
Jersey Office of the Information Commissioner Annual Report 2021

This content has been automatically generated from the original PDF and some formatting may have been lost. Let us know if you find any major problems.

Text in this format is not official and should not be relied upon to extract citations or propose amendments. Please see the PDF for the official version of the document.


JERSEY OFFICE OF THE INFORMATION COMMISSIONER

ANNUAL REPORT

R.82/2022

Fulfilling the obligations of the Authority under Article 44 of the Data Protection Authority (Jersey) Law 2018 and the Information Commissioner under Article 43 of the Freedom of Information (Jersey) Law 2011.

Contents

SECTION 1-3: THE JERSEY DATA PROTECTION AUTHORITY'S ROLE, VALUES, VISION, PURPOSE AND 2021 STRATEGIC OUTCOMES

Our Role

Our Values

Our Vision

Our Purpose

2021 Strategic Outcomes

Statement from the Chair

Information Commissioner's Foreword

SECTION 4: THE JERSEY DATA PROTECTION AUTHORITY

Governance, Accountability & Transparency

Authority Structure & Authority Report

Governance Report

Authority Sub-Committees

SECTION 5: PRINCIPAL AND EMERGING RISKS

Summary of Principal Risks

SECTION 6: PERFORMANCE REPORT

SECTION 7: 2021 CASE DATA

SECTION 8: 2021 CASE OUTCOMES

SECTION 9: BREACH REPORTING

SECTION 10: ENFORCEMENT AUDITS

SECTION 11: ANNUAL REPORT OF FREEDOM OF INFORMATION ACTIVITIES

SECTION 12: ENVIRONMENTAL, SOCIAL AND GOVERNANCE

SECTION 13: OUTREACH AND COMMUNICATIONS

SECTION 14: REMUNERATION AND STAFF REPORT

SECTION 15: FINANCE REPORT

SECTION 16: AUDITED FINANCIAL STATEMENTS

2021

100 guests attended our lively debate "Your Privacy - A price worth paying?"

Following school sessions, 80% of students said they understood importance of protecting their personal information.

90 complaints handled.

6692 organisations registered.

Commended by Global Privacy Assembly for Covid-19 guidance.

180 guests at JOIC events.

Handled 232 self-reported data breaches.

Interactive Let's Go DPO network created.

75% of attendees said information presented would benefit them personally and professionally.

Association francophone des autorités de protection des données personnelles (AFAPDP), Global Privacy Enforcement Network (GPEN), International Association of Privacy Professionals (IAPP), British Isles and Irish Data Protection Authorities Association (BIIDPA).

Our Role

The Jersey Data Protection Authority (the Authority) is an independent statutory body established to promote respect for the private lives of individuals through ensuring privacy of their personal information by:

Implementing and ensuring compliance with the Data Protection (Jersey) Law 2018 (the DPJL) and the Data Protection Authority (Jersey) Law 2018 (the DPAJL).

Influencing attitudes and behaviours towards privacy and processing of personal information, both locally and internationally.

Providing advice and guidance to Island businesses and individuals and making recommendations to the Government of Jersey in response to changes in international data protection laws.

The Information Commissioner has separate responsibility for implementing the Freedom of Information (Jersey) Law 2011 (the FOI Law). This includes encouraging public authorities to follow good practice in their implementation of the FOI Law (including adherence to the relevant code of practice) and help to promote transparency by supplying the public with information about the law and advice and guidance on how to exercise their rights.

Our Vision

Our vision is to create an island culture whereby the protection of personal data and privacy becomes instinctive, with individuals and organisations taking a proactive approach to embed such protection throughout their daily activities and business planning.

Our Purpose

To provide those who interact with Jersey organisations and the Government of Jersey with the highest standard of personal data protection.

Our Values

Our values are hugely important to us, they create our identity and inform how we do business. We created our values to be more than words on a page, using them to guide decisions, select behaviours and drive continuous improvement in our service. Our values apply to us all, regardless of rank and flow through each area of our service, every day.

We are Fair

We treat people equally, without favouritism or discrimination. We are impartial in our activities and free from bias or dishonesty. We are competent, reliable and respectful. Our decisions are open, honest and rationalised by a sound evidence base to promote integrity and trust.

We are Collegial

We share responsibility, including being honest and fair in our conduct towards others. We are willing to be judged on our performance. We work together to achieve our strategic outcomes. A collaborative approach allows us to work effectively together or individually. We communicate clearly, actively listen to others, take responsibility for mistakes, and respect the diversity of our team. We demonstrate impartiality and accountability.

We are Respectful

We respect those we work with and liaise with; this means that we actively listen to others and behave considerately towards others. We have self-respect and make responsible choices in what we say and do, to reach personal and organisational outcomes. We treat others in the way we want to be treated.

We are Energetic

We are enthusiastic and approach our activities with vigour and vitality.

01 The people of Jersey are provided with a high level of data protection and expert service whilst resources are judiciously and responsibly managed.

To achieve this outcome, we will:

Implement a public education programme making individuals aware of their data protection rights while facilitating public authorities and businesses in complying with their responsibilities.

Work collaboratively with businesses, organisations, charities/not-for-profit and public authorities to assist them with meeting their legal obligations, while promoting innovation in service to the public.

Implement an effective and fair enforcement programme.

02 The Island's approach to data protection clearly contributes to its reputation as a well-regulated jurisdiction.

To achieve this outcome, we will:

Demonstrate an ethical approach and a commitment to regulatory excellence at all times in all of our interactions, both locally and internationally.

Take advantage of all appropriate opportunities to speak in both local and international venues.

Collaborate with other data protection authorities internationally and other regulators in Jersey on investigations and the development of guidance material.

03 Jersey is recognised as a world leader, embracing innovation to safely develop and implement digital technology.

To achieve this outcome, we will:

Bring an innovative and solutions-focussed approach to all data protection issues that promotes compliance, as well as business and public policy success.

Develop the technical expertise necessary to participate effectively in forums involving data protection and technology and to anticipate technological developments on the horizon that may have data protection implications.

Collaborate with stakeholders in implementing a regulatory sandbox to facilitate the development of new technologies for processing personal data safely and securely.

Statement from the Chair

Jacob Kohnstamm

Chair, Jersey Data Protection Authority

Once again, it is my pleasure on behalf of the Jersey Data Protection Authority (the Authority) to present to the Minister and members of the States Assembly our Annual Report for 2021. This fulfils our statutory obligation under Article 44 of the Data Protection Authority (Jersey) Law 2018.

In last year's report, I spoke of the extraordinary challenges 2020 brought as we attempted to navigate the previously uncharted waters of a global pandemic. As well as the increased workload created by the many privacy issues surrounding track and trace regimes, we endured the social interruption of not being able to meet in person. The Covid situation also meant that we were unable to say a proper farewell to our outgoing Information Commissioner, Dr Jay Fedorak, who completed his three-year term in July. Jay has been instrumental in leading the Jersey Office of the Information Commissioner (JOIC) into the post-GDPR era, having built an excellent team and foundations for the future of the Authority. We thank him sincerely for his hard work and dedication to privacy and data protection and wish him well in his new venture as a private consultant operating from his hometown in British Columbia.

As one door closed, another opened, with our new Information Commissioner, Paul Vane, stepping into the role in July. Similarly, we were not able to formally welcome Paul in person, however we are delighted that Paul will be leading the JOIC into the next chapter and continuing to strengthen the organisation as we deal with the challenges of emerging technologies and Artificial Intelligence (AI).

Last year I also spoke of the importance of the Government of Jersey (Government) recognising data protection as a fundamental human right. As I stated then, a key value of data protection is the principle of fairness, which extends to the work of the public sector as well as private enterprise.

Currently, the private sector provides 80% of the funding of the Authority, with Government paying the remaining 20% by way of a grant. However, Government is the largest user of personal data, much of which is also personal data of a sensitive nature. Citizens have little choice but to relinquish control of their personal data if they are to fully participate in society. It is therefore incumbent upon Government to recognise that there are compelling reasons to pay their fair share of the cost of regulating data protection in Jersey. Discussions on a more appropriate funding mechanism commenced in 2021, however there has been no marked step forward in resolving this issue at the time of writing. The fact remains that the private sector pays the majority of the Authority's funding, which in the long term may prove problematic in terms of the independence of the Authority. The year ended on a more positive note however, with the Minister recognising that a resolution to this issue should be a high priority in 2022.

In terms of our personal privacy, there is a sense that privacy is something we no longer have control over. Unlike many things in life, privacy is an intangible asset which we cannot easily see. That makes it more difficult to quantify or place any tangible value upon. New emerging technologies and concepts such as artificial intelligence seem far from the grasp of the everyday individual, whereas the business sector and the public sector can more readily see the benefits of AI to their human resources, productivity and profit margins. Our Authority works a lot with businesses to ensure they have the appropriate policies, procedures and technical and organisational measures in place to protect the personal data they hold about their customers. However, it is our intention to focus more on citizens to provide them with the necessary tools and education to better protect their own personal data.

The volume of personal data recorded by governments and big tech companies in the fight against and response to Covid has been unprecedented. The silver lining is that the pandemic has woken many individuals and communities to this high level of data processing, questioning the public benefits of such large-scale processing and how this impacts personal privacy. Individuals are beginning to place greater value on their personal data. There is no doubt that in the midst of a global crisis, data sharing for the public good is of paramount importance. However, such processing should not be at the expense of privacy. Governments, organisations and Data Protection Authorities (DPAs) such as ours have a shared responsibility to ensure privacy is considered throughout the data processing lifecycle and individuals are afforded the fundamental right of data protection. DPAs cannot and should not be expected to do it alone.

Returning finally to the pandemic, in addition to the national lockdowns imposed upon many jurisdictions, the global coverage of our Authority members gave rise to difficulties in travelling to Jersey. As a result, our Authority meetings were forced to move online across different time zones and like most, we learned quickly to adapt to online video conferencing platforms to carry on our business. This continued into 2021 as the second and third waves of Covid continued to prevent us from travelling and thus meeting in person. Technology has proved invaluable in bringing the Authority together in a virtual boardroom and has been an adequate substitute to physical meetings. However, teams work well with face-to-face contact and over the preceding months we have very much missed the human contact. The social element to any work forms a critical part of our team cohesion and effectiveness. It has been nearly two years since we were last together in person, and as I often say jokingly, there is no such thing as a virtual beer! We look forward to a time in the near future when our Authority can once again be together.

Looking ahead, we will continue to strengthen our infrastructure and strategic capabilities with investment and focus on three key areas: enhancing the resilience and reporting capabilities of our technology infrastructure, continued development of our supervision and oversight activities and the development of a data stewardship regulatory framework in collaboration with other agencies and industry stakeholders in support of Jersey's aspiration to be a leading jurisdiction for data trusts.

Jacob Kohnstamm

Chair, Jersey Data Protection Authority

Information Commissioner's Foreword

Paul Vane BA(Hons) Soc Pol Crim (Open)

Information Commissioner

It is with immense pride that I present my first Annual Report as Commissioner under the Data Protection Authority (Jersey) Law 2018 and Freedom of Information (Jersey) Law 2011. The Jersey Office of the Information Commissioner has come a long way in the three years since the European General Data Protection Regulation (GDPR) came into effect along with our new laws in Jersey, and I would like to take the opportunity first of all to thank my predecessor, Dr Jay Fedorak, for his leadership, support and expertise in steering the organisation to where it is today. Jay will be missed by all of us here and we wish him every success in his new role in his homeland of Victoria, BC.

2021 was a year when we all hoped we would see a return to normality following the previous 12 months of the pandemic. However, I have always said that the concepts of normality and privacy are very alike, in that people's ideals of privacy and what can be considered normal are personal to the individual. In reality, we saw little change at the beginning of the year as Covid case numbers increased and new variants emerged. The JOIC faced similar Covid related issues in respect of data security when working from home, contact tracing and the proposed introduction of Covid vaccination certificates. The team worked hard to ensure guidance was up to date, relevant and on hand to provide advice where needed. The effectiveness of the JOIC's suite of guidance was recognised by the Global Privacy Assembly[14] (GPA) at their international conference in October and I was asked to present on Jersey's response to the pandemic to the GPA Covid-19 working group. A number of the group's members adopted the Jersey guidance for their own authorities. Examples like this highlight the importance of our participation in international discussions around data protection and put Jersey on the international data protection map. I am extremely proud of my team for their agility, working at pace to produce a suite of guidance whilst facing their own challenges brought about by the pandemic. It also demonstrates that even as a small island jurisdiction, Jersey can have an influence on international policy development.

In terms of our other activities throughout the year, case investigations continued to dominate much of the team's work. By far the largest proportion of casework undertaken in 2021 related to complaints against the public sector. 29% of all complaints received were made against public sector organisations, with many relating to issues around data security, data sharing and lack of response to data subject access requests. In terms of self-reported data breaches, the financial and professional services sector made the largest proportion of reports. This appears to reflect their familiarity with working to a regulator driven compliance framework and speaks well to the strength of their internal controls. Whilst few complaints or breach reports were of a level that warranted any formal sanction from our office, the team used the opportunity of intervention to help educate organisations on how to improve their processes and avoid future similar occurrences.

For the first time in 2021, and despite the challenges presented by the pandemic, we completed our first compliance audits, focusing on the high-risk data processing activities, such as those organisations holding more sensitive, health-related information. The team audited 26 organisations with the aim of improving levels of data protection compliance across that sector. This first tranche of audits represented a tangible success for both the sector concerned and our office, with both benefitting greatly from the experience. Our aim for 2022 is to expand this aspect of our responsibilities significantly.

Again, despite the limitations imposed by the pandemic, we continued to adapt our education and outreach programme, combining online delivery with in person events and awareness sessions. We successfully launched our Board Support Squad initiative as well as our Let's Go DPO workshops and continued our school's education programme and industry awareness talks.

Perhaps one of the highlights of our events calendar for 2021 was our first debate, "Your Privacy - A price worth paying?" which attracted over 100 attendees. The event promoted some deep discussion about how much of our privacy we are willing to trade for the goods and services we all expect and need. However, the overwhelming highlight for me was the inclusion of some of the Island's young people in the discussions, who provided a different, but hugely relevant perspective. We all learned a thing or two from their presence and will continue to involve our young people in future events.

Other areas of focus during 2021 included the much-debated topic of international data transfers, particularly in light of the events of the previous two years, namely Brexit, the decision of the Court of Justice of the European Union to invalidate the EU-US Privacy Shield in 2020 and the introduction of updated Standard Contractual Clauses by the European Commission.

Whilst these three factors may not mean a lot to the average person on the street, the impact of these is far reaching. Transferring personal data out of Jersey is critical to the stability of our economy and a major part of the day-to-day activities of many local businesses, particularly the finance industry. The public sector is also reliant on cross-border data transfers for some of its back-office functions, so it is easy to understand why any potential barriers to transferring data can cause such anxiety in a small jurisdiction like ours. Our office has been working hard to monitor international developments in this rapidly changing area. In September last year, we set up a working group in collaboration with our colleagues at Jersey Finance Limited to explore the issues faced by Jersey businesses, the impact on Islanders and look at options for a practical way forward. These discussions are ongoing, and I look forward to sharing the results of those discussions in next year's report.

Returning to our international work, since the re-establishment of the GPA in 2018, the JOIC has become an active member of several working groups, ranging from enforcement cooperation, digital education, artificial intelligence and data sharing for the public good. Our participation in all of these helps to shape our own strategies whilst ensuring a consistent approach with our international colleagues.

Artificial Intelligence and the continued advancement in technology and the internet is an important and growing area giving rise to many privacy issues. It is critical our office is involved in these discussions as much as possible to both influence and be influenced by our international colleagues and privacy experts. This will improve our own understanding of the impact of AI and shape how we can best educate Islanders and local businesses for the overall benefit of the Island.

In addition to the GPA, the JOIC has continued to be involved in other international forums and data protection networks. We now have a presence on a number of other international groups, including the Association francophone des autorités de protection des données personnelles[15] (AFAPDP), the Global Privacy Enforcement Network[16] (GPEN), the International Association of Privacy Professionals[17] (IAPP), and the British, Irish and Islands Data Protection Authorities Association (BIIDPA).

Keeping an eye on the international data protection arena has become a fundamental part of our work at the JOIC and essential to fulfilling our strategic outcomes. Thanks to rapid technological advancement and the growth of the internet, the ease of movement of data has improved greatly and the accessibility and availability of data has improved significantly. As a result, the value of personal data has increased exponentially, and the controls required to protect data have strengthened as the risks associated with data transfers increase. Working together as a global data protection community benefits both businesses and individuals alike, and it is therefore critical to our Island future that Jersey continues to have a voice on the global stage.

The JOIC remains committed to ensuring our Islanders and those who interact with Jersey organisations are afforded the very highest standards of data protection for this generation and those to follow as we strive to add real value to our Island's health and prosperity and achieve our long-term vision whereby thinking privacy becomes instinctive.

Paul Vane BA(Hons) Soc Pol Crim (Open)

Information Commissioner


The Chair and voting members are appointed by the Minister.

The Information Commissioner is the Chief Executive and:

The Information Commissioner has the delegated responsibilities of the Authority, undertakes the functions of the Authority under the Data Protection Authority (Jersey) Law 2018 (DPAJL) and the Data Protection (Jersey) Law 2018 (DPJL) other than, the issuing of a public statement under Article 14, the making of an order

The Authority is established to undertake a variety of key activities which includes promoting public awareness of risks and rights in relation to processing, especially in relation to children and to raise awareness of controllers and processors of their obligations under the data protection laws. It is also incumbent upon the Authority to

THE JERSEY DATA PROTECTION AUTHORITY

Governance, Accountability & Transparency

Authority Structure & Authority Report

The Jersey Data Protection Authority

The Authority is currently comprised of a non-executive chair and five non-executive voting members.

The Authority meets at least four times per annum. The Authority operates sub-committees to ensure that relevant matters can be addressed fully, and recommendations taken back to the main Authority meetings.

The Authority has responsibility to:

Ensure that the Jersey Office of the Information Commissioner (JOIC) remains accountable to the people of Jersey, in properly fulfilling its mandate and delivering quality services to its stakeholders.

Ensure that the JOIC provides value for money and complies with appropriate policies and procedures with respect to human resources, financial and asset management, and procurement. This includes formal approval of any single item of expenditure in excess of ten per cent of the operating budget for the JOIC.

The Authority also provides an advisory function to the JOIC. With a balance of expertise in data protection, governance, and local knowledge of the Jersey Government and industry, the Authority provides strategic guidance to the JOIC with respect to fulfilling its mandate effectively and efficiently.

Jacob Kohnstamm: AUTHORITY CHAIR

David Smith, Gailina Liew, Clarisse Girot, Paul Routier MBE, Helen Hatton: AUTHORITY VOTING MEMBERS

INFORMATION COMMISSIONER

Delegation of Powers

There are certain functions that the Authority Law stipulates that the Authority must perform itself, and which cannot be delegated to the Information Commissioner. The most important function is that only the Authority can decide whether to issue administrative fines for contraventions of the Law. While the JOIC will make the official finding in each case as to whether a contravention has occurred, it is the Authority that will determine whether a fine will be applicable and the value of that fine.

There are other powers and functions that the Authority may exercise under the Law, most notably:

Enforcing the Law.

Promoting public awareness of data protection issues.

Promoting awareness of controllers and processors of their obligations.

Cooperating with other supervisory authorities.

Monitoring relevant developments in data protection.

Encouraging the production of codes.

Maintaining confidential records of alleged contraventions.

The Authority has delegated all these other powers and functions to the Information Commissioner.

T H E J E R SAE Y D ATA P R O T E Cs Te Ir Ove Nd   Aa Us  Tc Hha Oi Rrm Iuthority Ta Yn of the Dutch Data  VDTENURED2ftoh0aOre1v8aTiIdCaIf aONujnorda Gitnhnhvid Smith eed Aadrs Uitttrswh Teeop HcreAye Oneudta Rtelhyrc Isoe Tbrusei Yntseyotn Miril nsr2 E,eO8sa MecpOtr Bpocvtoib Eoni e Rnbgrte Rienrd afovuarrpierteyv ioofudsactoam pmroitsescitoinoenr rso.les, under CJacHAIR OFob KTHE AUTHORohnstammITY As Deputy Commissioner David

MTENURECoHtTENUREhhfefieacaiArelsrstuoiincn slcteeielr 2v2M9e4 adDMyaaa2tsay0 v 12Pi 8c0r,eo2c  4tcue.hrcrat eiior nmnt ember  paWneor oriokf  dinog f  PcPUfSooahrnromreittofyoepinscuof.otarsPirloeyrsdnsieooi axoArar ufys t woettahheatnoelrhldsr-ac;iktthhtin,heoaJoesaisrwtcsiaenon ddob tfivf ht isgahseeuloalrrErt veD yuearibdnotoapat dhesyaevnic e  2EXPERIENCEDetUh0xaKep2vI3eir nd.or ftl oi,esrf moaolnf aloDtiwin eodipnneu gCpt yoseh  mniCsdomremein stmti sr idei osamsntieeaorn  np ster fro Or taofe fitmc ctt e hio en  hpelfiaptehnarrosaeosdfsidtotgiDetioranniaccvodigetfitenmiamcortshaoiPneninenrgniaotshittctntrhtetrrotiaeoecrvlt ogeftiGiitidvaoimieeenlunnlsecfiset,D,thhnriisinoaeareueclnpscIlcD C.iucontHOaedifgvtse it saensth p .hfdgPeulearailUottlyUsyatKeKedsc tion EXPERIENCE  chairman of the Executive Committee  (ICO) in November 2015.  Regulation and represented the ICO on

Jacob has 18 years experience in  of the International Conference of Data  the Article 29 Working Party of European the field of data protection, having  Protection and Privacy Commissioners  David spent over 25 years working with  Supervisory Authorities set up under

Protection Authority for 12 years. conference in Amsterdam in 2015.

VOTING AUTHORITY MEMBER

Gailina Liew

TENURE

Gailina joined the Authority in October 2018 and has recently been reappointed for a further three years until 28 October 2024.

EXPERIENCE

Gailina is a broadly-experienced independent non-executive director with a legal, scientific, operations and international business executive background. She is interested in the evolving frameworks for the regulation of privacy, data protection and their intersection with the ethical use of technology, human behaviour, artificial intelligence, and the future of human society.

Gailina brings more than 20 years of board governance experience and data protection perspectives from the listed company, investment fund, human health, economic development, education, regulatory, adjudication and voluntary sectors to the Jersey Data Protection Authority.

VOTING AUTHORITY MEMBER

Clarisse Girot

TENURE

Clarisse joined the Authority in October 2018 and has recently been reappointed for a further three years until 28 October 2024.

EXPERIENCE

Clarisse is a seasoned data privacy and Asian law expert and has unique expertise in the area of the regulation of international data flows.

world of data protection globally, having been involved in major international cases in data protection and privacy.

VOTING AUTHORITY MEMBER

Helen Hatton

TENURE

Helen joined the Authority on 1 August 2019 for a period of three years. Her current term of office is due to expire on 31 July 2022.

EXPERIENCE

Helen is widely recognised as the prime architect of the modern Jersey regulatory regime. Helen retired as Deputy Director General of the Jersey Financial Services Commission in May 2009 having led the implementation of regulatory development in the Island from its blacklisted state in 1999 to achieving one of the world's best International Monetary Fund (IMF) evaluation results.

VOTING AUTHORITY MEMBER

Paul Routier MBE

TENURE

Paul joined the Authority on 1 August 2019 for a period of three years. His current term of office is due to expire on 31 July 2022.

EXPERIENCE

Paul was an elected member to the States of Jersey for 25 years and Assistant Chief Minister for a period of this time. During this time, he was responsible for working with officers and the public to develop a number of policy documents and legislation covering a wide cross section of commercial and social issues. Before presenting any new legislation to the States Assembly, he made it a priority to ensure that a satisfactory public consultation had been done.

During his final term of office, he successfully led the debates in data protection legislation which, after gaining the support of States Members, led to the establishment of the Data Protection Authority. He also led the time critical political work in negotiating the final version of the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018 which are in force today.

Further details regarding the Authority members' external appointments can be found at www.jerseyoic.org/team

THE JERSEY DATA PROTECTION AUTHORITY

Governance Report

The Authority is committed to ensuring a high standard of governance and all members are expected to conduct themselves in accordance with the Seven Principles of Public Life.

Standards in public life: Accountability, Openness, Selflessness, Honesty, Integrity, Leadership, Objectivity.

2021 Authority Members Remuneration

The Authority voting members received, in aggregate, £61,427 in remuneration in 2021. Further details regarding the Authority voting member remuneration can be found at page 76.

Performance Evaluation and Re-appointments

The Governance Committee has established an Authority performance evaluation process which is based on an internal annual peer review of performance by voting members with an independent external review contemplated for every third year. The first internal performance evaluation took place in 2021.

The Chair's first three-year term of office expired on 24 May 2021 and three Jersey Data Protection Authority members' terms of office expired in the autumn of 2021. The outcome of the performance evaluation provided evidence upon which the Chair based formal letters to the Minister to recommend the reappointment of three Authority members. The Chair was also recommended to the Minister for reappointment based on a rigorous individual performance review.

The Governance Committee has also established a self-assessment process to survey the breadth of skills, knowledge and experience of Authority voting members. This process was undertaken for the first time in 2021 to generate a Skills Matrix for the Authority. The Skills Matrix reflects a broad mix of skills, knowledge and experience across the primary areas of governance, sectoral skills and personal attributes that are appropriate for the Authority's mandate.

Diversity of the JDPA

The six voting members of the Authority reflect a balance between male and female members, different nationalities, ranging in age from late 40s to early 70s, with a broad mix of formal education and professional qualifications including law, IT, sciences, business administration, education and teaching.

The following table sets out the number of full Authority and Sub-Committee meetings held during 2021 and the number of meetings attended by each voting Authority member.

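| | Full Authority | Audit and Risk | Governance | Remuneration & Human Resources |
|---|---|---|---|---|
| Number of Meetings | 5 | 7 | 4 | 2 |
| Clarisse Girot | 5 | - | 4 | - |
| Helen Hatton | 5 | 7 | - | - |
| Jacob Kohnstamm | 4 | - | 4 | 2 |
| Gailina Liew | 5 | 7 | 4 | - |
| Paul Routier MBE | 5 | - | - | 2 |
| David Smith | 5 | 7 | - | - |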

Authority Sub-Committees

Audit & Risk Committee (ARC)

The voting members who comprise the ARC are:

Helen Hatton (Chair) / Gailina Liew / David Smith

The Audit & Risk Committee's mandate is to advise and make recommendations to the Authority. The purpose of the ARC is to:

- Assist the Authority in its oversight of the integrity of its financial reporting, including supporting the Authority in meeting its responsibilities regarding financial statements and the financial reporting systems and internal controls.
- Monitor, on behalf of the Authority, the effectiveness and objectivity of external auditors.
- Provide input to the Authority in its assessment of risks and determination of risk appetite as part of the overall setting of strategy.
- Assist the Authority in its oversight of its risk management framework.

Governance Committee

The voting members who comprise the Governance Committee are:

Gailina Liew (Chair) / Jacob Kohnstamm / Clarisse Girot

The Governance Committee's mandate is to advise and make recommendations to the Authority. The purpose of the Governance Committee is to:

- Keep the Authority's corporate governance arrangements under review and make appropriate recommendations to ensure that the Authority's arrangements are, where appropriate, consistent with best practice corporate governance standards.
- Lead the process for appointments ensuring plans are in place for the orderly succession to the Authority.
- Review the balance, structure and composition of the Authority and its committees. Its role also encompasses the selection and appointment of the Authority's senior executive officers and voting members of the Authority and giving full consideration to succession planning and the skills and expertise required to lead and manage the Authority in the future.

Remuneration & Human Resources Committee (R&HR)

The voting members who comprise the R&HR Committee are:

Paul Routier MBE (Chair) / Jacob Kohnstamm

The Remuneration & Human Resources Committee is mandated to advise and make recommendations to the Authority, with the purpose of:

- Assisting the Authority in ensuring that the Authority and Executive retain an appropriate structure, size and balance of skills to support the organisation's strategic outcomes and values.
- Assisting the Authority in meeting its responsibilities regarding the determination, implementation and oversight of remuneration arrangements to enable the recruitment, motivation and retention of employees generally.
- Overseeing arrangements for appointments (including recruitment processes) and succession planning.
- Assisting the Authority by reviewing and making recommendations in respect of the remuneration policies and framework for all staff.

Each Sub-Committee Chair reports back to the Authority, making recommendations for consideration.

Organisational Structure

[Organisational chart: Authority Chair (Jacob Kohnstamm); Authority Voting Members (David Smith, Gailina Liew, Clarisse Girot, Paul Routier MBE, Helen Hatton); Information Commissioner; Director of Operations; HR Consultant; External Legal Counsel; Finance Manager; Office Manager; Compliance and Enforcement Manager; Policy & Research Lead; Finance Team; Communications Team; Casework Team.]


PRINCIPAL AND EMERGING RISKS

The Authority's strategic outcomes are subject to a number of risks and uncertainties that could, either individually or in combination, affect the operational performance of our team.

We identify and manage these and other risks through our risk management framework which is based on our low appetite for risk.

Our low appetite for risk is due to our obligation to fulfil our statutory responsibilities as the independent body promoting respect for private lives. Maintaining trust, independence and reputation is essential for the Authority. Risks are overseen by the Audit and Risk Committee, who monitor risk movements and mitigating actions and relevance to the strategic outcomes. We continue to monitor political and legislative developments and assess the opportunities and threats to enable us to regulate effectively. Risks are scrutinised via a scoring mechanism which is linked to likelihood and consequence.

The following table identifies the principal risks and mitigating actions. The risks are categorised into five main areas.

Summary of Principal Risks

Risk Description: Internal compliance failing to comply with the Data Protection Authority (Jersey) Law 2018 in terms of case management, process and reasonableness of decisions made.
How we manage the risk: Understand our compliance obligations and what this looks like on a practical level. Monitor how we implement and sustain our obligations. Put in place effective and ongoing training, staff feedback, internal audits and reviews.
Covid-19 Response: We understand that data controller/processor resources may be diverted away from usual governance and compliance work. We expect to see timely and transparent communication with data subjects and the Authority.

Risk Description: Perception - industry and Government perception that our effectiveness as a regulator is based on our fining actions.
How we manage the risk: Maintaining consistent and compliant investigation, inquiry and audit processes. Enforcing appropriate and proportional enforcement sanctions.
Covid-19 Response: We meet the standards as required by the Law to ensure consistency and fairness throughout our regulatory activities.

Risk Description: Stakeholder relationships. Maintaining constructive and collaborative relationships to ensure key stakeholders are included in key projects. Maintaining JOIC's credible reputation.
How we manage the risk: Stakeholder mapping exercise coupled with genuine engagement. Regularly reviewing relationships and keeping in touch with industry and Government assists in understanding the privacy playing field.
Covid-19 Response: Outreach to data controllers to support them through Covid.

Risk Description: Maintaining a capable and knowledgeable team. It is essential that the statutory functions of the Jersey Data Protection Authority are fulfilled to the highest standard to maintain credibility and trust.
How we manage the risk: Embedding succession planning throughout the organisation. Building skills and knowledge through personal and professional development. Human Resources strategy aligns with our strategic outcomes. Striving for diversity and inclusion throughout our operational and HR activities.
Covid-19 Response: We care about our team's welfare, especially when working away from the office. Our employee communication and engagement put health and well-being first. We cross-train where possible to ensure resilience and avoid a single point of failure.

Risk Description: Jersey Adequacy - it is essential that the island maintains its adequacy status with Europe to help protect data flows.
How we manage the risk: Ensure that we deliver the relevant activities to help Government maintain adequacy with European Union. Monitor effectiveness of the data protection laws.
Covid-19 Response: Ensure that our Covid communications and advice are exemplary. Contribute to international privacy working groups remotely.

Risk Description: Revenue. The revenue model is delivering sufficient monies to support the necessary activities of the Authority. Any changes in revenue streams from industry or Government funding could impact on our ability to fulfil our regulatory functions.
How we manage the risk: Monitor operational costs and revenues closely. Stakeholder relationships to gauge industry movements.
Covid-19 Response: Organisations ceasing trading impacts on our registration's revenue. New businesses have contributed to the revenues. Finance industry has remained stable throughout the pandemic.

Risk Description: Government funding for Government data protection activities.
How we manage the risk: Frequent reviews. Provide activity data. Protecting our independence as a key priority. Reviewing grant and working agreement.
Covid-19 Response: Government requesting to reduce data protection grant monies to help with Covid activities funding. Authority seeking to ensure that the Government fund their data protection activities.

Risk Description: Cyber threat and Information Security. The Authority recognises that it is a target for cyber threats.
How we manage the risk: Critical applications are only accessible through secure portals requiring layered authentication. We undertake Disaster Recovery exercises to test systems. We employ industry best practices as a fundamental part of our cyber security policies, processes, software and hardware. Cyber awareness training is ongoing within our team.
Covid-19 Response: IT vulnerabilities due to remote working have been evaluated and processes enhanced to protect our critical applications.


All of our activities contribute to the delivery of our strategic outcomes. Our priorities are to ensure that Jersey achieves and maintains the highest standard of data protection.

The following pages review our compliance and enforcement activities in relation to our strategic outcomes. Our communications and outreach activities also contribute significantly to the outcomes and details of these activities are detailed from page 62 of this report.

The vision of the Authority is to create an island culture whereby privacy becomes instinctive, with individuals and organisations taking a proactive approach to privacy and data protection which is embedded throughout their daily activities and business planning. The Authority aims to achieve this by engaging with the Island community to embrace a collaborative and innovative approach to data protection whilst providing a leading-edge model to other, similar jurisdictions.

This vision is an essential pillar to maintaining Jersey's position as a well-regulated, safe place to do business and is of fundamental importance to Jersey's economy, recognising that alongside its traditional agricultural and tourism industries, Jersey is also a globally recognised international finance centre. In addition, maintaining the social well-being of Jersey's citizens by ensuring that individuals' privacy is regarded as a fundamental human right is core to the Authority's focus.

The Authority will strive to promote the data protection rights of individuals, be they our local citizens or international stakeholders, through a practical and ethical approach to business practice and regulation that supports the delivery of public services and promotes the social and economic interests of the Island.

Anne King, Operations Director

The Bailiwick of Jersey boasts a wealth of culture and history. It also has a vibrant blend of economic activities across retail, agriculture and fisheries, legal, tourism, finance and public sector. Each of these areas employs thousands of staff; the finance sector represents 40% of Jersey's economic output. The finance sector is a mature, well-regulated sector which employs over a quarter of Jersey's workforce. The well-established regulatory culture and behaviours of this sector permeates through to the proactive approach and understanding of their data protection obligations. The finance sector represents 28% of the data protection registrations in 2021. The Authority welcomes the approach taken by the finance sector to data protection compliance and, indeed, other sectors that are already well-versed in the obligations surrounding regulatory compliance.

Performance Report

2021 Annual Registrations & Complaints by Sector

| Sector | Registrations | Complaints |
|---|---|---|
| Agriculture & Fishing | 83 | - |
| Animal Husbandry & Welfare | 42 | 1 |
| Charities | 288 | 2 |
| Construction, Trades & Services | 682 | 2 |
| Education & Childcare | 215 | - |
| Faith, Worship & Religion | 45 | - |
| Financial & Professional Services | 1864 | 14 |
| Health & Well-being | 528 | 2 |
| Legal Services | 113 | 7 |
| Leisure & Fitness / Hospitality / Tourism / Travel / Entertainment | 506 | 3 |
| Manufacturing, Wholesale & Retail | 439 | 6 |
| Media, Communication & Advertising | 136 | 1 |
| Professional Bodies / Professional Associations / Professional Consultancy | 261 | 3 |
| Public Authority / Sector, Appointed Regulators & Statutory Bodies | 110 | 26 |
| Real Estate & Property Management | 853 | 1 |
| Social Clubs & Associations | 257 | - |
| Technology & Telecommunications | 211 | 4 |
| Utilities & Delivery Services | 59 | - |
| Unassigned | - | 18 |
| TOTAL | 6692 | 90 |

The Authority continued to demonstrate its operational agility throughout 2021 functioning in a pandemic environment, which meant that our team, data controllers, processors and data subjects were often working from home or in a variety of remote/hybrid locations. These restrictions impacted on our community, generating different challenges and expectations. Laws do not diminish or fall away just because we were still tackling Covid. In fact, we would argue that data protection laws are even more critical bearing in mind that data protection is about protecting the rights and freedoms of people. It supports a well-functioning democracy and protects individuals from the risks of rapid technological change. Data protection helps redress imbalance between the individual and organisations that collect, process and communicate their personal data to third parties.

[Infographic: registrations, complaints and SRDBs by sector]

The infographic highlights a culture of compliance and high level of reporting within the finance and professional services sector. Analysis indicates that they reported high volumes of low-level breaches and this must be considered in light of the fact that this is an industry used to reporting requirements and that takes a pro-active approach to such matters. It is worthy to note that Public Authorities, whilst only 1.6% of our data protection registrations, represent 29% of our annual complaints in 2021 and 22% of our Self-Reported Data Breaches (SRDBs).

The industry sectors representing other volumes of complaints and SRDBs are legal services, manufacturing, wholesale & retail, technology and telecommunications and charities (see table/diagram above). It should be noted that one initial complaint can evolve into several separate cases due to its complexity.

Case numbers have been relatively consistent since 2019 until 2021. The complaint numbers fell during 2021; in part this could be because individuals were not placing as much emphasis on data protection as the pandemic continued to disrupt daily events. Many organisations may be more aware of their data protection responsibilities and responding appropriately to subject access requests.

| Year | Complaints | SRDBs |
|---|---|---|
| 2019 | 145 | 256 |
| 2020 | 140 | 229 |
| 2021 | 90 | 232 |

The JDPA is bound by the Law to investigate complaints and SRDBs. The spirit of the DPJL 2018 is proportionality. Whilst the DPJL provides the Authority with significantly enhanced fining and enforcement powers we are pleased to report that in Jersey none of the cases investigated by our office and involving non-public authority controllers warranted the issuing of an administrative fine.

The DPJL is very prescriptive of the threshold for fining, and so far, we have not had a case that has met those criteria. Jersey does not have the large corporations which we have seen subjected to fines from Data Protection Authorities in other jurisdictions. It is also worthy of note that the number of fines issued in Europe are also very few in total when you weigh those numbers up against the number of cases those DPAs have investigated since GDPR came into force.

Additionally, we believe that a significant proportion of our population remain unaware of their rights under the Law. Experience tells us the more people who understand their rights will exercise them, will know who we are, and will result in more complaints to our office. In turn this means we see more cases where individuals have suffered harm as a result of poor data protection practices. Outreach and enforcement should work in tandem if we are to be at our most effective.

The Authority is an independent regulator and will only impose fines where proportionate and having had regard to the matters it must consider, as set out in the Authority Law, Art.26(2). We always undertake a thorough investigation and/or inquiry process, as detailed in the Authority Law. (The process is detailed on page 43). (We are specifically prohibited from issuing administrative fines against public authorities.)

During the course of 2021, the Authority issued one Public Statement reflecting the fact that the Children's Services Department, Government of Jersey had been found to have contravened Art.8(1)(f) of the Law in that it failed to comply with the integrity and confidentiality principle and ensure that it had appropriate technological and organisational measures in place to ensure the security of the data it processes. It should be noted that had the Authority not been prevented by law from imposing a fine due to the Controller being a Public Authority, the Authority would have likely considered imposing a fine in these circumstances. The Authority does not make a statement following the conclusion of every piece of regulatory action, rather, and in line with the Authority Law, it will only do so where because of the gravity of the matter or other exceptional circumstances, it would be in the public interest to do so.

It is important to remember our vision is to create an island culture whereby privacy becomes instinctive with individuals and organisations taking a proactive approach to privacy and data protection by it being embedded throughout their daily activities and business planning. In striving to achieve this we pride ourselves on making every touch point with a complainant, an enquirer, an organisation reporting a breach or a registration enquiry an informative and positive experience aimed at fostering a constructive and educational relationship, whereby both parties learn and can exchange information, helping us to understand the challenges faced by industry and the frustrations faced by complainants. That said, we will not shy away from exercising our enforcement powers where warranted, or where the organisation at fault has demonstrated wilful neglect or a repeated pattern of behaviour.



Dealing with the JOIC is a breath of fresh air.

Unlike a lot of other official bodies they treat you like a valued customer.

With a friendly, professional and knowledgeable team, whatever the matter, they are always ready and willing to help.

Well done JOIC. You make working with a Commissioner a most pleasurable experience!

Constructive working relationships allow data controllers and processors to feel sufficiently comfortable to approach us to ask for help and guidance before a situation reaches crisis point. As the Authority Chair stated in 2019:

"I believe that data protection is a team sport. There are many players, and we will only succeed if everyone plays their part, and we work together. The players are the Authority, the Government, businesses, associations, and the public. The Authority is partially referee and partially coach. Like a referee, it interprets and implements the rules. Sometimes it issues warnings - a yellow card - and sometimes issues penalties - a red card. Like a coach, it provides guidance and training as to how to play effectively by the rules. The Government creates the rules through the States Assembly and then must play by those rules. Companies need to learn the rules, set up infrastructure for compliance and then follow the rules."

The JOIC receives a broad range of contacts. We classify them into the following categories:

COMPLAINTS: 90

ENQUIRIES: 119

SELF-REPORTED DATA BREACHES: 232

CONSULTATION REVIEW: 1

FOI APPEAL: 2

FOI ENQUIRY: 3

Schedule 4 of the Authority Law details the process of Enforcement by the Authority in the event it receives a complaint (which can lead to a formal investigation) or conducts an inquiry.

2021 CASE DATA

The volume and type of cases submitted to the Authority is consistent with the pattern of activity over the years since the introduction of the Data Protection (Jersey) Law 2018. The Authority presents this report to demonstrate that we handle each complaint, breach and enquiry with fairness, consistency and respect.

| Year | Complaints |
|---|---|
| 2017 | 55 |
| 2018 | 184 |
| 2019 | 145 |
| 2020 | 140 |
| 2021 | 90 |

The above table shows the number of complaints received by the JOIC over the last five years.

| What were people complaining about? | 2020 | 2021 |
|---|---|---|
| Direct marketing | 3 | 5 |
| I asked for access to/copies of my personal information and I've not received it/they have withheld it from me | 33 | 19 |
| I asked for my information to be rectified/erased/sent to another controller and my request has been refused | 6 | 2 |
| I don't think my personal data is being/has been kept safe | 37 | 14 |
| My information has been shared and it shouldn't have been | 31 | 22 |
| Someone has collected my personal data, but I didn't give it to them | 13 | 9 |
| Unassigned | 17 | 19 |
| TOTAL | 140 | 90 |

Article 19 of the DPAJL summarises the parameters of the Right to make a complaint

An individual may make a complaint in writing to the Authority in a form approved by the Authority if

  1. the individual considers that a controller or processor has contravened or is likely to contravene the Data Protection Law; and
  2. the contravention involves or affects, or is likely to involve or affect, any right in respect of personal data relating to the individual.

Individuals complain to our office about their concerns in relation to the processing and use of their personal information.


Each complaint and self-reported data breach (SRDB) is evaluated using a standard framework as set out in Part 4 of the Data Protection Authority (Jersey) Law 2018

Each complaint and self-reported data breach (SRDB) is evaluated using a standard framework as set out in Part 4 of the Data Protection Authority (Jersey) Law 2018. The JOIC will also use this framework to conduct an inquiry on its own initiative into a likely contravention of the DPAJL, which we may learn about from a whistle-blower or by observing a behaviour relating to the use of personal information by an organisation. The investigation will identify if there has been a contravention of the Law.

Upon receipt, each complaint and self-reported data breach is evaluated to determine whether or not to investigate or conduct an inquiry, as appropriate. The Authority undertakes this evaluation as soon as is practicable and in any event within eight weeks for complaints and as soon as possible for self-reported data breaches.

In the case of a complaint, once the initial evaluation has taken place the complainant is advised in writing whether or not a formal investigation will take place. The complainant has a 28-day window of appeal at this stage if the Authority decides it would not be appropriate to carry out a formal investigation and it may reject complaints if they fulfil certain criteria set out in the Law.

Once the investigation is underway the JOIC will provide updates at least every 12 weeks. The investigation must conclude whether the Law has been contravened (Article 23 of the Authority Law) and, if so, must decide whether or not to impose any formal sanction (although it does not have to do so). The JOIC will then notify the data controller or data processor of the proposed determination which sets out the findings and includes details of any sanctions it is minded to impose, and they are afforded 28 days to provide any representations on those draft findings and/or sanctions.

The JOIC must take into account any representations made before issuing its final determination which will be sent to the data controller or data processor and to the complainant. Both parties have a 28-day period to appeal that final determination to the Royal Court of Jersey.

(The process (right) is almost identical in terms of an inquiry although such obviously does not involve a data subject in the same way.)

As part of our formal investigation and inquiry process, we have the power to issue a formal Information Notice to compel the production of information and the recipient will usually have 28 days to respond.

In the majority of cases such correspondence is requested and responded to directly by email. This is generally quicker and more efficient as most controllers are willing to cooperate fully with the investigation. This often makes for a good relationship between JOIC and the organisation we are investigating.

We would make use of the more formal information notice where we were experiencing resistance from a controller to provide us with the information requested.

[Figure: Investigation Matrix. Flowchart boxes: Inquiry / Complaint; 8 weeks to decide if we are investigating; No Investigation: Notice to Complainant that we are NOT investigating; Investigation: Notice to Controller and Complainant that we ARE investigating/carrying out inquiry; Request additional information within 10 days; Updates every 12 weeks (Controller / Processor / Complainant); Contravention of the DPJL 2018? (No / Yes); Art. 28 Notice; Art. 23 Proposed Determination, including any orders or sanctions; 28 days to submit representations; Final Determination to Controller / Processor / Complainant; both parties have 28 days to appeal; Public Statement.]

Final Determination

To: Controller / Processor / Complainant Both Parties have 28 days to appeal Public Statement

The JOIC's Regulatory Action and Enforcement Policy [7], introduced in 2020, supports the Authority's Strategic Outcomes as detailed above and the Business Plan.

This policy seeks to promote the best protection for personal data without compromising the ability of businesses to operate and innovate in the digital age. It helps to engender trust and build public confidence in how Jersey's public authorities manage personal data.

Throughout 2021, the Authority continued to review and improve its regulatory approach, tailoring any enforcement action appropriately and proportionately to the actual contravention and the harm suffered by the individual. Our philosophy is to work collaboratively with the community to educate and guide data controllers, processors and data subjects to reduce breaches, complaints and contraventions. Whenever we apply sanctions, it must be fair and reasonable in the circumstances.

This policy is based on five key principles:

[7] https://jerseyoic.org/media/l5sfz1s0/joic-regulatory-action-and-enforcement-policy.pdf

2 0 2 1 C A S E O U T C O M E S

Authority Sanctions

The Authority has several tools in its enforcement suite, namely:

Reprimand

Warning

Orders

Public Statement

Administrative Fine

Reprimand

This is a formal acknowledgment that an organisation has done something wrong and is being rebuked for its conduct. This remains on the record of an organisation and could be considered if further incidents occur in the future. Generally, reprimands are issued in tandem with certain other orders, but this is not always the case. For example, whilst there may have been a technical contravention of the Law for which the organisation was responsible, they might have taken steps to put things right and rectify the issues that contributed to the contravention and a formal rebuke may suffice. For example, we issued a formal reprimand where an organisation had failed to consider a staff member's specific request not to share a report which contained special category data. Due to a failure in internal processes, the organisation proceeded and shared the report anyway although ultimately such sharing did not cause any lasting issues for the data subject. Notwithstanding, it was felt that case was serious enough to issue formal reprimand.

Warning

We may issue a Warning when the Authority considers that any intended processing or other act or omission is likely to contravene the Law. A Warning is designed to avoid such a contravention. We have not had occasion to issue any warnings.

Orders

The Authority can make a variety of Orders but we make sure these are proportionate to the actual contravention. During 2021, the Authority issued a range of orders including:

Ordering a controller to provide certain staff members with appropriate training and to report back to the Authority within a stipulated timeframe, confirming that training had been provided, who it had been provided to and with a copy of the course materials, this for review by the Authority.

Keeping a controller under effective supervision for a period of time whilst they updated certain policies, procedures and IT systems and requiring an updating report at the end of that period.

Directing that a controller should respond to a previously unanswered subject access request within a certain timeframe (including providing previously withheld information).

Directing that a controller properly actions a request for rectification, including giving notice to third parties previously in receipt of inaccurate information/information it should not have received.

Public Statement

As with everything it does, the Authority approaches the issuing of Public Statements on a proportionate basis and will only issue a public statement where, because of the gravity of the matter or for other exceptional reason, it would be in the public interest to do so. It does not report on every formal action taken because that is not what the Law provides for and the Authority reserves this power for the most serious cases such as that issued in October 2021 involving a very serious breach of a data subject's special category data by a Government of Jersey entity. This Public Statement involved Orders to update policies and procedures in respect of data sharing and training of relevant staff on these matters and their data protection obligations more generally.

The Public Statement confirmed that a breach of Article 8(1)(f) of the Data Protection (Jersey) Law 2018 had occurred, as the data controller failed to comply with the Integrity and Confidentiality Principle and ensure that they had appropriate technological and organisational measures in place to ensure the security of the data they process.

Administrative Fines

The Authority Law provides for substantive administrative fines and sanctions for contraventions of the Law, but it is our intention to use these as a position of last resort.

In determining whether to impose an administrative fine in accordance with Article 26 of the Law, the Authority will consider:

The nature, gravity and duration of the contravention.

Whether the contravention was intentional or neglectful.

The action taken by the controller or processor to mitigate the loss or damage, or distress suffered.

The degree of responsibility of the person concerned and the technical and organisational measure implemented for the purposes of data protection.

Previous contraventions.

The degree of cooperation with the Authority.

The categories of personal data.

In issuing a fine, the Authority will consider the need for it to be effective and proportionate, as well as to have a deterrent effect. It has not had to issue any fines.

Information Notices

As part of our investigation process and powers under Schedule 1 of the Authority Law, we have the power to issue an organisation with an Information Notice. This imposes a legal requirement to provide us with any information we consider necessary to assist us in any investigation or inquiry.

An Information Notice requires we give the data controller 28 days to provide the requisite information. This is a lengthy and formal process. Often upon receipt and analysis of the requested information, we have further questions which results in a follow up Information Notice. It will be clear that such exchanges can take a number of months.

Therefore, we tend to use the Information Notice for the more complex/serious cases or where there is reluctance from a data controller to engage with us at an early stage.

A third of the breaches reported to us were from the financial and professional services sector.

It should be noted that this sector has a culture of reporting and monitoring breaches throughout their activities. Article 20 of the Law states that:

In the case of a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach in writing to the Authority in the manner required by the Authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

2021 data breaches: 52% self-reported. 2020 data breaches: 47% self-reported.

From our records it is evident that just under half of the reported breaches were "unlikely to result in a risk to the rights and freedoms of natural persons". However, we continue to encourage organisations to report breaches to enable us to understand the breach landscape in Jersey to help shape our guidance and advice.

As previously noted, we take every opportunity to educate and support the organisation reporting a breach. Breaches can be traumatic for organisations to manage and carry serious reputational damage for businesses. The JOIC team works sympathetically, yet professionally, when responding to breach reports.

Most reported breaches do not warrant the conducting of a formal regulatory response and/or the imposition of a formal sanction. However, the Authority may impose an administrative fine in a case of deliberate, wilful, negligent, repeated or particularly harmful non-compliance. It is important to note that failing to report a breach, where required, could result in a severe penalty.

To help mitigate the possibility of increased breaches as our community adapted to working from home (either wholly or in part) in response to the Covid pandemic, we maintained a vibrant and broad range of relevant guidance. We improved and regularly updated our Covid website hub, recognising this resource was vital in helping organisations by providing timely and effective communication to support the business community to remain compliant.

We were very proud to be commended by the Global Privacy Assembly8 (GPA) at their international conference in October for our work in this area and it was suggested that other data protection authorities refer to our guidance.

Investigating self-reported data breaches represented 52% of our Compliance and Enforcement caseload during 2021. In 2020 self-reported data breaches made up 47%.

9 https://globalprivacyassembly.org/

BREACH REPORTING

Types of Breaches Reported in 2021

| Type of breach | Number reported |
| --- | --- |
| Unauthorised disclosure | 168 |
| Unassigned | 2 |
| Alteration | 3 |
| Destruction | 1 |
| Lack of availability/access | 1 |
| Loss | 11 |
| Unauthorised access | 46 |
| TOTAL | 232 |

Of the breaches reported in 2021, one resulted in a formal inquiry and a determination that there had been a contravention of the Data Protection (Jersey) Law 2018.

Of the remaining self-reported data breaches, many did not cross the threshold for reporting to the Authority and were of a minor nature. Once reported, the Authority makes enquiries of the data controller to obtain a full picture of the breach that has occurred, and what steps have been taken by the organisation to deal with the breach and, where appropriate, stop similar occurrences in the future.

Specifically:

168 self-reported data breaches were due to unauthorised disclosure (e.g. emails sent in error) but in all circumstances, the breaches were appropriately mitigated, presenting no risk to the data subject.

Of the remaining 64 incidents there were a number of different issues including malware, phishing attack, lost data and technical/procedural errors leading to breaches. In all circumstances, the breaches were appropriately mitigated, presenting no risk to the data subject.

As indicated above, there is an element of over-reporting self-reported data breaches of matters that do not necessarily need be reported, but, at present we do not discourage such reporting as it gives us an opportunity to identify patterns and offer guidance, support and words of advice to organisations to help increase understanding and improve their internal processes (including educating on breaches that reach the threshold criteria for reporting).

ENFORCEMENT AUDITS

One of our key 2021 business plan deliverables was to assess the level of compliance of data protection in Jersey. To help achieve this we exercised our power to conduct data protection compliance audits to begin to assess the percentage of businesses reaching a competent standard of data protection practice in certain key areas.

The primary purpose of the enforcement audit is to provide the Authority with an insight into the extent to which the audited entities are complying with the particular areas audited and highlight any deficient areas in their compliance.

We faced the challenge of carrying out this function whilst in the midst of ongoing pandemic restrictions.

The first tranche of audits started in November 2020 and were completed in January 2021. We undertook the second tranche of desktop audits in June 2021 and completed these in November 2021. We took a risk-based approach to selecting the industry sector to audit first. The industry area selected processes a high volume of special category data and it was felt could most benefit from a targeted audit following issues that had been raised against controllers in that sector.

Article 22 (7) of the Data Protection Authority (Jersey) Law 2018 details our power to conduct or require data protection audits:

1. The Authority may

(a) conduct a data protection audit of any part of the operations of the controller or processor; or

(b) require the controller or processor to appoint a person approved by the Authority to

(i) conduct a data protection audit of any part of the operations of the controller or processor, and

(ii) report the findings of the audit to the Authority.

2. The Authority must specify the terms of reference of any audit carried out under sub-paragraph (1).

3. The controller or processor concerned must pay for an audit required under sub-paragraph (1)(b).

Thus prior to undertaking compliance audits of any nature we are required to carefully consider and document the audit terms of reference.

The following is an extract from the information passed to the data controllers being audited in both tranche one and tranche two.

Scope/terms of reference

We are required to specify the terms of reference of the audit.

The compliance audits we conduct are mandatory for recipients to complete. That said we are very keen to work with the industry to help improve data protection compliance and forge a positive, collaborative relationship. The audit scope is limited to the following matters and seeks to gauge the controller's compliance with appropriate data protection principles and obligations:

Transparency, lawfulness and fairness. Article 8(1)(a) of the DPJL requires personal information to be processed lawfully, fairly and in a transparent manner in relation to the data subject. In other words, how does the relevant controller demonstrate that they are able to explain to data subjects what information is being collected, for what purpose and what is done with it, etc.

Integrity and confidentiality: Article 8(1)(f) of the DPJL requires that personal data are processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. We will ask about personal information breach provisions and what policies/procedures the controllers have in place to deal with breaches should they occur.

The broader aspects of data protection management and staff training.

Respondents were asked a range of simple questions to assess their compliance, for example, existence of an appropriate privacy policy, staff training and the use of an internal data breach log. We also requested documentation to evidence the responses given. We assessed each response fully and a Red-Amber-Green (RAG) indicator rated each controller. At the end of the process, we looked at all the data to assess common themes.

One common issue was the suitability of data protection training and the appropriateness of its delivery. We found that training was infrequent and did not reflect the local data protection law. We provided supportive guidance and suggestions as to how each audited organisation could better protect their clients and staff with more relevant and timely training, not necessarily relying on just an online platform.

Encouragingly, this was the only common issue identified in the first audit tranche.

All of the audited organisations engaged fully with our office and responded to the guidance and recommendations offered. Their training plans were updated to reflect the needs of the organisation and we were satisfied with the improvements made.

In the second tranche of audits carried out between June 2021 and November 2021 we audited 25 organisations from one business sector using the same online process, using the same terms of reference with slightly modified questions to better reflect the industry sector.

This industry sector revealed that a frequent issue was the quality of privacy policies. The Privacy Policy/Notice is a key document as it lets employees, customers, suppliers and contractors know that organisations take their privacy responsibilities seriously. It spells out how organisations use personal information and what individuals can do if they would like clarification as to how that information is being used. The policies which existed and were shared as part of the second tranche of audits highlighted that often they failed to contain the specified information required in Article 12(4) of the DPJL.

Again, all of the responses were reviewed thoroughly and feedback given where appropriate. We worked closely with the organisations in question to provide guidance that would assist them in preparing a privacy policy that would be fit for purpose for their organisation without actually preparing it for them.

Overall, the standard of compliance we found was encouraging. Where issues were identified, the feedback from our office was well received and any issues identified were generally dealt with promptly.

Undertaking compliance audits is a detailed and resource intensive activity. However, the results are essential to help us to fulfil our strategic aim of achieving and maintaining the highest standard of data protection in Jersey.

We will significantly enhance our audit capability, frequency and breadth from 2022 onwards following our investment in audit software, team recruitment and training.

The Freedom of Information (Jersey) Law 2011

The Freedom of Information (Jersey) Law 2011 (the FOI Law) provides the public with a legal right for individuals to request access to, and be provided with, information held by Scheduled Public Authorities (SPA).

This covers information recorded in any form held by a SPA and includes printed documents, computer files, letters, emails, photographs, and sound or video recordings. SPAs covered by the FOI Law include Government of Jersey departments, Parishes, States of Jersey Police and Andium Homes.

The aim of the FOI Law is to promote a culture of openness and transparency across the public sector, improve accountability and promote good governance by providing individuals with a better understanding of how SPAs carry out their duties, make the decisions they do and spend public funds.

(The FOI Law does not give individuals a right of access to their own personal data because this right is available under the DPJL.)

Our role in regulating the FOI Law includes the following functions:

To encourage public authorities to follow good practice in their implementation of this law and the supply of information.

To supply the public with information about the Law.

To deal with appeals.

An applicant who is dissatisfied with a decision of a SPA in responding to their request may, within six weeks of the notice of that decision being given or within six weeks of the date the applicant has exhausted any complaints procedure provided by the SPA, appeal to the Information Commissioner on the basis that the decision of the SPA was not reasonable.

The Information Commissioner must decide the appeal as soon as is practicable but may decide not to do so if satisfied that:

The applicant has not exhausted any complaints procedure provided by the scheduled public authority.

There has been undue delay in making the appeal.

The appeal is frivolous or vexatious; or

The appeal has been withdrawn, abandoned or previously determined by the Commissioner.

The Commissioner must serve a notice of his or her decision in respect of the appeal on the applicant and on the SPA. This is done by way of a formal Decision Notice that will set out:

The Commissioner's decision and, without revealing the information requested, the reasons for the decision; and

The right of appeal to the Royal Court conferred by Article 47.

In each case, the Commissioner conducts a formal appeal process adhering to the principles of administrative fairness and the laws of natural justice. Both sides are provided with an opportunity to make formal written submissions in support of their position. The Commissioner presumes that when making its submissions, each party is providing their full and complete arguments and all relevant evidence in support.

The Commissioner issues a Decision Notice based on the submissions of the parties, the precise wording of the legislation and any relevant case law. The decision is objective and includes adequate reasons. If a party is dissatisfied with the Decision Notice, the only avenue of appeal is to the Royal Court. The Royal Court may review the Commissioner's decision to determine whether it was reasonable.

The Commissioner's team also provides informal advice and assistance to both members of the public and SPA prior to any formal appeal.


2021 Operational Performance and Appeals

The Central Freedom of Information Unit of the Government of Jersey reported that it received 1,130 valid FoI requests during 2021.

The increase in requests from 2020 to 2021 appears to have been generated by individuals seeking information on topical health and political issues:

Fishing licences

Planning - Skatepark and Ann Street

Covid-19

Health treatments

Track and trace

Drones

Vaccines

Deaths

PCR testing

Freedom Of Information Statistics

| Department | 2020 | 2021 |
| --- | --- | --- |
| Office of the Chief Executive | 100 | 74 |
| Infrastructure, Housing & Environment | 157 | 180 |
| Children, Young People, Education and Skills | 71 | 70 |
| Health and Community Services | 173 | 216 |
| Justice and Home Affairs | 74 | 123 |
| Judicial Greffe | 14 | 18 |
| Customer and Local Services | 31 | 91 |
| States Greffe | 21 | 24 |
| States of Jersey Police | 62 | 81 |
| Treasury and Exchequer | 48 | 67 |
| Strategic Policy, Planning and Performance | 36 | 101 |
| Chief Operating Office | 93 | 85 |
| Total Valid Requests | 880 | 1130 |

Significant 2021 Decision Notices

We issued two formal Decision Notices in 2021 both relating to information sought from the States of Jersey Police regarding disciplinary complaints [14].

As of 31 December 2021, there were no active appeals under review.


Protecting the environment is one of our priorities, and we are a member of the Government of Jersey's Eco Active Business Network. This is an environmental management scheme for organisations on the island.

The Authority continues to be committed to:

01 Improving efficiency in the use of energy.

02 Reducing waste.

03 Demonstrating compliance with environmental legislation.

Winning the hearts and minds of islanders was at the forefront of the JOIC's communications outreach, campaigns and activities for 2021 with each project complementing the work of the JOIC's Compliance and Enforcement team and in line with our business promise to promote the data protection rights of individuals through a practical and ethical approach to business practice and regulation.

Sarah Moorhouse
Communications Lead

JOIC DEBATE

Your privacy - a price worth paying?

100 guests gathered for our lively debate titled "Your privacy - a price worth paying?" during October 2021 to explore the value of privacy, ownership of personal information and under what circumstances are we prepared to trade our privacy in order to access goods and services.

The debate was structured to allow the young guests to challenge the grown-ups and ask what was being done, how and when, to protect their personal information in a world where the relentless pace, ability and invasive nature of technology and artificial intelligence shows no sign of slowing down.

Guests from a wide range of industry sectors including business, education and charity contributed to the discussion which was held in line with our strategic aim to ensure the people of Jersey are provided with a high level of data protection as well as striving to ensure Jersey is recognised as a world leader embracing innovation to safely develop digital technology.

The aim of the event, the first of its kind for our organisation, was to establish what the audience was most concerned about regarding their privacy and personal information. Students from a number of island schools including Highlands College, Jersey College for Girls and Beaulieu School attended and guest speakers from The Diversity Network, Jersey, the Digital Jersey Academy, Highlands College, Government of Jersey, MIND Jersey, Jersey College for Girls, Jersey Finance, Trax.je and Jersey Consumer Council shaped and ignited our debate.

The debate audience strengthened the message that islanders need the tools to navigate the personal information challenge and feel equipped and empowered to understand the privacy landscape, ask the right questions and know how to check.

We received extremely positive feedback following our debate.

JOIC Debate guest experiences

 

Huge congratulations for organising a superb event. Despite running to a tight schedule, it still allowed plenty of time for some important discussions to be had, even on the individual tables. I would happily remain involved in anything similar you decide to do in the future.

It was a bit daunting being invited to a big corporate event. We were welcomed, made to feel important and the JOIC person on our table chatted through the event structure. It was great to be able to participate in the discussion and see the debate unravel around me.

I thoroughly enjoyed it and very much appreciated the food for thought. I think you and your team are doing great things.

I really enjoyed the event and thought the content and debate was really engaging. So many different viewpoints and opinions. I also really like it that the event engaged with younger people. A very worthwhile afternoon indeed.

Thank you so much again for inviting me. I really enjoyed it and there were some great discussions.


Community Education and Outreach

In line with our mandate, we're committed to raising awareness across our community about the importance of individuals taking ownership and control of their personal information. Our Young Privacy Ambassador Programme expanded during 2021 and our team delivered 44 sessions to island schools via a mix of in person and virtual delivery of our key messages.

The Young Privacy Ambassador Programme educates Jersey's young people about why their personal information must be protected and aims to equip them with the tools they need to do so. Sessions include video content, props and age-appropriate quizzes to engage the students and check their learning.

Our Young Privacy Ambassador sessions reinforce the fact privacy is a fundamental human right.

Performance Measure

To ensure the students:

Understand the meaning of Personal Information and how the DPJL protects them and their personal information.

Are equipped with the tools to protect their personal information, with a particular focus on digital advancements and technology.

Get to grips with their individual rights as citizens under the Data Protection (Jersey) Law 2018.

Are aware of the legal obligations those that are processing their personal information must adhere to under the law.

The sessions reinforce the fact that privacy is a fundamental human right and aim to ensure students have the relevant knowledge, are able to explore their rights and responsibilities and acquire the skills they need to lead fulfilling, responsible and balanced lives.

As the students progress through their school journey, our workshops offer a deeper level of education around understanding privacy rights and ethics. Following the sessions during 2021, 80% of young people we engaged with commented they understood the importance of protecting their personal information.

 The team at the JOIC have delivered a range of engaging, high quality sessions, giving our students an introduction into the world of data protection, highlighting the value of their personal data and demonstrating ways to safeguard themselves in this area. We would like to thank the team for their support and are looking forward to further sessions in the near future.

PSHE Leader

Courtroom Challenge

Year 12 students at Hautlieu School stepped out of the classroom and into the courtroom once again during 2021 to learn more about data protection law via a privacy trial court case.

The challenge required the students to evaluate a fictional courtroom bundle, then split into prosecution and defence teams for a two-hour hearing.

The aim of the challenge was to:

Bring privacy law to life.

Increase young people's understanding of privacy law in an ethical context.

Encourage the students to explore a fictional data protection case and question privacy issues.

Inspire the next generation of privacy professionals.

The courtroom challenge was my favourite activity so far held by JOIC to teach us about the Data Protection (Jersey) Law 2018. It made the law more relevant to real life and helped us to understand why and how the law is in place to protect our personal information. It was one of the most helpful activities that we have done regarding protecting our data because we all actively and consciously took part debating about the nuances of the law and how it works. This further helped us to understand our rights as young adults

International Baccalaureate Student

Our outreach team hosted assemblies for local sixth formers during 2021 to inform them about how to exercise their personal information rights and responsibilities and explore privacy issues as they enter adult life. Our team also delivered Data Protection Basics virtual sessions to first year degree students studying business law. Feedback confirmed the sessions supported the students in learning more about the foundations, principles and obligations of Jersey data protection law.


Events

The aim of our JOIC events programme of presentations and interactive workshops for 2021 was to educate, guide, inform and engage.

Due to the Covid pandemic, sessions were presented via a mix of face to face and virtual delivery. Themes ranged from International Transfers to Subject Access Step-by-Step, to the Dos and Don'ts when dealing with Rectifications and Erasure requests and what makes a good Data Protection Impact Assessment. The events programme included a data protection workshop designed specifically to support small businesses and sessions raising awareness of our office, who we are and what we do.

We also delivered presentations following requests from organisations including teams from the healthcare, property and charitable sectors. Our events attracted 180 guests, with 75% of attendees commenting the information presented would benefit them personally and professionally. 68% of attendees said they learned something new from the session they attended. Whilst overall guest numbers were lower than anticipated, smaller groups prompted more in-depth conversation around each subject.

Data Protection Day 2021

Due to the pandemic meaning we could not host in person events, we invited guests to celebrate Data Protection Day 2021 with us virtually. Presentations included "CovidCop2021 The Rise of Employee Spyware" which explored the implications of ethics, data protection and employee monitoring as well as "Inclusive or Intrusive", a discussion about the importance of striking a balance between employee engagement and employee privacy.

The Deputy Information Commissioner appeared live on Jersey local radio discussing the impact of data breaches, employee health data and how islanders can best protect their personal information against the threat of Covid-19 related scams.

Our office was proud to attend events during 2021 as part of the Jersey Fraud Prevention Forum and collaborate with Jersey Chamber of Commerce and Jersey Library to extend our reach to industry and individuals.

It's All About You

Our It's All About You campaign was launched during 2021 to maximise our engagement with islanders as part of our citizen privacy brand.

The campaign launch was in line with our strategic deliverable to ensure the island's approach to data protection clearly contributes to its reputation as a well-regulated jurisdiction. It centred around a bespoke Privacy Toolkit, an online, practical go-to-guide to help islanders protect their personal information and understand their individual rights. The campaign was promoted via local television advertising and resulted in an increase in visits to the dedicated It's All About You section of our website.

It's All About You aims to:

Empower Islanders and provide them with the tools to protect their personal information.

Grow the conversation around the value of privacy.

Support and encourage Jersey's community to enjoy a healthy privacy self-esteem.

It s All About You Survey

During February 2021 we launched a  In response to the question To what extent are confidential survey as part of our It s All  you aware of the role of the Jersey Office of the About You campaign. Aimed citizens in Jersey,  Information Commissioner?, 52% of recipients the purpose of the survey was to find out how  said they were unaware of the role of our

aware islanders were about their personal  office. Raising awareness of our office is an information rights. important part of our JOIC business plan and

communications for 2022.


| | Very concerned | Fairly concerned | Not very concerned | Not at all concerned |
|---|---|---|---|---|
| Genetic data (DNA, blood type etc.) | 48.13% (180) | 26.20% (98) | 18.45% (69) | 7.22% (27) |
| Health data | 59.68% (225) | 23.34% (88) | 12.20% (46) | 4.77% (18) |
| Political, religious and other beliefs data | 23.47% (88) | 27.20% (102) | 30.93% (116) | 18.40% (69) |
| Biometric data (Fingerprint, facial recognition, CCTV image) | 78.31% (296) | 14.81% (56) | 3.97% (15) | 2.91% (11) |
| Nationality | 15.24% (57) | 18.18% (68) | 35.83% (134) | 30.75% (115) |
| Sexual orientation | 18.62% (70) | 14.10% (53) | 33.24% (125) | 34.04% (128) |
| Criminal record information | 40.27% (151) | 17.87% (67) | 15.73% (59) | 26.13% (98) |
| Contact details such as name, address, email address | 70.45% (267) | 19.00% (72) | 6.33% (24) | 4.22% (16) |
| Date of birth | 49.07% (185) | 24.40% (92) | 15.92% (60) | 10.61% (40) |
| Passport data | 86.60% (323) | 9.92% (37) | 1.07% (4) | 2.41% (9) |
| Credit and debit card details | 95.76% (361) | 2.65% (10) | 0.00% (0) | 1.59% (6) |
| ID information (driving licence etc.) | 80.95% (306) | 15.08% (57) | 0.00% (0) | 0.00% (0) |

*Not all respondents answered every question.

The survey, the first of its kind for our office, will be repeated each year. This initial survey will be used as a benchmark for future research and importantly, will help us shape our outreach activities.

Survey questions ranged from asking respondents to rate their knowledge of their personal information rights to asking them how concerned they would be if their personal information was lost or shared without their permission. 381 Islanders took part in the survey.


Another key finding was that 96% of respondents said it was important to them that organisations kept their personal information safe and secure. The table above highlights how concerned respondents said they would be if their sensitive personal information was lost or shared without their permission.

Guest Bloggers

Influencers continued to support our mission to bring privacy themes to life during 2021. Thought leading industry professionals contributed to our website blog pages in line with our vision to embrace a collaborative and innovative approach to data protection. Blog themes ranged from the relationship between contact tracing and data protection to data protection in the workplace and privacy and sustainability. Our contributors promoted their blogs on social media which resulted in increased engagement and more islanders joining the privacy conversation.

Blog extract

"I've always been told that a good starting point for data protection is to ask if you'd be happy if your information was being treated the way you're planning to treat someone else's. And I was not happy."

Business

Board Support Squad

How do you hold the executive to account when it comes to data protection? How do you stress test the effectiveness of the data protection policies and procedures embedded in the organisation?

Set up in line with our mandate to help boards and Non-Executive Directors be fully conversant with the role they must play when it comes to privacy needs, the Board Support Squad has been a popular addition to our JOIC portfolio.

Its purpose is to help industry leaders to understand both board and manager data protection risks and responsibilities and to provide them with an opportunity to work with our office in a safe space to stress test the data practices in their organisation and identify any privacy risks before they are realised. The launch of our Board Support Squad has resulted in stronger working relationships and collaboration with industry and supported the development of relevant guidance material.

Guest experiences

Let's Go DPO! is just the tip of the iceberg in terms of the support the JOIC provides. That the sessions are so well attended is evidence of a collective experience of them being prepared to listen and engage on any subject.

The Let's Go DPO! sessions have been invaluable to me as a recently appointed DPO. They provide a safe space for confidential peer-to-peer discussions and a forum to seek guidance from JOIC on issues faced by businesses.


Let's Go DPO! Network

Autumn 2021 saw the launch of our interactive Let's Go DPO! support network created to provide Data Protection Officers and Data Protection Leads in Jersey a safe and confidential environment in which to:

Discuss the highs and lows of being a DPO or DP Lead.

Share skills, explore common experiences and ideas to help overcome some of the challenges faced by DPOs or DP Leads.

Build working relationships for future collaborations.

Collaboration with members is at the heart of this network. Each session is structured around a specific theme chosen following discussion with members. The launch sessions explored JOIC's Compliance and Enforcement role, Subject Access Requests and this included a discussion about the support DPOs feel they need as well as data breaches explored via case studies.

Its purpose extends to promote compliance and awareness of the DPJL and demonstrate the JOIC's commitment to providing support to those working within the field of data protection locally by offering them the opportunity to discuss and contribute to our strategic outcomes, where appropriate.

Let's Go DPO was launched in line with our strategic aim to ensure the island's approach to data protection clearly contributes to its reputation as a well-regulated jurisdiction.

Small Business Focus

Our small business self-assessment tool was launched during 2021 to support and empower small business owners and sole traders to improve their understanding of their data protection obligations and find out what they need to do to ensure they are keeping personal information secure, in line with our commitment to ensure the people of Jersey are provided with the highest standards of data protection. Once small business owners or sole traders complete the self-assessment, they are presented with practical steps and links to guidance to assist them with data protection compliance.

Media Engagement and Partnerships

Regular features throughout 2021 included a monthly Ask the Commissioner column in Jersey's print media to demystify data protection issues as well as articles highlighting topical privacy issues, written by JOIC senior management. Media releases issued during 2021 included a Public Statement and an update regarding our JOIC Data Protection Audit Programme.

We continue to use television, print and radio advertising to inform islanders about their obligations and individual rights under the Data Protection (Jersey) Law 2018. Local television advertising during 2021 focused on the legal requirement for businesses, charities and organisations of any shape or size that process personal information to be registered with our office and adhere to their obligations under data protection law and led to greater awareness and new business registrations. A second television campaign focused on individuals being equipped with the tools to protect their personal information and led to an increase in visits to the Privacy Toolkit area of our website.

The JOIC Communications team continues to nurture and develop working relationships with key stakeholders such as Jersey Business, Jersey Chamber of Commerce, Digital Jersey, Jersey Finance, Law Society of Jersey and MIND Jersey for the benefit of the Jersey community. We were also pleased to partner with States of Jersey Police, Jersey Consumer Council and Citizens Advice Jersey to raise awareness about the importance of protecting personal information as part of a social media campaign during Spring 2021.

2021 engagements timeline (January 2021, February 2021, March 2021, April 2021, June 2021, August 2021, September 2021, October 2021, November 2021):

Global Privacy Assembly - International Enforcement Working Group: Deputy Information Commissioner participated in working group regarding International Enforcement, exchanging information about global enforcement strategies.

Global Privacy Assembly - Artificial Intelligence Working Group: Information Commissioner participated in working group exploring Artificial Intelligence. Deputy Information Commissioner participated in working group exploring the response to Covid-19 and the data protection/privacy issues associated.

Webinar - A World View on Privacy: Commissioners in Discussion: Deputy Information Commissioner joined discussion about data privacy with regulators across several continents and what key issues they are addressing in today's landscape.

Centre for Information Policy and Leadership: Information Commissioner spoke remotely at Centre for Information Policy and Leadership event Covid-19's Impact on Data: Lessons Learned and the New Future, co-hosted with Dubai International Finance Centre.

Information Commissioner attended International Enforcement Working Group Governance Meeting.

British, Irish and Islands Data Protection Authorities (BIIDPA) meeting: Information Commissioner and Deputy Information Commissioner participated in annual small jurisdiction meeting over two days.

Annual Privacy & Security Conference, Victoria, BC: Information Commissioner and Deputy Information Commissioner remotely attended one of world's largest privacy conferences.

Global Privacy Assembly - Humanitarian Aid Working Group: Information Commissioner participated in round table discussion about the role of personal data protection in international humanitarian aid and crisis management.

Transform 2021: Information Commissioner attended Jersey conference exploring data strategies.

Information Commissioner attended Exporting Data Stewardship Services project workshops (series) hosted by Digital Jersey.

Westminster eForum Keynote Seminar: Deputy Information Commissioner remotely attended session about next steps for UK data protection.

Building a Digital Jersey: Information Commissioner participated in two-day workshop hosted by Digital Jersey.

Deputy Information Commissioner attended International Conference of Information Commissioners (Freedom of Information)

Employee Composition

As at the end of 2021 there were six Authority voting members and 12 (11.4 FTE) permanent employees within the JOIC. In total, 67% of employees were female and 33% were male.

The senior leadership team is comprised of four permanent employees, 50% female and 50% male, supported by two external consultants.

Remuneration

Against a backdrop of skill shortages in the island, in 2020, the HR and Remuneration Committee commissioned a comprehensive review of pay and reward for both the Authority members and the JOIC employees. This was undertaken by an independent consultant with the purpose of:

a) Developing a Pay and Reward Philosophy for the JOIC, to include guiding principles against which reward decisions are made.

b) Identifying the components that constitute pay and reward within the JOIC.

c) Establishing an appropriate method of determining pay between different levels of work.

d) Drawing benchmark comparisons with other relevant organisations and posts.

e) Designing a new pay structure and the surrounding policy.

As a result of this review a new pay structure was implemented in January 2021. The JOIC pay structure now consists of ten pay bands, containing three pay points within each band.

All pay decisions are underpinned by the JOIC Pay and Reward policy, which includes our reward principles and details of our job evaluation methodology.

Sam Duffy
Human Resources Manager

Transparent: Openness and accessibility; Honesty and Integrity; Evidence based

Ethical: Fairness and equitability; Objectivity and impartiality; Accountability

Enabling: Promotes facilitation and collaboration; Drives innovation and a solutions-focussed approach; Drives regulatory excellence

It is the Authority's intention to monitor the effectiveness of the JOIC pay and reward policy, every 12-24 months. The aim is to ensure that pay and reward are competitive, reward good performance and support the JOIC in attracting and retaining key talent.

Remuneration of directors

Director roles, which include the Information Commissioner, are positioned between pay bands 8 and 10 on the JOIC pay structure, as described previously.

Directors' pay and reward follow the same principles as all posts. Appointments at director level are based on clear criteria and require demonstrable evidence of management and leadership capabilities. At the current time all posts, including director level, receive accrued pension benefits. See the finance report on page 78 for further information. At the current time no posts, including director level, receive allowances or performance related pay. The only additional benefit available at director level is parking.

Talent Management

As a small employer working in a specialist field, talent retention is vital to our success. We require a broad range of skills and knowledge, not only in data protection, but in communication, outreach, case management, finance, legal, HR and general business management. Building on our engagement work, we have put in place a comprehensive programme of training sessions to support continuing professional and personal development. It can be challenging in a small organisation to provide a breadth of career opportunities, however in 2021 we achieved three internal promotions and two progressions (employees receiving an incremental pay increase on account of exceptional performance). Our progress in the area of reward and remuneration also supports our plans to retain and engage talent.

Recruitment

All staff appointments are made on merit and based on fair and open competition. All vacancies are openly advertised using a number of channels to encourage a broad range of applications from all backgrounds and sectors of our community. Criteria are defined before interviews and used to objectively assess candidates' suitability for the role. We recognise the value of a diverse team and welcome candidates who bring new experiences, skills, thinking styles and opinions to enhance our team.

Employee policies relating to disabled persons

The JOIC have a number of policies and procedures in place to ensure employees with a disability are treated fairly at all stages of the employee lifecycle (such as recruitment, training and development, absence, career progression etc.). Candidates and employees with a disability are supported in a number of ways, such as adjustments to the interview process, providing an appropriate working environment and flexible working patterns where possible. Our aim is to ensure that those who are, or become, disabled, are treated fairly and can continue to perform effectively and contribute to our goals.

Employee turnover

One member of staff left the team in 2021 and one retired. This equated to an employee turnover of 16% in 2021.

Employee engagement

During the Covid pandemic, employee health, well-being and engagement was a priority for the JOIC, particularly whilst the team was working remotely and for individuals who were new to the office. An engagement survey was conducted in October 2021 focusing on seven key areas of employment. Overall, the engagement scores were high, with job satisfaction, pay and benefits and teamwork returning the highest levels of engagement. Areas for improvement were also identified, such as internal communication and more structured training. Plans are ongoing with the team in these areas.

2021 was a challenging year for JOIC but not in the typical way you would expect to have challenges during the normal course of business. Budgeting and forecasting during a pandemic (which brought with it a high degree of uncertainty) was something we had not expected to face, and we had no comparisons with a normal trading year that we could draw upon but we knew we were not alone and many other businesses were facing similar struggles.

With the Covid-19 pandemic still a very real issue, the budget for 2021 was set conservatively. Noting the pressures faced by local businesses and the expectation that the pandemic would cause many businesses to cease trading we anticipated a drop in registration revenue for 2021.

The opposite of our assumptions was true, however, and we saw registration income exceed our original budget (£1.5m) by almost 40%.

All fee bands have seen an increase in fee income with the exception of the Special Category Data fee which has fallen by 37% compared to 2020. Rather than this being due to a reduction in entities holding special category data it is likely that entities are not passing the revenue threshold to become eligible to pay a fee in this banding. We are likely to see increases in this area as businesses return to pre-pandemic levels of activity.

| Fee | Full year 2021 | Full year 2020 | Change |
|---|---|---|---|
| Full time equivalent employees fee | £463,240 | £407,783 | 13.6% |
| Past year revenues fee | £78,400 | £73,050 | 7.3% |
| Proceeds of Crime fee | £106,600 | £103,150 | 3.4% |
| Administration services fee | £1,412,121 | £1,217,324 | 16% |
| Special Category data fee | £33,050 | £52,650 | -37.2% |
| Total | £2,093,410 | £1,853,957 | 12.9% |

Claire Le Brun
Finance Manager

The largest increase has been seen in the Administration services fee category which has increased by 43% on budgeted figures and a 16% overall increase when compared to 2020. The full year fee in this category makes up 67.5% of the total registration revenue in 2021. (2020: 65.6%)

Registrations continued to be received over the course of the year due to the success of the community awareness programmes and events detailed earlier in this annual report and new businesses registering with us for the first time. This additional registration revenue was unbudgeted and contributed to the surplus generated in the year.

The next highest fee band is the full-time equivalent employees fee which makes up 22.1% of the total registration revenue received in 2021. (2020: 21.9%)

Working in Partnership with Government

JOIC receives a Government of Jersey grant and during 2021 the grant received was £500,000 (2020: £260k).

The grant income represents 19.3% of the total income received during 2021 and in line with the Partnership Agreement between JOIC and the Government of Jersey this grant income was used for the purposes of administering the Authority Law, oversight and enforcement of the DPJL and the oversight and enforcement of the FoI Law.

JOIC is still in a growth phase. Registration fee income is targeted to grow by 5% each year but there will be a point in time where we reach saturation and fee income will level off.

JOIC's operating expenses are set to grow at a higher rate with forecasts showing large increases during 2022/2023 as the full staff complement is reached with further increases in non-staff areas through 2024 and beyond.

It is with the full picture in mind that the Government grant value is set along with the fee bandings which are reviewed on an annual basis.

Remuneration and Staff

Remuneration for the Authority was subject of an external review by Kojima. The findings were submitted to the Minister who approved the following time commitments and rates for the Authority members:

| Role | Time Commitment | Day Rate | Annual Remuneration per Authority member for the relevant contribution |
|---|---|---|---|
| Authority Chair | 18 days p.a | £950 | £17,100 |
| *Sub-Committee Chair | 3 days p.a | £750 | £2,250 |
| Voting Members | 12 days p.a | £750 | £9,000 |

* The Sub-committee Chair is a new duty in 2021 attached to an existing Voting Member role. The Sub-committee Chair has an additional three days allocated to allow for the increased workload but is paid at the same day rate as a voting member.

There are no other payments made to the Authority members. The Chairman and the other voting members are appointed by the Minister who must have particular regard to the need to ensure that voting members of the Authority:

  1. have the qualifications, experience and skills necessary to exercise and perform the functions of a member, in particular relating to the protection of personal data;
  2. have a strong sense of integrity; and
  3. are able to maintain confidentiality. (Art. 3 DPAJL)

Authority members do not constitute an employee for the purposes of the Employment (Jersey) Law 2003 or other local legislation.

Total staff costs for the year were underspent at year end due to delayed recruitment as a result of the pandemic.

| Budget 2021 | Actual 2021 | Variance |
|---|---|---|
| £1,092,734 | £965,689 | £127,045 |

Staff costs have increased by 7% compared to the 2020 spend. Staff costs include the Commissioner's salary. There was a change in Commissioner during 2021 but the grading applied to the role remained consistent with the change of personnel. The Commissioner's grade was subject to the same external review detailed in the Human Resources report from Kojima.

| Commissioner Salary 2020 | Commissioner Salary 2021 | % Increase on 2020 |
|---|---|---|
| £134,750 | £143,693 | 6.6% |

The actual payment made to the Commissioner in 2020 included a payment for a double taxation reimbursement which is not included in the figures above. The taxation reimbursement was specific to the agreement with the previous Commissioner and not part of the considerations for grade setting.

Non-Staff Costs

There are underspends throughout the non-staff budget areas that are related to the previously mentioned delayed recruitment and the pandemic causing delays in planned operations.

The underspends, along with the over achievement in registration income, has meant a large underspend has been generated.

| Budget 2021 | Actual 2021 | Variance |
|---|---|---|
| £807,266 | £654,207 | £153,059 |

The surplus generated in the year will be carried forward and utilised in 2022 to fund a number of projects and initiatives that are currently undergoing detailed discussion and analysis.

12 https://www.kojima.je/

JERSEY DATA PROTECTION AUTHORITY (JDPA)

AUDITED FINANCIAL STATEMENTS

FOR THE YEAR ENDED 31 DECEMBER 2021

CONTENTS

General Information

Authority Report

Statement of Authority's Responsibilities

Chairman's Statement

Independent Auditor's report to the Minister

Statement of Comprehensive Income and retained earnings

Statement of Financial Position

Notes to the Financial Statements

General Information

Members of the Authority

Jacob Kohnstamm, Chair

Clarisse Girot, Voting Member

David Smith, Voting Member

Gailina Liew, Voting Member

Paul Routier MBE, Voting Member

Helen Hatton, Voting Member

Dr Jay Fedorak, Information Commissioner (non-voting member) up to 1st July 2021

Paul Vane, Information Commissioner (non-voting member) from 2nd July 2021

Registered Office

2nd Floor
5 Castle Street
St Helier
Jersey JE2 3BT

Banker

HSBC
15-17 King Street
St Helier
Jersey JE2 4WF

Independent Auditors

Baker Tilly Channel Islands Limited
1st Floor Kensington Chambers
46/50 Kensington Place
St Helier
Jersey
JE4 0ZE

Authority Report

The Authority present their report and the audited financial statements of the Jersey Data Protection Authority (JDPA) ("The Authority") for the year ended 31 December 2021.

Incorporation

The JDPA was incorporated in Jersey under the Data Protection Authority (Jersey) Law 2018 ("DPJL") on 25 May 2018.

Corporate governance and delegation of authority

The JDPA carries the ultimate responsibility for the discharge of the responsibilities under the DPJL. The JDPA operates under the name of the Jersey Office of the Information Commissioner (JOIC).

The JDPA is the guardian of independence, sets the organisation's strategic direction, holds the Commissioner to account and provides the Commissioner with advice, support and encouragement. It ensures that JOIC provides value for money and complies with appropriate policies and procedures with respect to human resources, financial and asset management, and procurement.

The JDPA has the authority to appoint (or re-appoint) the Commissioner or remove the Commissioner from office. The JDPA has very limited operational responsibilities and these do not include day-to-day operations, individual casework or most enforcement decisions. The Authority has the ability to delegate functions to the Commissioner, but cannot delegate the following functions: this power of delegation; the function of reviewing any of its decisions; the issuing of a public statement under Article 14 of the DPJL; the making of an order to pay an administrative fine; the preparation of the Annual Report. By an Authority Resolution of 7 January 2019, the JDPA delegated all its functions to the Commissioner, in accordance with Article 10, except "Reserved Functions". In performing the Reserved Functions the Authority will have the assistance of the Commissioner.

Results

The financial statements provide an overview of the Jersey Data Protection Authority's income and expenditure for 2021.

Going Concern

The Authority consider, given the financial condition of the Authority, the use of the going concern basis is appropriate for the current period and at least 12 months from the date of signing these financial statements.

Auditors

The Comptroller and Auditor-General exercised her power under Article 43(3)(a) of the Data Protection Authority (Jersey) Law 2018 (as defined by the Comptroller and Auditor General (Jersey) Law 2014), to appoint Baker Tilly Channel Islands Limited as auditor of the Authority for the 5 years from the year ended 31 December 2018 to 31 December 2022.

Jacob Kohnstamm
Chair

31st March 2022

Statement of Authority's Responsibilities

The JDPA is responsible for preparing the Authority's report and the financial statements in accordance with applicable law and regulation.

The Data Protection Authority (Jersey) Law 2018 requires the Authority to prepare financial statements for each financial period. Under that law, the Authority have elected to prepare the financial statements in accordance with United Kingdom Accounting Standards, including Section 1A of the Financial reporting Standards 102, the Financial Reporting Standard in the United Kingdom and Republic of Ireland ("FRS 102 1A") (collectively, United Kingdom Generally Accepted Accounting Practice ("UK GAAP")). The Authority must not approve the financial statements unless they are satisfied that they give a true and fair view of the state of affairs of the Authority and of the surplus or deficit for that period.

In preparing these Financial statements, the JDPA is required to:

select suitable accounting policies and then apply them consistently;

make judgements and estimates that are reasonable and prudent;

state whether applicable accounting standards have been followed, subject to any material departures as disclosed and explained in the financial statements; and

prepare the financial statements on a going concern basis unless it is inappropriate to presume that the Authority will continue in business.

The voting members are responsible for keeping adequate accounting records that are sufficient to show and explain the Authority's transactions and disclose with reasonable accuracy at any time the financial position of the Authority and enable them to ensure that the financial statements comply with the Data Protection Authority (Jersey) Law 2018. They are also responsible for safeguarding the assets of the JDPA and hence for taking reasonable steps for the prevention and detection of fraud and other irregularities.

The JDPA at the date of approval of this report confirm that:

so far as the Authority are aware, there is no relevant audit information of which the Authority's auditor is unaware; and

each Authority member has taken all steps that they ought to have taken as a member to make themselves aware of any relevant audit information and to establish that the JDPA's auditor is aware of that information.

Jacob Kohnstamm
Chair

31st March 2022

Chairman's Statement

2021 has been a successful year in terms of operational development, enhancing governance, improving infrastructure and financial independence.

The JDPA introduced the new revenue model early in 2019. The revenue generated through registration fees, as detailed in the DPAJL, is allowing us to grow and meet the advancing requirements imposed on all data protection authorities as a result of rapidly emerging technologies. Such technologies include synthetic data, AI and emotional recognition software.

Currently, the private sector provides 80% of the funding of the Authority, with Government paying the remaining 20% by way of a grant. In recent years, on occasion, Government has reduced the grant figure to 10% of our funding. Discussions on a more appropriate and representative funding mechanism commenced in 2021; the Minister recognises that a resolution to this issue should be a high priority in 2022. The casework generated from the public sector represents 29% of the investigations undertaken in 2021, which is not dissimilar to other years. Hence the discussions are focussing on equity between funding from public and private sector whilst critically protecting the Authority's independence.

The registration fees provided an annual income of £2,091,353 in 2021. The fees generated increased by 18% from 2020. We anticipate the fees levelling out or potentially declining as the full impacts of Covid begin to impact the economy and we reach saturation point of organisations required to register with the JDPA as per the Law.

We are closely monitoring the registration fee income year on year; we are being prudent in our planning as the JOIC is a relatively young organisation and is still in a growth phase. Registration fee income is set to grow at 5% each year but there will be a point in time where we reach saturation and fee income will remain stagnant or drop when this occurs. Operating expenses are set to grow as fee income levels off and we meet an equilibrium.

Our new three-year strategic plan details new strategic outcomes 2022 - 2025. Looking ahead, we will continue to strengthen our infrastructure and strategic capabilities with investment and focus on three key areas: enhancing the resilience and reporting capabilities of our technology infrastructure, continued development of our supervision and oversight activities, and the development of a data stewardship regulatory framework in collaboration with other agencies and industry stakeholders in support of Jersey's aspiration to be a leading jurisdiction for data trusts.

Jacob Kohnstamm
Chair

31st March 2022

Independent Auditor's Report

To the relevant Minister of the Government of Jersey (the "Minister") on behalf of Jersey Data Protection Authority and the Comptroller and Auditor General.

Opinion

We have audited the financial statements of Jersey Data Protection Authority (the "Authority") which comprise the statement of financial position as at 31 December 2021 and the statement of comprehensive income and retained earnings, for the year then ended, and notes to the financial statements, including a summary of significant accounting policies.

In our opinion, the accompanying financial statements:

give a true and fair view of the financial position of the Authority as at 31 December 2021, and of its financial performance and surplus for the year then ended in accordance with United Kingdom Accounting Standards, including Section 1A of Financial Reporting Standard 102 The Financial Reporting Standard applicable in the UK and Republic of Ireland (UK GAAP); and

have been prepared in accordance with the requirements of the Data Protection Authority (Jersey) Law 2018 (the "Law").

Basis for Opinion

We conducted our audit in accordance with International Standards on Auditing (UK) (ISAs). Our responsibilities under those standards are further described in the Auditor's Responsibilities for the Audit of the financial statements section of our report. We are independent of the Authority in accordance with the ethical requirements that are relevant to our audit of the financial statements in Jersey, and we have fulfilled our other ethical responsibilities in accordance with these requirements. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Conclusions relating to Going Concern

In auditing the financial statements, we have concluded that the Authority's use of the going concern basis of accounting in the preparation of the financial statements is appropriate.

Based on the work we have performed, we have not identified any material uncertainties relating to events or conditions that, individually or collectively, may cast significant doubt on the Authority's ability to continue as a going concern for a period of at least twelve months from when the financial statements are authorised for issue.

Our responsibilities and the responsibilities of the Directors with respect to going concern are described in the relevant sections of this report.

Other Information

The other information comprises the information included in the annual report other than the financial statements and our auditor's report thereon. The Board of Members of the Authority (the "Board") with delegation to the Information Commissioner (the "Commissioner") are responsible for the other information contained within the annual report. Our opinion on the financial statements does not cover the other information and, except to the extent otherwise explicitly stated in our report, we do not express any form of assurance conclusion thereon. Our responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements or our knowledge obtained in the course of the audit, or otherwise appears to be materially misstated. If we identify such material inconsistencies or apparent material misstatements, we are required to determine whether this gives rise to a material misstatement in the financial statements themselves. If, based on the work performed, we conclude that there is a material misstatement of this other information, we are required to report that fact.

We have nothing to report in this regard.

Responsibilities of the Board

As explained more fully in the Board's responsibilities statement set out on page 85, the Board is responsible for the preparation of financial statements that give a true and fair view in accordance with UK GAAP, and for such internal control as the Board determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error.

In preparing the financial statements, the Board are responsible for assessing the Authority's ability to continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting unless management either intends to liquidate the Authority or to cease operations, or has no realistic alternative but to do so.

The Board is responsible for overseeing the Authority's financial reporting process.

Auditor's Responsibilities for the Audit of the Financial Statements

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor's report that includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with ISAs will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements.

The extent to which our procedures are capable of detecting irregularities, including fraud, is detailed below:

- Enquiry of management to identify any instances of non-compliance with laws and regulations, including actual, suspected or alleged fraud;

- Reading minutes of meetings of the Board;

- Review of legal invoices;

- Review of management's significant estimates and judgements for evidence of bias;

- Review for undisclosed related party transactions;

- Regarding revenue derived from registrations made to the Authority, obtain an understanding of the process from initial registration through to the income being recognised and received, including walkthroughs and detailed control testing;

- Undertake substantive analytical procedures to assess the completeness of the reported income derived from registrations made to the Authority;

- Review agreements correspondence and conditions related to the funding from the Government of Jersey, to ensure an appropriate level of grant income has been recognised in the reporting period;

- Undertake test of controls to gain assurance over the procedures relating to staff starters, leavers and the payroll process;

- Using analytical procedures to identify any unusual or unexpected relationships; and

- Undertaking journal testing, including an analysis of manual journal entries to assess whether there were large and/or unusual entries pointing to irregularities, including fraud.

A further description of the auditor's responsibilities for the audit of the financial statements is located at the Financial Reporting Council's website at www.frc.org.uk/auditorsresponsibilities.

This description forms part of our auditor's report.

Use of this Report

This report is made solely to the Minister, as a body, in accordance with section 43 of the Law. Our audit work has been undertaken so that we might state to the Minister those matters we are required to state to them in an auditor's report and for no other purpose. To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the Authority and its Minister, as a body, for our audit work, for this report, or for the opinions we have formed.

Baker Tilly Channel Islands Limited

Chartered Accountants

St Helier, Jersey

Date: 31 March 2022

Statement Of Comprehensive Income And Retained Earnings

| | Notes | 2021 £ | 2020 £ |
|---|---|---|---|
| Income from activities | 4 | 2,091,353 | 1,778,154 |
| Operating expenses | 5 | (1,619,896) | (1,597,212) |
| Surplus on ordinary activities | | 471,457 | 180,942 |
| Other income | | | |
| Government grant | 6 | 500,000 | 260,000 |
| Interest | | 25 | |
| Surplus on ordinary activities | | 500,025 | 260,000 |
| Taxation | 7 | | |
| Surplus for the year | | 971,482 | 440,942 |
| Retained Surplus as at 1st January 2021 | | 580,402 | 139,460 |
| Retained Surplus as at 31st December 2021 | | 1,551,884 | 580,402 |

The JDPA's turnover and expenses all relate to continuing operations. There are no recognised gains or losses other than those shown above.

The notes on pages 92 - 97 form part of these Audited Financial Statements

Statement Of Financial Position

Assets

 

| | Notes | 2021 £ | 2020 £ |
|---|---|---|---|
| Non-current assets | | | |
| Tangible assets | 8 | 8,267 | 23,744 |
| Intangible assets | 9 | 96,517 | 128,879 |
| | | 104,784 | 152,623 |
| Current assets | | | |
| Trade and other receivables | 10 | 54,340 | 40,799 |
| Cash and cash equivalents | 11 | 1,439,574 | 462,442 |
| Total Current assets | | 1,493,914 | 503,241 |
| TOTAL ASSETS | | 1,598,699 | 655,864 |
| CREDITORS amounts falling due within one year | 12 | (46,815) | (75,462) |
| Trade and other payables | | (46,815) | (75,462) |
| TOTAL NET ASSETS | | 1,551,884 | 580,402 |
| EQUITY | 13 | | |
| Share Capital | | - | - |
| Reserves | | 1,551,884 | 580,402 |
| TOTAL NET ASSETS | | 1,551,884 | 580,402 |

The financial statements on pages 92 to 97 have been prepared in accordance with the Data Protection Authority (Jersey) Law 2018 and Section 1A of Financial Reporting Standard 102.

The notes on pages 92 - 97 form part of these Audited Financial Statements.

The accounts were approved and authorised for issue on 31st March 2022 by the Authority and signed on its behalf by:

Jacob Kohnstamm Chair

31st March 2022

Notes to the financial statements

for the year ended 31 December 2021

1. General Information

The Jersey Data Protection Authority (JDPA) (the "Authority") was created by the Data Protection (Jersey) Law 2018 on 25 May 2018 and is responsible for the registration and regulation of Data Protection in Jersey. This law transferred all responsibilities for registration and regulation of Data Protection prescribed as the duty of the Minister or other States bodies to this new Authority. The Authority is a body corporate and its registered office is 2nd Floor, 5 Castle Street, St Helier, Jersey, JE2 3BT.

Basis of accounting

The financial statements have been prepared on the going concern basis, under the historical cost convention. The Authority has applied the small entities regime under FRS 102(1A), which allows qualifying entities certain disclosure exemptions. The Authority has taken advantage of the exemption from preparing a statement of cash flows under paragraph 7.1b.

Functional and presentational currency

The financial statements are prepared in Pounds Sterling (GBP or £) which is the functional and presentational currency of the Authority.

2. Statement of compliance

The financial statements have been prepared in compliance with Section 1A of Financial Reporting Standard 102 (FRS 102) "The Financial Reporting Standard applicable in the UK and Republic of Ireland" issued by the Financial Reporting Council and the Data Protection Authority (Jersey) Law 2018.

3. Summary of Accounting Policies, Estimates and Significant judgements

The principal accounting policies applied in the preparation of these financial statements are set out below. These policies have been consistently applied to all years presented, unless otherwise stated.

The preparation of financial statements requires the use of certain accounting estimates. It also requires management to exercise its judgement in the process of applying accounting policies. Accounting estimates involve management's judgment of expected future benefits and obligations relating to assets and liabilities (and associated expenses and income) based on information that best reflects the conditions and circumstances that exist at the reporting date. There have been no changes to the accounting estimates from the previous financial period.

  1. Going concern

The Authority consider, given the financial condition of the Authority, the use of the going concern basis is appropriate for the current period and for 12 months from the date of signing these accounts.

  1. Provisions

Provisions are recognised when the Authority has a present legal or constructive obligation, as a result of past events, for which it is probable that an outflow of economic benefits will be required to settle the obligation in future and the amount of the obligations can be reliably estimated.

  2. Economic useful lives of intangible and tangible fixed assets

The Authority's fixed assets are depreciated on a straight-line basis over their economic useful lives. Useful economic lives of equipment are reviewed by management periodically. The review is based on the current condition of the assets and the estimated period during which they will continue to bring an economic benefit to the Authority.

Revenue recognition

Registration fees

Under the terms of Data Protection Authority (Jersey) Law 2018 registrations made to the Authority are valid for one year. The registration fees are non-refundable and fall due each year on 1st January. Income from registrations is recognised when it is earned.

Operating Expenses

Expenses are accounted for on an accruals basis.

Employment benefits

Pension costs

As the Authority is an admitted body, past and present employees have been eligible to accrue post-employment benefits under the provisions of two possible defined benefit pension schemes, namely the Public Employees Contributory Retirement scheme ("PECRS") or the Public Employees Pension Fund ("PEPF").

The assets are held separately from those of the Government of Jersey and the responsibility to discharge accrued liabilities are held by those Funds. The Authority is not responsible to fund any deficit or to maintain the specific level of the pension assets to meet pension liabilities. In light of this, the scheme is accounted for as though it is a defined contribution scheme, with the annual cost to the Authority taken to be equal to the employer's pension contributions payable to the scheme for the accounting period. The contributions are charged to operating expenses as and when they become due.

Contribution rates are determined on a triennial basis by an independent qualified actuary, so as to spread the costs of providing benefits over the members' expected service lives. The main purposes of the valuations are to review the operation of the scheme, to report on its financial condition and as noted, to confirm the adequacy of the contributions to support the scheme benefits. Copies of the latest annual accounts of the scheme, and Government of Jersey, may be obtained from 19-21 Broad Street, St Helier JE2 3RR or online at:

http://www.gov.je/Working/WorkingForTheStates/Pensions/PublicEmployeePensionFund/Pages/PublicServicePensionPublications.aspx

Interest receivable

Interest receivable is accounted for on an accruals basis.

Government Grant

Grants are recognised in other income in the year the related costs are incurred by the Authority for which the grant is intended to compensate. For grants which are received by the Authority for compensation for expenses or deficit which have already been incurred, the grant is recognised in income when it is received or receivable.

Tangible assets

Tangible assets consist of office equipment which is stated at historical cost less accumulated depreciation. Cost includes all costs directly attributable to bringing the asset to working condition for its intended use. Depreciation is calculated on the straight-line method to write-off the cost of equipment to their estimated residual values over their expected useful lives as follows:

- Office equipment 3 years

- IT equipment 3 years

The useful lives and depreciation methods used are reviewed regularly and any adjustments required are effected in the charge for the current and future years as a change in accounting estimate. Gains and losses on disposal of equipment are determined by reference to their carrying amounts and are taken into account in determining net profit. Repairs and renewals are charged to the statement of profit or loss and other comprehensive income when the expenditure is incurred. The carrying values of the plant and equipment are reviewed for impairment when events or changes in circumstances indicate the carrying values may not be recoverable. If any such indication exists, and where the carrying values exceed the estimated recoverable amounts, the plant and equipment are written-down to their recoverable amounts.

The Authority's policy is to review the remaining useful economic lives and residual values of property, plant and equipment on an ongoing basis and to adjust the depreciation charge to reflect the remaining estimated useful economic life and residual value.

Intangible assets

Externally acquired intangible assets (Website and software) are initially recognised at cost and subsequently amortised on a straight-line basis over their useful economic lives of 5 years. The carrying amount of each intangible asset is reviewed periodically and adjusted for impairment where considered necessary.

Due to the revenue generation, regulatory function and API connection to Dynamics CRM, an expert opinion was sought on the useful economic life and 5 years was considered to be appropriate and in line with the Digital Strategy for the JDPA.

The Authority's policy is to review the remaining useful economic lives on an ongoing basis and to adjust the amortisation charge to reflect the remaining estimated useful economic life and residual value if appropriate.

Financial assets

Basic financial assets, including trade and other receivables and cash and bank balances are initially recognised at transaction price, unless the arrangement constitutes a financing transaction, where the transaction is measured at the present value of the future receipts discounted at a market rate of interest. Subsequent measurement shall be at fair value with the change in fair value recognised in profit or loss.

Financial assets are derecognised when (a) the contractual rights to the cash flows from the asset expire or are settled, or (b) substantially all the risks and rewards of the ownership of the asset are transferred to another party or (c) despite having retained some significant risks and rewards of ownership, control of the asset has been transferred to another party who has the practical ability to unilaterally sell the asset to an unrelated third party without imposing additional restrictions.


Trade and other receivables

Trade and other receivables are initially recognised at their fair value and are carried at their anticipated realisable values. An allowance is made for impaired trade and other receivables based on a review of all outstanding amounts at the year-end. Bad debts are written-off during the year in which they are identified. Subsequent measurement will see the change in the realisable value recognised in profit or loss.

Cash and cash equivalents

Cash and cash equivalents comprise cash in hand.

Financial liabilities

Basic financial liabilities, including trade and other payables are initially recognised at transaction price, unless the arrangement constitutes a financing transaction, where the debt instrument is measured at the present value of the future receipts discounted at a market rate of interest. Financial liabilities are derecognised when the liability is extinguished, that is when the contractual obligation is discharged, cancelled or expires. Subsequent measurement shall be at fair value with the change in fair value recognised in profit or loss.

Trade and other payables

Trade payables are obligations to pay for goods or services that have been acquired in the ordinary course of business from suppliers. Accounts payable are classified as current liabilities if payment is due within one year or less. If not, they are presented as non-current liabilities. Trade payables are recognised initially at transaction price and subsequently measured at amortised cost using the effective interest method.

Contingencies

Contingent liabilities, arising as a result of past events, are disclosed when it is possible that there will be an outflow of resources but the amount cannot be reliably measured at the reporting date. Contingent liabilities are disclosed in the financial statements unless the probability of an outflow is remote.

Contingent assets are disclosed in the financial statements but not recognised where an inflow of economic benefits is probable.

Notes to the financial statements (continued)

For the year ended 31 December 2021

4. Income from activities

Income from activities is made up of registration fees under the terms of Data Protection Authority (Jersey) Law 2018.

5. Operating expenses

| | 2021 £ | 2020 £ |
|---|---|---|
| Staff including Commissioner and Deputy Commissioner | 965,689 | 901,657 |
| Services and Communications | 410,376 | 426,623 |
| Administrative Expenses | 17,988 | 66,880 |
| Audit and accountancy fees | 24,506 | 15,135 |
| Premises and Maintenance | 126,675 | 111,572 |
| Bank charges | 8,809 | 14,749 |
| Depreciation and amortisation | 65,853 | 60,595 |
| | 1,619,896 | 1,597,211 |

6. Government grant

Any net deficit of the Authority is financed by the Government of Jersey under the Partnership Agreement.

7. Taxation

Article 42 of the Data Protection Authority (Jersey) Law 2018 provides that the income of the Authority shall not be liable to income tax under the Income Tax (Jersey) Law 1961.

8. Tangible assets

| 2021 | IT equipment £ | Office equipment £ | Total £ |
|---|---|---|---|
| Cost | | | |
| As at beginning of year | 35,815 | 35,413 | 71,228 |
| Additions in the year | 1,239 | 11,162 | 12,401 |
| | 37,054 | 46,575 | 83,629 |
| Accumulated depreciation | | | |
| As at beginning of year | 23,876 | 23,608 | 47,484 |
| Depreciation charge for the year | 12,352 | 15,526 | 27,878 |
| | 36,228 | 39,134 | 75,362 |
| Net book value | | | |
| As at 31 December 2021 | 826 | 7,441 | 8,267 |
| As at 31 December 2020 | 11,939 | 11,805 | 23,744 |

9. Intangible assets

| 2021 | Software £ |
|---|---|
| Cost | |
| As at beginning of year | 184,264 |
| Addition | 5,614 |
| | 189,878 |
| Accumulated amortisation | |
| As at beginning of year | 55,385 |
| Charge for the year | 37,976 |
| | 93,361 |
| Net book value | |
| As at 31 December 2021 | 96,517 |
| As at 31 December 2020 | 128,879 |

10. Trade and other receivables

| | 2021 £ | 2020 £ |
|---|---|---|
| Trade Debtors | 19,459 | 13,122 |
| Prepayments | 34,882 | 27,677 |
| | 54,341 | 40,799 |


11. Cash and cash equivalents

The Authority has 1,439,574 at the end of the year (2020: 462,442). All balances are cash and are held in the Authority's own bank accounts.

12. Trade and other payables

| | 2021 £ | 2020 £ |
|---|---|---|
| Accruals and trade creditors | (46,815) | (75,462) |
| | (46,815) | (75,462) |

13. Share capital

The JDPA was incorporated in Jersey under the Data Protection Authority (Jersey) Law 2018 and has no share capital.

14. Related Party Transactions

| | 2021 £ | 2020 £ |
|---|---|---|
| Commissioner until 1st July 2021 | 88,227 | 154,582 |
| Commissioner from 2nd July 2021 | 69,224 | - |
| Chair | 14,177 | 11,250 |
| Voting member (Non Executives) | 8,100 | 7,200 |
| Voting member (Non Executives) | 10,350 | 7,200 |
| Voting member (Non Executives) | 8,100 | 7,200 |
| Voting member (Non Executives) | 10,350 | 7,200 |
| Voting member (Non Executives) | 10,350 | 7,200 |
| | 218,878 | 201,832 |

Key management personnel includes the Commissioner (change of personnel in the year) and the Voting Members who together have authority and responsibility for planning, directing and controlling the activities of the JDPA.

All amounts paid to key management personnel were in line with the contractual agreement and entirely related to remuneration for the above described services.

The JDPA has recognised £500,000 (2020: £260,000) as grant income from the Government of Jersey. The JDPA is accountable to the Government of Jersey, who incorporated it by means of the Partnership Agreement.

15. Controlling Party

The JDPA was incorporated in Jersey under the Data Protection Authority (Jersey) Law 2018 and works as an independent Authority.

As such, it is not considered to have a controlling party.


2nd Floor, 5 Castle Street, St. Helier, Jersey, JE2 3BT

+44 (0) 1534 716 530

www.jerseyoic.org