Annual Report 2018
OF THE JERSEY DATA PROTECTION AUTHORITY
Fulfilling the obligations of the Authority under Article 44 of the Data Protection Authority (Jersey) Law 2018 and the Information Commissioner under Article 43 of the Freedom of Information (Jersey) Law 2011.
R.63/2019
2018 HIGHLIGHTS & ACHIEVEMENTS
OUR ROLE AND AIMS
INTRODUCTION
View from the Chair | Information Commissioner Message
ORGANISATION
Who We Are | Office Structure
GOVERNANCE, ACCOUNTABILITY & TRANSPARENCY
The Data Protection Authority | Delegation of Powers | Board Structure | Board Meetings | Accountability Arrangements
SUMMARY OF DATA PROTECTION ACTIVITIES
Effective Data Protection | 2018 Operational Performance | Enforcement | Breach Reporting | Registration | Guidance
ANNUAL REPORT OF FREEDOM OF INFORMATION ACTIVITIES
Effective Freedom of Information | The Freedom of Information (Jersey) Law 2011 | 2018 Operational Performance & Appeals | Significant 2018 Decision Notices
INTERNATIONAL LIAISON
EUROPEAN DEVELOPMENTS
CORPORATE SOCIAL RESPONSIBILITY
FINANCIAL INFORMATION
• Successfully assessed and evaluated 141 data breaches
• Helped Jersey organisations, charities, businesses, & community to prepare for Data Protection (Jersey) Law (2018)
• 6 team members appointed: Compliance & Enforcement Manager, Communication & Operations Manager, Finance Manager & 3 Case Workers
• Reviewed and overhauled our internal compliance and enforcement protocols
• 184 data protection related cases investigated in 2018 – a 235% increase on 2017
• Think GDPR campaign reached over 16,000 users on the bespoke website alone
• Case handling procedures updated with a fresh emphasis on statistical analysis and performance measures
• Personal Information Awareness Program commenced in autumn 2018: we reached 260+ Jersey secondary school students
• Established financial controls in readiness for full independence
• Appointed Data Protection Authority Chair & non-executive board members
• Relocated to temporary offices
• We engaged with over 650 individuals over the course of 21 presentations
• Dr Jay Fedorak appointed as Information Commissioner
• 7 national & international privacy conferences attended by Commissioners
The Jersey Data Protection Authority's role, vision, mission, promise & 2018 aims
OUR ROLE
The Jersey Data Protection Authority (the Authority) is an independent statutory authority and its mission is to promote respect for the private lives of individuals through ensuring privacy of their personal information by:
• Implementing and ensuring compliance with the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018, and influencing thinking on privacy and processing of personal information on a local and international basis.
In addition, the Authority is responsible for providing advice and guidance to island businesses and individuals, and making recommendations to the States of Jersey in response to international data protection legislative changes.
The Information Commissioner has the separate responsibility to:
• Encourage public authorities to follow good practice in their implementation of the Freedom of Information (Jersey) Law 2011 and help to promote transparency by supplying the public with information about the law.
OUR VISION
A prosperous close-knit island community that embraces a collaborative and innovative approach to data protection, providing a leading-edge model to other jurisdictions.
OUR MISSION
To provide the people of Jersey with a high standard of data protection.
OUR PROMISE
To promote the information rights of individuals through a practical and ethical approach to business practice and regulation that supports the delivery of public services, and promotes the social and economic interests of the island.
OUR 2018 AIMS
Priorities
• To ensure our organisation is one that staff are proud to work for and makes a real difference to Jersey.
• To support Jersey's reputation as a well regulated jurisdiction.
What we want to achieve
• To promote sound information governance to help organisations succeed, while protecting the privacy of the individuals.
• To ensure that all those that handle personal information do so lawfully and responsibly.
• To encourage public authorities to embrace openness and transparency in all their activities whilst respecting an individual's right to privacy.
• To ensure that individuals know their information rights and how to exercise them.
• To provide an effective and user-friendly registration service.
• To ensure our regulatory approach is appropriate and fair.
• To promote embedding information rights in new laws, technology and public policy.
VIEW FROM THE CHAIR
It is a pleasure for me, as chair of the Jersey Data Protection Authority, to reflect on 2018, which was my first year in the role.
The world of data protection has transformed almost beyond recognition, since I first became involved, as head of the Dutch Data Protection Authority and Chair of the European Data Protection Article 29 Working Party (a former independent advisory body of data protection authorities from EU Member States, now the European Data Protection Board). Rapidly advancing technology has created new challenges for regulators, businesses and public authorities. It has also increased the risks to individuals of significant harm from the loss or theft of their data. The evolution of the internet and new forms of social media have resulted in vast amounts of personal data becoming public and remaining accessible indefinitely.
I am pleased to report that Jersey is adapting to this change. Jersey has followed Europe in implementing a more comprehensive data protection law in early 2018 that addresses the risks that technological developments have posed. The States of Jersey adopted the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018.
These new laws created a new Data Protection Authority to provide oversight of the Office of the Information Commissioner, as part of its transition towards greater administrative independence from the Government of Jersey, in line with requirements of the General Data Protection Regulation (GDPR).
