments will be added to the news pages of the Offices' websites.

Freedom of Information

The Freedom of Information (Jersey) Law 2011 provides public access to information held by Scheduled Public Authorities (SPAs). It creates a legal basis which entitles members of the public to request information from SPAs. The Law covers any recorded information that is held by a SPA in Jersey. SPAs are listed within Schedule 1 of the Law as:

1. The States Assembly including the States Greffe
2. A Minister
3. A committee or other body established by resolution of the States or by or in accordance with standing orders of the States Assembly
4. A department established on behalf of the States
5. The Judicial Greffe
6. The Viscount's Department
7. Andium Homes Limited (registered as a limited company on 13th May 2014 under Registration number 115713).
8. The States of Jersey Police Force
9. A Parish (effective from 1st September, 2015)

Recorded  information  includes  printed  documents,  computer  files,  letters,  emails, photographs, and sound or video recordings. It is defined in the Law as meaning information recorded in any form.'

The Law does not give people access to their own personal data (information about themselves) such as their health records or credit reference file. If a member of the public wants to see information that a SPA holds about them, they should make a subject access request under the Data Protection (Jersey) Law 2005.

In Guernsey, the Commissioner attended a meeting of the Committee for Home Affairs to discuss the Island's approach to freedom of information. We welcome the opportunity for constructive dialogue in this area and in light of our responsibilities in Jersey under the Freedom of Information (Jersey) Law 2011, have experience of delivering regulation in this area which may be helpful for Guernsey when considering options for the future. The Law came into force on 1 January 2015. A total of 736 requests were received by the Central FOI Unit during 2016, a slight increase upon the previous year's total of 691. Responses  to  FOI  requests  are  published  on  the  States  of  Jersey  website (www.gov.je/Government/FreedomOfInformation/Pages/index.aspx ).

In respect of the Office of the Information Commissioner, only one appeal under the Freedom of Information (Jersey) Law 2011 was submitted to the Commissioner during 2016, a decrease from the first full year of FOI which saw a total of four appeals made.

FOI Appeals Received

2015 4

2016 1

0 5

It is noted that whilst there was a 6.5% increase in the total annual number of FOI requests received between 2015 (691) and 2016 (736) the number of formal appeals to the Commissioner fell from four in 2015 to one in 2016. In considering the low number of appeals the Commissioner supports the view of this being partly influenced by greater communication between requestors and SPAs as well as greater public awareness of the Law. In addition, this also reflects the work of both the central FOI Unit and the Office towards increased transparency across scheduled public authorities.

The Commissioner is also aware of the intention to consider amendment and further development of the Law and looks forward to an opportunity to contribute towards this work for the benefit of the public and increased transparency of government. However, in doing so, it should be recognised that any amendment and development may result in the need for discussion regarding the resourcing and skilling of FOI practitioners engaged across the process.

In final consideration of the FOI Law it has to be noted that significant effort is extended by the Commissioner's staff in providing informal advice and assistance to both members of the public and SPAs at various stages of the FOI process prior to any formal appeal. This includes time taken for discussion, advice and mediation aimed at provision of information to the public along with greater public understanding of the machinery and workings of government. Whilst such work cannot necessarily be easily recorded, the benefits are recognisable in increased public awareness and improved transparency which is to be welcomed.

Financial statements (Jersey)

Income and Expenditure Account for the year ended 31 December 2016

2016  2015 Note  £  £  £  £

Income:

Registry fees  125,452  119,575 Guernsey re-charge  105,968  n/a

Total income  231,420  119,575

Contribution from the States of Jersey  308,900  273,700 Carry forward for FoI implementation/costs  n/a  100,000

Net income  540,320  493,275 Operating expenses:

Manpower costs:

Staff salaries, social security and pension  356,128  203,368 contributions

Supplies and services:

Total costs (to include but not limited to)  125,462  86,114

IT development, maintenance & software Books & publications

Legal fees

Conference and training fees

Pan-Island travel

Meals and entertainment

Public Relations

Public relations  768  5,132 Administrative costs:

Total costs (to include but not limited to)  11,227  16,589

Printing and stationery Telephone charges Postage

Other administrative costs

Premises and maintenance:

Total costs (to include but not limited to)  43,976  34,539

Utilities (incl. Electricity and water) Rent

Finance costs:

Bank charges  2,759  593

Total operating expenses  540,320  346,335 Excess of income over expenditure  0  146,940

Financial statements (Guernsey)

Income and Expenditure Account for the year ended 31 December 2015

2016  2015 Note  £  £  £  £

Income:

Registry fees  89,960  88,301 Total income  89,960  88,301 Contribution from States of Guernsey  116,000  112,000 Net income  205,960  200,301 Operating expenses:

Manpower costs:

Staff salaries, social security and pension  116,528  146,408 contributions

Supplies and services:

Total costs (to include but not limited to)  22,905  32,664

IT development, maintenance & software Books & publications

Legal fees

Conference and training fees

Pan-Island travel

Meals and entertainment

Public Relations

Public relations  2,770  250 Administrative costs:

Total costs (to include but not limited to)  4,475  4,892

Printing and stationery Telephone charges Postage

Other administrative costs

Premises and maintenance:

Total costs (to include but not limited to)  4,039  3,254

Utilities (incl. Electricity and water) Rent

Finance costs:

Bank charges  0  0

Total operating expenses  150,717  187,468 Excess of income over expenditure  55,243  12,833

Spreading the word' - GDPR leaflets on chairs at a Channel Islands' conference in early 2016.

Brunel House  Guernsey Information Centre

Old Street  North Esplanade

St Helier  St Peter Port

Jersey JE2 3RG  Guernsey GY1 2LQ

T. +44 (0) 1534 716530  T. +44 (0) 1481 742074

E. enquiries@dataci.org  E. enquiries@dataci.org W: www.dataci.je  W: www.dataci.gg