I felt honoured to accept the role of Chair of the Authority in March 2018. After initially acting as Shadow Chair, I assumed full responsibilities as Chair when the new laws came into effect on 25 May 2018, the same day as the new European Data Protection Regulation (GDPR).
My first tasks were to assist in the recruitment of a new commissioner and additional members to join me on the Board of the Authority. I was delighted with the appointment of Dr Jay Fedorak in July 2018, who brought twenty-five years of international experience to the post, including having served as Deputy Commissioner of the Office of the Information and Privacy Commissioner for British Columbia, Canada, since 2012.
I am also proud of the quality of the professionals who have agreed to join me as non-executive directors of the Board. These individuals include:
• Clarisse Girot, who brings expertise and experience working in the field of data protection and privacy regulation in Europe and Asia and expertise in cross-border data flows
• David Smith, who formerly served for many years as Deputy to the UK Information Commissioner
• Gailina Liew, who has expertise in appointments, board governance and ethical implications of new technologies.
Their skills and knowledge will prove invaluable in guiding the Authority and the Office of the Information Commissioner through the challenges of Brexit and helping Jersey to retain the recognition of the European Commission for adequate data protection in accordance with the GDPR. The Board will benefit further from the recruitment of two additional non-executive directors: one who will be particularly knowledgeable in the Jersey financial environment and another individual to bring local political awareness to the table.
The general task of the Board is to provide administrative and operational oversight of the Jersey Office of the Information Commissioner. It is not involved directly in the activities of the Office in delivering services. Rather, it ensures that the Office remains accountable to the people of Jersey and properly fulfils its mandate to deliver services. The Board establishes a governance framework to ensure the Office operates efficiently and effectively in an ethical manner, according to the 'Principles of Public Life' (formerly known as the Nolan Principles).
The Board also provides advice to the Office, employing its expertise in data protection, governance, and local knowledge of Jersey government and industry.
The Data Protection Authority Law permits the Board, as the Authority, to delegate most of its functions to the Commissioner. However, there are certain powers that it cannot delegate. The most important is that it is the Board, not the Commissioner, who will determine whether to issue a fine for a contravention of the Law and how much that fine would be. This will ensure that there is due process and careful deliberation (with the benefit of the combined expertise of the Board) prior to the issuing of any fines. Another is that only the Board has the power to publicise the details of a particular investigation. As disclosing the details of an investigation can cause organisations harm to their reputations, the Board will ensure that we will publicise cases only where it is clearly in the public interest from the perspective of promoting compliance. Finally, the Board retains the responsibility for issuing an annual report.
Despite their constitutional independence, Jersey and Guernsey are similar culturally and economically. Many companies have a presence on both islands. Therefore, we believe that it is valuable for the data protection regimes to have close alignment. While the two islands have different laws and regulators, it is important that we interpret similar data protection terms consistently. We must ensure that we hold companies with offices in both islands to the same standards of compliance. Finally, it is likely that there will be cases involving the personal data of individuals of both islands that will require us to collaborate on our investigations. To this end, we have established open lines of communication between the two Offices and two Boards including meeting periodically. We are in the process of developing a memorandum of understanding to guide our close relationship into the future.
I wish to acknowledge the dedication of the team in the Office who have built the foundations of a strong regulator in the face of a remarkable series of changes. During the course of the last year, there have been new laws, a new mandate, a new governance structure, a new Commissioner, six new employees, an office move, a restructuring of the Jersey government, a tripling of the Office caseload and the uncertainty of a looming Brexit. Adapting to just one of those changes requires effort. Managing all of them requires extraordinary fortitude, resilience and flexibility. Our team has risen to these challenges with enthusiasm, professionalism and commitment. Their dedication, combined with the support of the broader community, has established the framework for providing the people of Jersey with a high standard of data protection.
I wish to recognise and thank Deputy Commissioner Paul Vane for providing a continuity of leadership throughout the course of this turbulent year. In particular, he fulfilled the position of Acting Commissioner during the six months between the departure of Emma Martins and the arrival of Jay Fedorak. He ensured a successful launch of the new data protection regime through a programme of public education and made the hiring decisions that built the foundations of the new office team. He exceeded expectations. His vast experience of data protection and other types of regulation in Jersey and his established network of relationships excellently complements Jay Fedorak's international experience, ensuring the people of Jersey benefit from both.
I am very pleased with our new team, on the Board and in the Office, and the leadership of the Commissioner and Deputy Commissioner. Like Jersey, we are small compared to other jurisdictions. Nevertheless, also like Jersey, I believe we have the potential to exercise a level of influence locally and internationally beyond our size.
Jacob Kohnstamm
Chair, Jersey Data Protection Authority
INFORMATION COMMISSIONER MESSAGE
I am pleased to present this annual report to fulfil two objectives.
The first is for the Jersey Data Protection Authority to meet its obligation under article 44 of the Data Protection Authority (Jersey) Law 2018 to produce a report on its activities during each fiscal year. The second is to meet my obligation as Information Commissioner to prepare a report on the exercise of my functions under the Freedom of Information (Jersey) Law 2011. These functions are in addition to the data protection responsibilities that the Authority has delegated to me, and the Authority has no formal role under the Freedom of Information Law. Nevertheless, we have integrated the two reports for the purposes of convenience and cost savings.
The year 2018 was a dynamic and challenging one both in the world of data protection and Jersey generally.
As Chair Kohnstamm has indicated, there were significant changes to the Jersey Office of the Information Commissioner in terms of personnel, structure, oversight and resources. The Government of Jersey strengthened our data protection laws to keep up with GDPR, the new international standard. There has been a transition in the Jersey public services and change to the Jersey economy, with growth in the digital sector. On top of all of this, the looming prospect of Brexit and its possible implications for Jersey have created uncertainty and anxiety.
This makes it an exciting and professionally rewarding time to be in Jersey. I am pleased to report that members of the community here that I have met have been supportive both personally and professionally. Many employees of businesses and government in Jersey demonstrate a comprehensive appreciation of the value of data protection. They are very receptive to the message of our Office that effective data protection, implemented the right way, is good for business and good for public services. It increases public confidence and respect for brand, while reducing financial and reputational risks. While there always is room for improvement in implementation of the new laws, and I am sure that we will come across some less cooperative organisations, Jersey is fortunate to have a solid base of good will and good faith in data protection compliance. However, data protection compliance is a journey not a destination. It did not stop on 25 May 2018. It is ongoing and requires diligent oversight of the security of data assets and ensuring that employees continue to follow proper policies and procedures.
The new data protection laws give new rights to individuals and new responsibilities to businesses, government, and our office. Our focus in 2018 was to make individuals and organisations aware of the new laws and to build up the capacity of our Office to meet our new responsibilities. Prior to 25 May, we educated the public and business about the new laws and compliance with them. The greater level of awareness that we created resulted in a growing workload with more complaints from individuals and more self-reported data breach notifications from organisations. By the end of the year, our workload had almost tripled compared to 2017.
We began the year with only four employees, including the Commissioner. With the support of the Government and States of Jersey, we received enough funding to increase our staff complement to nine by year-end.
This required an extensive recruitment initiative. As a result, we outgrew our existing office space, necessitating a move to a new location. It was a challenge to juggle these administrative responsibilities, while ensuring service quality in the handling of individual cases. It was owing to the support of my talented team that we were able to succeed.
Jersey is taking a more active role on the international stage, and we are playing our part. We participate in several international Data Protection and Freedom of Information forums and are more active than we have been in the past. I have taken advantage of opportunities to speak to create awareness of the strength of our data protection regime in Jersey. I am hoping that international regulators, governments and businesses will conclude from my presentations that Jersey is a safe place to invest and conduct business involving personal data.
While I am pleased with the level of interest in data protection, I am surprised with the level of awareness of rights under the Freedom of Information Law. I issued a significant decision notice relating to a request for the employment contract of the Chief Executive of the Government of Jersey, but we only received three other appeals. The purpose of the Freedom of Information Law is to make public authorities more accountable to the public. This supports good public policy decision-making. The awareness that information is eligible for disclosure gives politicians and officials greater incentive to make decisions that follow established policies and procedures and serve the public interest. Individuals and the media can play an important role in preserving our democratic system of government by scrutinising their decisions and activities, including through requests for information. If they are dissatisfied with the response they receive to their request, they can request a reconsideration and then an appeal to our Office. We have the ability to compel public authorities to disclose information where the Law requires. We also provide a valuable service when we confirm a public authority has responded appropriately. I encourage individuals to request information on public policy issues that they consider to be important and to appeal to our Office when they are dissatisfied or unsure about the response they receive.
We look forward to further collaboration with the community to promote the information rights of individuals in 2019. We plan to develop further resource materials to assist with compliance and increase our public education programme.
Jay Fedorak PhD
Information Commissioner Jersey, Channel Islands Commîns d'l'Înformâtion d'Jèrri, îles d'la Manche
Organisation
WHO ARE WE | ORGANISATIONAL STRUCTURE
The Jersey Data Protection Authority includes the Office of the Information Commissioner. The Authority is the independent office responsible for overseeing the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018. The Office of the Information Commissioner is also responsible for overseeing the Freedom of Information (Jersey) Law 2011.
The Data Protection (Jersey) Law 2018 gives citizens important rights including, but not limited to, the right to know what information public authorities and companies hold about them and how they handle that information, and the right to request correction of their information. The Data Protection Law in Jersey helps to protect the interests of individuals by obligating organisations to manage the personal information they hold in a fair, lawful and transparent way, as well as being accountable to their customers and to themselves for their actions.
One of our primary functions is to make individuals aware of their rights and to ensure public authorities and companies are aware of their responsibilities. Another is to conduct investigations into complaints by individuals about public agencies or companies concerning the management of personal data. We also manage the process of registration of public authorities and companies under the Data Protection Law. In addition to investigating complaints that individuals bring to our attention, we can proactively investigate or audit general compliance with the laws.
The Freedom of Information (Jersey) Law 2011 gives people a general right of access to information held by most public authorities in Jersey. Aimed at promoting a culture of openness and accountability across the public sector, it enables a better understanding of how public authorities carry out their duties, why they make the decisions they do and how they spend public money by requiring the disclosure of information in those areas.
Our primary function is to fulfil the second stage of the appeals function: a person dissatisfied with a decision of a scheduled public authority may appeal to the Information Commissioner. The office fully reviews each appeal submitted and undertakes a thorough analysis of the first appeal, all case material and where applicable drawing on precedents and the public interest test. The Information Commissioner will serve a notice of the decision in respect of the appeal on the applicant and on the scheduled public authority.
Office Structure January 2018
States of Jersey
• Acting Information Commissioner
• Director of Policy & Compliance
• Office Manager/PA
The diagram above shows the team structure at the beginning of 2018; the diagram to the right shows the structure as at the close of 2018.
Office Structure December 2018
• Board Chair
• Non-Executive Director (five positions, the fifth marked *)
• Information Commissioner
• Deputy Information Commissioner
• Operations and Communications Manager
• Compliance and Enforcement Manager
• Finance Manager (P/T)
• Admin: Office & Facilities Manager
• Casework team: Snr. Case worker, Snr. Case worker, Case worker
*Not yet recruited
The EU Data Protection Directive 95/46 required that supervisory authorities be independent and effective. The GDPR extended these requirements to include the power to issue fines and sanctions. Prior to 2018, the Office of the Information Commissioner was a non-ministerial department of the Government of Jersey and subject to Government oversight. From 25 May 2018, the Information Commissioner became accountable to the independent Data Protection Authority in accordance with the new Data Protection Authority Law.
The data protection laws give the Authority and the Commissioner greater responsibilities with respect to public education, conducting investigations, receiving reports of breaches and consulting with public authorities and companies. This has led to a growth in workload that requires additional resources. The office has grown from three staff members at the beginning of the year to nine at the end of 2018. Our broader range of skills and resources has facilitated further public education. Growth in the casework team has enabled the office to keep up with the growing demand of complaints.
Governance, Accountability & Transparency
The Data Protection (Jersey) Law 2005 established the position of Data Protection Commissioner and the Freedom of Information (Jersey) Law 2011 established the function of Information Commissioner.
From 25 May 2018, the Authority will appoint future Information Commissioners under the Data Protection Authority (Jersey) Law 2018.
THE DATA PROTECTION AUTHORITY | DELEGATION OF POWERS | BOARD STRUCTURE
The general purpose of the Authority is to provide administrative and operational oversight of the Office of the Information Commissioner:
• It performs a non-executive function and does not participate in the daily activities of the Information Commissioner.
• It provides direct independent oversight of the Office of the Information Commissioner, replacing the States government in this function.
The board has the public responsibility to:
• Ensure that the Office of the Information Commissioner in Jersey remains accountable to the people of Jersey, in properly fulfilling its mandate and delivering quality services to its stakeholders.
• Ensure that the office provides value for money and complies with appropriate policies and procedures with respect to human resources, financial and asset management, and procurement. This includes formal approval of any single item of expenditure in excess of ten percent of the operating budget for the Office of the Information Commissioner.
The Authority also provides an advisory function to the office. With a balance of expertise in data protection, governance, and local knowledge of Jersey government and industry, the Authority provides strategic guidance to the Office of the Information Commissioner with respect to fulfilling its mandate effectively and efficiently.
At times, the board may also provide strategic advice with respect to the handling of particular cases.
There are other powers and functions that the Authority may exercise under the Law, most notably:
• enforcing the Law
• promoting public awareness of data protection issues
• promoting awareness of controllers and processors of their obligations
• cooperating with other supervisory authorities
• monitoring relevant developments in data protection
• encouraging the production of codes
• maintaining confidential records of alleged contraventions
The Board has delegated all of these other powers to the Commissioner. It reserves the right, however, itself to exercise those functions in particular cases, at its discretion.
There are certain functions that the Data Protection Authority Law stipulated that the Authority must perform without delegating to the Commissioner. The most important is that only the board can decide whether to issue fines for contraventions of the Law. While the Office of the Commissioner (OIC) will make the official finding in each case as to whether a contravention has occurred, it is the Authority that will determine whether a fine will be applicable and the value of that fine.
The board is currently comprised of a non-executive chair and three non-executive directors, which the Chief Minister appointed in accordance with the Law in October 2018.
BOARD MEETINGS
The board held its inaugural meeting in October 2018. The first meeting focussed on establishing protocols and procedures to ensure that the Board and Office of the Commissioner are fit for purpose. Protocols discussed included:
• draft corporate governance protocol
• code of practice
• disclosure of interests
• appointment of auditors
• strategic plan
• delegation of powers
BOARD MEMBERS REMUNERATION
For 2018 the chair of the Jersey Data Protection Authority was paid £750 per day for his services and the non-executive board members were paid £600 per day.
ACCOUNTABILITY ARRANGEMENTS
To function as an effective regulator and to implement the Data Protection (Jersey) Law 2018 requirements, the Authority requires workable and sustainable funding and demonstrable independence. The implementation of the Data Protection Authority (Jersey) Law 2018 and the establishment of an overarching Board structure help to achieve this level of independence.
Summary of 2018 Data Protection Activities
Benefits of effective data protection
The Jersey Laws apply to both the public and private sectors.
• It helps redress imbalance between the individual and the state, but also between the individual and companies that collect, process and communicate their data to third parties.
• It preserves democracy, but also protects the individual in the face of massive technological change and generates trust in the digital economy.
2018 OPERATIONAL PERFORMANCE
Complaints
The significant increase in numbers of cases in 2018 has in part been due to our ongoing work to ensure individuals know their rights and are empowered to raise concerns. We continue to focus energy where possible on this important aspect of our role. Managing the volume of work as well as expectations at the same time as the OIC is going through significant changes continues to challenge us. Our compliance and enforcement team approach each complaint with the same objectivity and thorough process.
We received 184 data protection related complaints during 2018, representing a 235% increase on the 55 complaints recorded in 2017. As expected, Jersey's biggest business sectors received the most complaints, but there has been a notable increase in the number of complaints involving the health sector. The significant rise in complaints regarding financial institutions is noteworthy as is the volume of complaints involving retailers.
With the change of the law, we are unable to make direct comparisons, but we will be able to provide appropriate comparable statistics for future years.
We continue to foster constructive relationships with the data controllers and data subjects to ensure that we can all learn and benefit from the 'lessons learned' from the complaints. A significant portion of the workload continues to involve responding to general enquiries, the breadth and depth of which varies significantly. Where we receive formal complaints, we strive to work with all parties towards a mutually satisfactory resolution. This is not always possible. One reason is that there has been an increase in cases where there are complex interlinked issues regarding employment grievances or legal proceedings in a family or civil court.
[Chart: Who did people complain about? Categories: Retailers, Public Authorities, Other, Leisure and Travel, Legal Profession, Health Sector, Hospitality, Financial Institutions, Uncategorised. Years and totals: 2016 [52], 2017 [55], 2018 [184].]
ENFORCEMENT
The Authority did not issue any formal undertakings or enforcement notices in 2018. We were able to close all of our cases without the need to resort to formal enforcement action.
There was one case where we had to resort to issuing a formal information notice for us to obtain information necessary to conduct the investigation because the organisation declined to provide it informally.[1] The organisation complied with the notice. As the investigation is continuing, we are unable to provide any further details.
The majority of our 2018 work centred on guiding data controllers and processors through compliance with the new legislative requirements. Additionally we commenced developing our Regulatory Action Policy and fining regime.
The new 2018 law provides for substantive fines and sanctions for contraventions of the Data Protection (Jersey) Law; it is our intention to use these as a position of last resort. Our vision is to work collaboratively with the community to educate and guide data controllers, processors and data subjects to reduce breaches, complaints and contraventions. Our sanction process must be seen to be fair, reasonable and proportionate.
The Authority can determine if an administrative fine is required according to Article 26 of the law and will consider:
• the nature, gravity and duration of the contravention.
• whether the contravention was intentional or neglectful.
• the action taken by the controller or processor to mitigate the loss or damage or distress suffered.
• the degree of responsibility of the person concerned and the technical and organisational measures implemented for the purposes of data protection.
• previous contraventions.
• the degree of cooperation with the Authority.
• the categories of personal data.
In ordering any fine, the Authority must take into account the need for fines to be effective; be proportionate; and have a deterrent effect.
BREACH REPORTING
The Data Protection (Jersey) Law 2018 specifies that 'In the case of a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach in writing to the Authority in the manner required by the Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons'.
The breach obligations in the law go on to specify that the notification must:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
- describe the likely consequences of the personal data breach.
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The controller must document any personal data breaches, including the facts relating to the personal data breach, its effects and the remedial action taken, in such detail as will enable the Authority to verify compliance with this Article.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subject(s):
- without undue delay.
- in clear and plain language describing the nature of the personal data breach.
- giving the information referred to in paragraph (3)(b) to (d).
Mandatory breach reporting is a new obligation for data controllers and processors under the 2018 law and our aim is to ensure that the reporting process is as straightforward as possible. The mandatory breach reporting aligns Jersey with modern global data protection standards. We have collaborated with industry throughout the year to maintain constructive communications so that we can all learn from breach occurrences, ensuring meaningful engagement and the highest levels of data security for the public.
Since early in 2018, we have emphasised that reporting breaches can benefit both affected individuals and the organisations involved. Our caseworkers can assist organisations in containing breaches and mitigating the resulting harms. Breaches can be traumatic for members of staff and carry serious reputational damage for businesses. Our team works sympathetically, yet professionally, when reporting officers contact our office.
While there may be occasions where breaches warrant a regulatory response, such as a decision notice or fine, we will reserve the most punitive sanctions for cases of deliberate, wilful, negligent, repeated or particularly harmful non-compliance. Failure to report a breach we become aware of from other sources could also result in a severe penalty.
Reports also provide our office with information about data security incidents, allowing us to identify systemic issues.
We received 141 self-reported data breaches in 2018 for the full year: 20 breaches reported from 1 January to 24 May and 121 breaches reported to our office after 25 May.
REGISTRATIONS
The Data Protection Authority (Jersey) Law 2018 clearly obliges data controllers and processors to register with our office:
- A controller or processor established in Jersey must not cause or permit personal data to be processed without being registered as a controller or processor under this Article.
- An application for registration made to the Authority must:
  - include the fee as specified by the Authority.
  - be in a form and manner required by the Authority; and
  - include any information required by the Authority.
- Upon receipt of an application made in accordance with the Law, the Authority must register the applicant as a controller or processor as the case may be.
- The Authority must:
  - maintain a register of controllers for the purposes of this Law.
  - publish any such information as the Minister may by Order prescribe.
- A person who contravenes paragraph (1) is guilty of an offence.
Article 18 Data Protection Authority (Jersey) Law 2018 Page - 16 L.4/2018.
While registration does not directly improve the protection of personal data, it does create transparency about how organisations manage their data, giving them a greater level of awareness of their obligations and an incentive to comply. It also helps to inform the public about which organisations manage personal data. At the close of business on the 31 December 2018, we had 4,501 live registrations for Jersey organisations.
We recognise that the registration process can be challenging and time-consuming, particularly for small and medium sized organisations, clubs and associations. In 2018, we commenced a review of the registration system, including the required fields, to simplify the process, reduce the amount of information required and reduce the administrative burden for controllers and processors. We anticipate that a new registration model will be completed by quarter 3 of 2019.
GUIDANCE
We launched a bespoke 'Think GDPR' website and developed comprehensive guidance documents to help Jersey business and community to begin to understand GDPR and the Data Protection (Jersey) Law 2018.
The 'Think GDPR' website hosted a wealth of guidance covering: essential steps to GDPR compliance; what GDPR means for SMEs; a GDPR implementation plan; and more. The website received heavy use between March 2018 and July 2018 (around the introduction of EU GDPR on 25 May) with most visitors viewing the overview, resources, the GDPR guidance and questionnaires. The infographics provided pictorial practical information helping with GDPR compliance.
The graph below highlights the activity on the 'Think GDPR' website throughout 2018. In total in excess of 16,000 visitors researched information on the site.
[Chart: User activity 2018, by month]
[Image: Supporting printed collateral for 'Think GDPR']
Additional Guidance
The change in law necessitated new guidance to be provided to help the business community, States of Jersey Members and the public to understand the new and updated obligations and individual rights.
We published refreshed and new guidance on:
• guidance for States' members
• guidance on transitional provisions
• the data protection principles
• key definitions
• guidance for SMEs
• guidance on breach reporting
• duties of data controllers
• guidance on registrations of controllers and processors
• guidance on sanctions
• guidance on criminal offences and civil remedies
We also presented a range of infographics and briefing papers to help support the community through the legislative changes.
Annual Report of Freedom of Information Activities
Benefits of effective freedom of information
• Improves accountability of scheduled public authorities.
• Promotes good governance and transparency.
THE FREEDOM OF INFORMATION (JERSEY) LAW 2011
The Freedom of Information (Jersey) Law 2011 provides public access to information held by Scheduled Public Authorities (SPAs). It creates a legal right for individuals to request information from SPAs. The Law covers all recorded information that is held by an SPA in Jersey. Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings. It is defined in the Law as meaning 'information recorded in any form'.
The Law gives individuals access to any information, apart from their own personal data (information about themselves) such as their health records or credit reference file. The Data Protection (Jersey) Law 2018 gives the proper avenue to access their own personal data.
Scheduled Public Authorities are listed within Schedule 1 of the Law as:
• the States Assembly including the States Greffe
• a minister
• a committee or other body established by resolution of the States or by or in accordance with standing orders of the States Assembly
• a department established on behalf of the States
• the Judicial Greffe
• the Viscount's Department
• Andium Homes Limited (registered as a limited company on 13th May 2014 under registration number 115713).
• the States of Jersey Police force
• a Parish
Our role in the Freedom of Information Law spans the following functions:
• To encourage public authorities to follow good practice in their implementation of this Law and the supply of information.
• To supply the public with information about this Law.
• To fulfil the second stage of the appeals function - a person aggrieved by a decision of a scheduled public authority may, within 6 weeks of the notice of that decision being given or within 6 weeks of the date the applicant has exhausted any complaints procedure provided by the scheduled public authority, appeal to the Information Commissioner.
• The Information Commissioner must decide the appeal as soon as is practicable but may decide not to do so if the Commissioner is satisfied that:
– the applicant has not exhausted any complaints procedure provided by the scheduled public authority;
– there has been undue delay in making the appeal;
– the appeal is frivolous or vexatious; or
– the appeal has been withdrawn, abandoned or previously determined by the Commissioner.
• The Information Commissioner must serve a notice of his or her decision in respect of the appeal on the applicant and on the scheduled public authority.
The notice must specify:
– the Commissioner's decision and, without revealing the information requested, the reasons for the decision; and
– the right of appeal to the Royal Court conferred by Article 47.
• Each year the Information Commissioner must prepare a general report on the exercise by the Information Commissioner of his or her functions under this Law during the preceding year.
In final consideration of the Freedom of Information Law it has to be noted that significant effort is extended by the Commissioner's staff in providing informal advice and assistance to both members of the public and SPAs at various stages of the Freedom of Information process prior to any formal appeal. This includes time taken for discussion, advice and mediation aimed at provision of information to the public along with greater public understanding of the machinery and workings of government.
2018 OPERATIONAL PERFORMANCE & APPEALS
The Central Freedom of Information Unit received a total of 736 valid requests during 2016, 809 valid requests in 2017 and 734 valid requests in 2018.
The decrease corresponds with a quiet period between March and July, during the States of Jersey election.
Please note that the chart represents all Freedom of Information requests received, including subject access requests for personal information sent in error.
Copies of responses to Freedom of Information requests are available on the States of Jersey website gov.je/Government/FreedomOfInformation/Pages/index.aspx
FOI Appeals 2015 – 2018
2015: 4 | 2016: 1 | 2017: 4 | 2018: 4
Number of requests received per month up to 31 December 2018
The annual volume of Freedom of Information requests has been consistent since 2015. Appeals have also remained consistently low. The possible reasons for this are:
• greater communication between requestors and scheduled public authorities
• greater public awareness of the Law
• results of the work of both the central FOI Unit and the Office towards increased transparency across scheduled public authorities
• reluctance about pursuing a second stage appeal to our office.
[Chart: Requests by month and year]
SIGNIFICANT 2018 DECISION NOTICES
We issued four formal decision notices in 2018 following the appeals submitted to us. The decision notices relate to the following information regarding:
• the Government of Jersey workforce modernisation program
• water pollution in certain areas of the island
• SATS (Standard Assessment Tests) exam results in 2017 and secondary school inspection reports
• the employment information of the chief executive for the States of Jersey, including his contract.
In each case, the Commissioner conducts a formal hearing adhering to the principles of administrative fairness and the laws of natural justice. The Commissioner provides the public authority and the applicant with an opportunity to submit any information. It is essential that both parties make full and complete arguments in support of their contentions and provide adequate evidence, as opposed to mere speculation, to support those arguments.
The Commissioner presumes that when making its submissions, each party is providing all relevant material that is available at the time of the assessment.
The Commissioner issues a Decision Notice based on the submissions of the parties, the precise wording of the legislation and any relevant case law. The decision is unbiased and includes adequate reasons. If a party is dissatisfied with the Decision Notice, the only avenue of appeal is to the Royal Court. The Royal Court may review the Commissioner's decision to determine whether it was reasonable.
International Liaison
The Commissioner and Deputy attended key international conferences throughout 2018 broadening their knowledge and raising Jersey's profile.
CONFERENCE OF EUROPEAN DATA PROTECTION AUTHORITIES: "Data Protection – Better Together"
May
The conference in Albania drew together a broad range of attendees to debate territorial scope, challenges of data protection in humanitarian action and the influence of European standards on other systems.
ASIAN DATA PRIVACY LAWS WORKSHOP LONDON
5 October
The Commissioner attended the half day workshop in London titled 'Asian Data Privacy Laws and their impact on business'. The workshop explored to what extent the Asian laws are responding to the EU Data Protection Regulation and the latest privacy law developments in India, China, Japan and Korea.
17TH ANNUAL CONFERENCE PDP
11 and 12 October
The Deputy Commissioner joined attendees for the 17th Annual PDP Conference in London. The 17th Annual conference provided industry experts and regulators with an opportunity to analyse the practical components of the GDPR and the Data Protection Act 2018 helping organisations to ensure they are fully compliant.
THE INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS ANNUAL CONFERENCE BRUSSELS
21 – 25 October
The International Conference of Data Protection and Privacy Commissioners (ICDPPC) is a worldwide annual forum at which independent regulators on privacy, data protection and freedom of information adopt high level resolutions and recommendations addressed to governments and international organisations.
The Conference first met in 1979 and provides international leadership to data protection, privacy and freedom of information by connecting the efforts of 115 privacy and data protection authorities from across the globe.
The Commissioner and Deputy Commissioner benefited from the International Conference of Data Protection and Privacy Commissioners in Brussels. Titled 'Debating Ethics – Dignity and Respect in data driven life', this was the 40th International Conference of Data Protection and Privacy Commissioners. The 2018 conference focussed on exploring beyond compliance mechanisms, to understand how the digital age is changing society and people's daily lives and see how ethics can help challenge the inequalities and unfairness which increasingly characterise our digitised societies and economies.
CHATHAM HOUSE ILLICIT FINANCIAL FLOWS LONDON
November
The head of Jersey Finance invited the Commissioner to attend the Chatham House Illicit Financial Flows conference in November 2019. The conference shared expert insights from senior policy-makers and key stakeholders on illicit finance and money laundering.
MEETINGS WITH DATA PROTECTION REGULATORS
The Commissioner met with the Information Commissioner's Office in the UK in September and the Data Protection Authority (Guernsey) later in the year. The ongoing dialogues and positive relationships with other data protection regulators provide a great platform for sharing experiences, best practices and ensuring consistency of interpretation and application of the law.
British, Irish and Islands' Data Protection Authorities (BIIDPA) meeting
The Deputy Commissioner attended the British, Irish and Islands' Data Protection Authorities (BIIDPA) meeting that was held in the Isle of Man in June 2018.
These meetings provide a platform for the exchange of useful information to ensure a consistent approach to the treatment of issues that are of common interest. For a number of years now, Jersey has played an active role in discussions between the British, Irish and Islands' Data Protection Authorities. Representatives of the regulators from the UK, Ireland, Jersey, Guernsey, the Isle of Man, Gibraltar, Malta and Cyprus meet annually to discuss the challenges, share best practice and ensure cooperation where appropriate.
PUBLIC ENGAGEMENTS & AWARENESS SESSIONS
The Deputy Commissioner gave 21 talks to a wide range of audiences in 2018. The number of awareness sessions rose gradually throughout the year, ranging from simple talks to the public to detailed, technical seminars to industry.
For example Paul Vane presented to a taxi company, General Practitioners, Jersey Farmers Union, PwC, Jersey Business and Chartered Institute of Management. Paul Vane spoke to over 650 people regarding data privacy. Paul also spoke to members of the public in talks held at Jersey Library.
The Commissioner, Deputy Commissioner and staff receive invitations to undertake speaking engagements and provide awareness sessions to industry representatives and professional bodies.
[Chart: Public Engagements & Awareness Sessions: 22% Public; 0% Legal; 4% Health; 9% Finance; 65% Professional Bodies]
The Jersey Data Protection Association
The Commissioner presented to members of the Jersey Data Protection Association in November 2018. Dr Fedorak shared with the members 'What's been on his office's agenda since May 2018?'
The Jersey Data Protection Association (JDPA) was formed 'to help all organisations in Jersey to understand, respond and comply with the demands of customers, employees, suppliers and regulators in the field of data privacy and protection'. The JDPA committee includes representatives from various industry sectors including Financial Services, Public Sector, Digital, the Legal Profession, Retail, Tourism and Hospitality, Energy and Construction.
The Jersey Association of Trust Companies
In November, the Jersey Association of Trust Companies (JATCo) invited the Commissioner to reflect on the activities of our office in 2018 considering both data protection and freedom of information responsibilities.
The Jersey Association of Trust Companies is an organisation that represents the majority of trust companies in Jersey. JATCo represents its members' interests to government and financial services regulators. It also runs an educational programme to enable decision makers and opinion formers (both locally and further afield) to have critical information upon which to make decisions affecting the Island's trust industry.
European Developments
"Maintaining free data flows between Jersey and other countries is fundamental to our Island's economy"
On 4 May 2016, the EU Official Journal published the official texts of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. The GDPR came into force on 24 May 2016, and applied from 25 May 2018. EU Member States were supposed to transpose it into their national law by 6 May 2018.
It also published the Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
Jersey implemented the requirements of both the GDPR and the Directive in 2018, as the first non-EEA jurisdiction. The Island's new legislative framework came into force on the same day the GDPR came into force, 25 May 2018.
Maintaining free data flows between Jersey and other countries is fundamental to our Island's economy, particularly the operations of the financial services industry. Jersey currently benefits from the European Commission treating it as a third country providing adequate levels of data protection under the former European Data Protection Directive 95/46/EC. This permits companies in EU member states to transfer personal data to Jersey without the need for additional levels of protection through binding corporate rules or standard contractual clauses.
This free flow of personal data is a great benefit to our economy and is worth preserving. The current adequacy designation remains in place pending a review by the European Commission of our new legislation in comparison to the requirements of the GDPR. We are hopeful that our new data protection regime implemented in May 2018 will receive a favourable assessment during this review.
Corporate Social Responsibility
Our team enthusiastically focussed on shrubs and plants for two days in 2018 to help support the excellent work of Jersey Hospice. The Commissioner and Deputy Commissioner were among the team who cleaned out planters, swept paths, pruned shrubs, cleaned the water feature and spruced up the green house.
Jay Fedorak said it was rewarding to contribute, even in a small way, to the total philosophy of care and patient well-being offered by the team at Jersey Hospice. We are committed to continuing our work in the community throughout 2019.
The small team has raised sponsorship for Children-in-Need and MacMillan Cancer Support through simple events involving baking and stair climbing.
We will be developing environmental policies in 2019/20. We have strived to 'upcycle' and 'recycle' as much office waste as possible to date.
Financial Information
The States of Jersey provided the office with a base budget for 2018 that it established as part of its routine budget development process in 2017. It subsequently allocated additional funding to the office for preparation and implementation of the new laws. We are working with the Government of Jersey on a model to ensure adequate funding for the office for future years.
The recruitment of the new Finance Manager in 2018 assisted our office in establishing greater financial independence from the Government of Jersey.
| | 2017 | 2018 | notes |
|---|---|---|---|
| Registry fee | 125,519 | 214,277 | |
| Guernsey recharge | 67,057 | 6,151 | |
| Total income | 192,576 | 220,428 | |
| Contribution from the Government of Jersey | 399,700 | 454,971 | |
| Additional contribution from the Government of Jersey | | 313,660 | 1 |
| Net income | 592,276 | 989,059 | |
| Manpower costs | 360,413 | 467,328 | 2 |
| Supplies and services | 163,250 | 329,508 | 3 |
| Administrative costs | 12,040 | 16,243 | 4 |
| Premises and maintenance | 44,252 | 86,748 | 5 |
| Finance cost | 11,758 | 1,614 | 6 |
| Total operating cost | 591,713 | 901,441 | |
| Surplus | 563 | 87,618 | 7 |

Notes to financial information for 2018
1. Additional funding was allocated to the OIC to assist with Data Protection (Jersey) Law 2018 preparation and implementation
2. Staff increased by 5 full time equivalent in 2018
3. Includes consultancy fees, recruitment fees and legal and professional fees
4. Increase in administration costs due to increased staff using telephones, printing, photocopying etc.
5. Increase in premises costs due to interim accommodation costs
6. Finance costs are bank charges
7. The surplus has resulted from an increase in the number of entities registering with the OIC
2nd Floor, 5 Castle Street, St. Helier, Jersey, JE2 3BT | +44 (0) 1534 716 530
www.jerseyoic.org