
Jersey Office of the Information Commissioner's Annual Report 2024

The official version of this document can be found via the PDF button.

The below content has been automatically generated from the original PDF and some formatting may have been lost, therefore it should not be relied upon to extract citations or propose amendments.

R.86/2025

JERSEY OFFICE OF THE INFORMATION COMMISSIONER ANNUAL REPORT

Fulfilling the obligations of the Authority under Article 44 of the Data Protection Authority (Jersey) Law 2018 and the Information Commissioner under Article 43 of the Freedom of Information (Jersey) Law 2011.

THE CONTENTS

HIGHLIGHTS

THE JERSEY DATA PROTECTION AUTHORITY

CHAIR REPORT

INFORMATION COMMISSIONER'S FOREWORD

THE JERSEY DATA PROTECTION AUTHORITY

PRINCIPAL & EMERGING RISKS

PERFORMANCE REPORT

ENFORCEMENT AND COMPLIANCE

COMMUNICATIONS, ENGAGEMENT AND OUTREACH

46th GLOBAL PRIVACY ASSEMBLY

ENVIRONMENTAL, SOCIAL AND GOVERNANCE

PEOPLE AND ORGANISATIONAL DEVELOPMENT

FINANCE OVERVIEW

AUDITED FINANCIAL STATEMENTS

 

     

 

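[Highlights infographic. Recoverable panel text: "Jersey retains EU Commission adequacy status"; "Complaints closed in 2024", broken down into complaints that were investigated and a breach determination made, were investigated and resulted in a no breach determination, were not investigated as per Part 4, Art. 20(2) of the DPAJL 2018 (which sets out the basis upon which we investigate or reject the complaint), and were withdrawn; "Responded to". The figures 99%, 54, 31%, 4%, 4.5%, 4.7% and 17% appear in the infographic but cannot be matched to their panels from the extracted text.]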

    184

 

SELF REPORTED DATA BREACHES

   

   

THE JERSEY DATA PROTECTION AUTHORITY

OUR VISION

Our vision is to create an island culture whereby the protection of personal data and privacy becomes instinctive, with individuals and organisations taking a proactive approach to embed such protection throughout their daily activities and business planning.

OUR PURPOSE

To provide those who interact with Jersey organisations and the Government of Jersey with the highest standard of personal data protection.

OUR VALUES

Our values are more than words on a page, they create our identity and inform how we operate. We created our values to be hugely important to us, using them to guide decisions, select behaviours and drive continuous improvement in our service. Our values apply to us all, regardless of rank and flow through each area of our service, every day.

We are Fair. We are Collegial.

OUR ROLE

STRATEGIC OUTCOMES

01 Achieving and maintaining the highest standard of data protection in Jersey.

a. Our purpose demands the highest standards of data protection for our citizens, and those who interact with Jersey, remembering that our Laws (like GDPR) have extra-territorial scope.

b. It is also important to remember that as a fundamental human right, data protection is intrinsically linked to well-being, mental health, reducing inequalities and improving living standards. All of these areas are key elements of the Island's collective strategy in the coming years.

This outcome covers all areas of our organisation and those who we are here to serve and support. From delivering proactive day to day guidance and resources, to forging ahead with our outreach and education programmes, to specific enforcement initiatives, such as targeted audits, we are committed to achieving and maintaining the highest standards of data protection. However, we cannot do this alone. We will continue to engage with all sectors of our community, such as charities, government, local businesses and youth groups (including both primary and secondary schools) to reach young people. Our deliverables in this area support our aim to be an exemplar and a source of leadership to our stakeholders. This in turn helps them to understand their role and their responsibilities, so that they too can deliver the highest standards of data protection.


02 Maximising technological and economic opportunities to enhance the Island's reputation as a safe place to host personal data and do business.

a. Jersey is a unique jurisdiction where regulation (including in respect of personal data) is already entrenched in our society (particularly in the finance sector). It will be critical for our economy to ensure that Jersey remains at the leading edge; monitoring international legislative frameworks, trading corridors and innovation to ensure Jersey can act fast and seize opportunities that both grow and preserve our already strong reputation for data protection and privacy more widely.

b. Our strong relationships with relevant stakeholders in the digital sector and Government of Jersey have enabled us to participate in a major project on the feasibility of Data Stewardship services in Jersey. These and similar concepts can provide exciting opportunities for Jersey where the Island can be seen as a world leader. We are key stakeholders in those discussions.

Proactively identifying relevant developments in the field of data protection, such as new and emerging technologies, economic or social change, our deliverables in this area start at grassroots level, with the aim of helping our stakeholders to ensure they have solid foundations, minimise risk and are alert to both future threats and opportunities. As a small but agile team, a key focus is on understanding the emerging landscape, working collegially with key change agents and providing thought leadership to facilitate positive change.

This includes our ongoing responsibility to maintain an awareness of regulatory and legal changes which may impact on privacy and data protection in Jersey and to contribute to our ability to navigate new privacy frontiers.

03 Protecting our future generations by putting children and young people first.

a. Given the exponential advances and uses of technology, it is critical, now more than ever, that we take steps to educate children on how online behaviours can affect their opportunities in later life and equip them with the tools to protect themselves against the many harms associated with growing-up in a digital environment, including educating on social media use, online gaming and the darker sides of the internet.

b. Equally, many of these young people will be our future digital innovators. It is incumbent upon us to help them embrace technological innovation in a safe way, and work with them to improve their own broader skills so as to ensure that Jersey remains not only a safe place to live, but also an exciting, attractive and progressive Island in which to do business.

c. Highlighting children is not at the exclusion of adult populations within our community. We respect all members of our community whilst recognising that some populations may be at higher risk and need greater protection. Our role as regulator is to ensure that we target our support accordingly and apply the Law in a fair and consistent manner, protecting those who need it most.

In working towards this outcome, our deliverables build on our already strong relationships with the Island's schools, through further development and wider roll-out of our education programme. Through specific targeted outreach campaigns, we will continue to raise children's awareness of their data protection rights, whilst alerting them to the potential risks of their online and other activities.

CHAIR REPORT

The focus of our attention for 2024 was our hosting of the Global Privacy Assembly Annual Conference

Throughout 2024, we engaged with 26% of the total population of Jersey's under 18s. 86% of

ioprnefr coOJoepcgrotsnoreitbsyioee, inrdt. s Fwf.ooTarrhsioetasuOhrwfuAfiogucrekteh hohoonarnistaoygn,u raironnwotdefn rmfnionoar tmsti thoaeentn uaItsrlolesau,t n sa dg e  taiokmhnunedptorryweuooanlvuecdendhdeggrs easpestseoasaofn i pJodrOelnienIss C ugw,. l poetT hf roe oetfnh tp ewgea caoi trrgr i teopkicdneoi rpwuosato fit ltn tiihnn ha eg esl a didi rni dai pnto eta nthr  hsreei i o igsor n h rf a teos lp udor ar tt a

and participating in privacy discussion on a global

The focus of our attention for 2024 was our hosting of the GPA Conference. It was a huge honour of momentous proportions. The Office has grown in stature, recognised for its work on an international stage.

Elizabeth Denham CBE
CHAIR, JERSEY DATA PROTECTION AUTHORITY

INFORMATION COMMISSIONER'S FOREWORD

Paul Vane
INFORMATION COMMISSIONER

Data protection is the cornerstone of public trust in our economy. As technology advances and data-driven innovation expands, individuals must have confidence that their personal data is handled responsibly, securely, and transparently. At the JOIC, our role is to uphold the highest standards of data protection, ensuring that organisations remain accountable, enforcement is effective, and above all, people's rights are safeguarded.

JwGhsetaoiartsvshneetdbhyranoeirms tdnhwese tnecnhtelelesses sEdciatUoeur nydaA fi  tddt ero eamd  qts aaaua  tsapf ie ocrago yn us t daiea nefcr ed ct li ai opsUtinleoKa cna2 pe0n ae2dt nr 3o s dp otd r htniohv aa a etbl c JudUeysa Kri stn a ee, y s

enicpdsoneaewmaerctibdeismcllifciuounoolnngramsirftt uewhytdr.hehtTehiathc renAheardu nlpstosrhaeefcoferaaemrrslgi ostidutyuf a a brsptriuadnemssgrpias nrotonooerndtssteaashpclte eeetdsi c o abati notfiuna csdlt iawranrawiueent sgthss husaofoelnuarrdtti so t iahrntye i o  n

activities are essential pillars to these adequacy

personal data and thrive for the Jersey economy.

Over the past year, we have continued to strengthen our regulatory approach, working closely with businesses, policy makers and the public to promote compliance, and best practice through our ethos of outcome-based regulation. The evolving landscape of data protection laws across the globe reflects the growing importance of privacy in modern society, and we remain committed to ensuring that these laws are not only adhered to but also understood and embedded into organisational culture.

ACCOUNTABILITY AND ENFORCEMENT

Accountability is fundamental to a fair and trustworthy data ecosystem. Organisations must take proactive steps to ensure they meet their obligations - protecting data by design, being transparent with individuals, and fostering a culture of compliance by adopting the mindset of doing the right thing. We continue to support businesses in achieving these goals through clear guidance, robust frameworks and ongoing engagement, helping them navigate their regulatory requirements while maintaining high ethical standards.

Regulation must be backed by meaningful enforcement. In 2024, we have taken decisive action where necessary and proportionate, ensuring that non-compliance carries real consequences whilst at the same time ensuring the best possible outcome for the individual affected. At the same time, our focus is on prevention - helping organisations understand their responsibilities before issues arise, promoting self-regulation, and encouraging the adoption of privacy-first practices.

From all the cases investigated and closed in 2024, the Authority was requested to consider issuing administrative fines to two data controllers. The Authority noted that in both cases the aggravating factors warranted the issuing of a fine as set out in the Regulatory Action and Enforcement Policy. Our Law currently prevents us from publishing specific details of reprimands and orders we have issued, but that does not take away from our belief that strong enforcement builds public trust and confidence, demonstrating that data protection is not optional but a fundamental right.

PROTECTING PEOPLE AND DELIVERING VALUE

Above all, our mission is to protect people. I have often said that we are people protectors and not just a data protection regulator. Individuals deserve control over their personal data, clarity on how it is used, and the assurance that their rights will be upheld. We continue to advocate for greater transparency, fairness, and security in data privacy practices, ensuring that privacy is a core principle instilled from the outset rather than an afterthought.

At the same time, we are committed to delivering excellent value for money in everything we do. We operate efficiently, prioritising resources in our small team to where they have the greatest impact - whether through targeted investigations, guidance that prevents costly non-compliance, or collaborative initiatives that strengthen industry-wide standards. By adopting innovative regulatory approaches, leveraging technology, and continuously improving our processes, we ensure that every pound spent translates into stronger data protection and privacy outcomes for individuals, businesses, and our society as a whole.

INTERNATIONAL COLLABORATION

In January 2024 the EU Commission published the Adequacy Review report of the functioning of the adequacy decisions. The report contained the Commission on the first review of the adequacy decisions that were adopted on the basis of Article 25(6) of Directive 95/46/EC (Data Protection Directive).

We were delighted to read that the Commission determined that eleven countries or territories ensure an adequate level of protection for personal data transferred from the European Union which included Jersey.

The EU Commission made particular reference in the report to

the developments in the Jersey legal framework since the adoption of the adequacy decision, including legislative amendments, case law and activities of oversight bodies, which have contributed to an increased level of data protection. In particular, Jersey has significantly modernised its data protection framework by adopting the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018 which entered into force in 2018 and align the Jersey regime closely with the GDPR.

In the area of government access to personal data, public authorities in Jersey are subject to clear, precise and accessible rules under which such authorities can access and subsequently use for public interest objectives, in particular for criminal law enforcement and national security purposes, data transferred from the EU. These limitations and safeguards follow from the overarching legal framework and international commitments, notably the ECHR and Convention 108, as well as from Jersey data protection rules, including the specific provisions for the processing of personal data in the law enforcement context set out in the Data Protection (Jersey) Law 2018, as modified by Schedule 1 to that Law. In addition, Jersey law imposes a number of specific limitations on the access to and use of personal data for criminal law enforcement and national security purposes, and it provides oversight and redress mechanisms in this area.

Based on the overall findings set out in the SWD, the Commission concludes that Jersey continues to provide an adequate level of protection for personal data transferred from the EU.

We are delighted to be participating in a series of high-level roundtable discussions which the European Commission is undertaking with all countries who provide an adequate level of protection for personal data.

The EU Commissioner identified that the adequate countries form one of the world's broadest networks for safe and free data flows and that in today's world, cross-border data flows are an integral part of our economy and daily lives. To this end he set in motion a series of discussions commencing in March 2024.

The EU Commissioner identified that the shared commitments have already led to significant benefits for individuals, businesses, and our economies. The priority is to build on these achievements and further strengthen our cooperation in promoting trusted flows. With the development of Artificial Intelligence and global challenges arising from new technologies, our collaboration at bilateral and international level is more crucial than ever. I would like to increase our engagement in these matters, by discussing how we can maximise the benefits of our partnership on data flows, and explore new avenues for cooperation, including through enforcement joint actions.

Jersey has actively participated at each roundtable discussion which have focussed on data flows, tools to promote and facilitate compliance by small and medium-sized companies and sharing information on activities of data brokers across borders.

The roundtable discussions are thought provoking and are generating broader understanding between adequate countries, shared learning and collaboration.

It would be remiss of me not to mention our international activities, and in particular the success of last year's Global Privacy Assembly which we had the honour of hosting in Jersey. Amongst some key outcomes identified, simplifying the complex global regulatory environment and encouraging more effective collaboration were key themes discussed. Also highlighted was the need to do more involving young people as well as how to address the real harms associated with failures of basic data privacy. The message was clear. Privacy is a fundamental human right and needs to be accessible for all humanity. Too many people are denied the opportunity to be treated fairly and equally, just because of their culture, geography, disability or gender.

The success of the week also highlighted the strength and quality of our local service industry, many of whom were involved in providing an exceptional experience for the 500 or more visiting delegates. Jersey is blessed with some incredible talent, and I was delighted to see an Island business community coming together to show off the best of Jersey. Equally pleasing was seeing full hotels and restaurants, a busy transport network, increased retail spending and hearing our visitors' feedback and desire to return to Jersey, all of which will have provided a significant injection to the local economy at a normally quiet period in the year. I must extend my heartfelt thanks to all those involved, including my JOIC team and our event organisers who all ensured the delivery of an exceptional event and helped cement the longer-term prosperity of our Island.

THE FUTURE

Looking ahead, we will continue to evolve alongside the ever-changing digital landscape, ensuring that data protection remains at the heart of a fair, competitive, and trusted digital economy. By working together - regulators, businesses, and individuals - we can create a future where privacy and innovation go hand in hand, building a digital environment that works for everyone.

In the early part of 2025, we will be setting our strategy for the next three years and taking on board the outcomes and actions from the GPA Conference in October. Jersey has an opportunity to be a leader in many respects, our geographical size proving time and time again that we can operate on a global stage and be noticed.

Finally, I would like to extend a warm welcome to our new Chair, Elizabeth Denham CBE, who brings with her a wealth of knowledge, experience, expertise and wisdom to our Authority. I am very much looking forward to working closely with Elizabeth and our Authority Members to further the excellent work of my JOIC team, in whom I remain immensely proud and grateful for their tireless efforts.

Paul Vane
Information Commissioner

THE JERSEY DATA PROTECTION AUTHORITY

The Authority is a statutory body which oversees the protection of personal data. The Authority consists of the Chair, and as per Article 3 of the DPAJL 2018 no fewer than 3 and no more than 8 other voting members and the Information Commissioner as an ex officio and non-voting member.

The Chair and voting members are appointed by the Minister. The Information Commissioner is the Chief Executive and:

a. is responsible for managing the other employees of the Authority.

b. is in charge of the day-to-day operations of the Authority.

c. has the functions conferred or imposed on him or her by the Law and any other enactment.

The Information Commissioner, on behalf of the Authority, undertakes the functions of the Authority under the DPAJL 2018 and the DPJL 2018 other than the issuing of a public statement under Article 14 and the making of an order to pay an administrative fine under Article 26 of the DPAJL 2018, or any other function specified by the Authority by written notice to the Information Commissioner.

The Authority is established to undertake a variety of key activities which includes promoting public awareness of risks and rights in relation to processing, especially in relation to children and to raise awareness for controllers and processors of their obligations under the data protection laws. It is also incumbent upon the Authority to report to Government on the operation of the data protection laws and to advise the Minister and the States of Jersey on any amendments that the Authority considers should be made to the laws.

All of the Authority's functions must be performed independently and free from direct or indirect external influence.

The Authority's activities regularly involve collaboration with local and international partners, sharing expertise in data protection, regulation and financial services. The Authority has established positive working relationships with local Government, public authorities, private sector stakeholders and international partners characterised by collaboration and respect. The Authority is strongly purpose-driven, thus both the strategic outcomes and business planning processes are more than just words on a page. The Authority and in turn data protection are pivotal in helping to engender trust and confidence in the Jersey economy. By safeguarding personal and sensitive information, we contribute to the foundation of trust upon which Jersey's economy thrives.



Governance, Accountability and Transparency

THE DATA PROTECTION AUTHORITY

The Authority has responsibility to:

Ensure that the JOIC remains accountable to the people of Jersey, in properly fulfilling its mandate and delivering quality services to its stakeholders.

Ensure that the JOIC provides value for money and complies with appropriate policies and procedures with respect to human resources, financial and asset management, and procurement. This includes formal approval of any single item of expenditure in excess of 10 per cent of the operating budget for the JOIC.

The Authority also provides an advisory function to the JOIC. With a balance of expertise in data protection, governance, and local knowledge of the Jersey Government and industry, the Authority provides strategic guidance to the JOIC with respect to fulfilling its mandate effectively and efficiently.

DELEGATION OF POWERS

There are other powers and functions that the Authority may exercise under the DPAJL 2018, most notably:

Enforcing the Law.

Promoting public awareness of data protection issues.

Promoting awareness of controllers and processors of their obligations.

Cooperating with other supervisory authorities.

Monitoring relevant developments in data protection.

Encouraging the production of codes.

Maintaining confidential records of alleged contraventions.

The Authority has delegated all these other powers and functions to the Information Commissioner.

There are certain functions that the DPAJL 2018 stipulates that the Authority must perform itself, and which cannot be delegated to the Information Commissioner. The most important functions are that only the Authority can decide whether to issue administrative fines and/or public statements for contraventions of the law. While the JOIC will make the official finding in each case as to whether a contravention has occurred, it is the Authority that will determine whether a fine will be applicable and the value of that fine. Similarly, it is only in cases where because of their gravity or due to some other exceptional circumstances that the Authority will issue a public statement, where it is in the public interest to do so.


AUTHORITY STRUCTURE

The Authority is currently comprised of a non-executive chair and five non-executive voting members.

As members are appointed by the Minister, the Chair wrote to the Minister in June 2022 to request he consider appointing Members for a four-year term of office. Given that Article 3(5) of the DPAJL 2018 also sets out the duration of the term of office of appointed Authority Members:

5 Each voting member is appointed for a term of 5 years or such shorter period as the Minister thinks fit in a particular case and is eligible for reappointment up to a maximum period of service of 9 years.

Since the Authority's inception, the Minister appointed Authority Members on a three-year term. To allow for maximum contribution and stability, a four-year term was deemed as more suitable, allowing sufficient time to deliver the best value, without risking a lack of diversity in thinking.

The Minister approved this request on 13 November 2023 in R.169 presented to the States Assembly. 2

The Authority meets at least four times per annum. The Authority operates sub-committees to ensure that relevant matters can be addressed fully, and recommendations taken back to the main Authority meetings.

[Organisational chart]

JDPA Chair & 5 Voting Members

*As from 29/10/24

Information Commissioner

Operations Director; Finance Director

People & Organisational Development Partner; Compliance & Enforcement Manager; External Legal Counsel

Community Engagement Lead; Communications & PR Lead; Operational Compliance & Policy Lead; Senior Caseworker; Accounts Technician

Office & Operations Coordinator / JDPA Secretary; Communications Officer; 6 x Caseworkers; Finance Assistant

Total current number Employees: 19 (18.6 FTE)

2 https://statesassembly.je/publications/assembly-reports/2023/r-169-2023


Authority Members

CHAIR OF THE AUTHORITY 28 OCTOBER 2024 - PRESENT

Elizabeth Denham CBE

TENURE

Elizabeth joined the Authority as of 1 May 2023 for a first term that is due to expire on 30 April 2027. Elizabeth applied for the position of Chair and following an open recruitment process, the Minister appointed Elizabeth as Chair. Elizabeth started her Chair appointment on 28 October 2024.

CHAIR OF THE AUTHORITY MAY 2018 - 28 OCTOBER 2024

Jacob Kohnstamm

TENURE

Jacob has been Chair of the Authority since May 2018. Jacob's term of office was extended by the Minister, for six-months, as his replacement was recruited. The handover took place at the 46th Global Privacy Assembly conference on 28 October 2024.

VOTING AUTHORITY MEMBER

Helen Hatton

TENURE

Helen joined the Authority on 1 August 2019 for a period of three years and was reappointed for a second term which is due to expire on 31 July 2025.


VOTING AUTHORITY MEMBER  

Paul Routier MBE

TENURE  

Paul joined the Authority on 1 August 2019 for a period of three years and was reappointed for a second term which is due to expire on 31 July 2025.

VOTING AUTHORITY MEMBER  

Stephen Bolinger  

TENURE  

Stephen joined the Authority on 1 May 2023 for a first term that is due to expire on 30 April 2027.

VOTING AUTHORITY MEMBER

Paul Breitbarth  

TENURE  

Paul joined the Authority as of 1 May 2023 for a first term that is due to expire on 30 April 2027.

VOTING AUTHORITY MEMBER

Gailina Liew  

TENURE  

Gailina joined the Authority in October 2018 for a period of three years and was reappointed for a second term which expired on 28 October 2024.

Further details regarding the Authority members' external appointments can be found at https://jerseyoic.org/team

Governance Report

The Authority is committed to ensuring a high standard of governance and all members are expected to conduct themselves in accordance with the Seven Principles of Public Life.

[Figure: Seven Principles of Public Life: Accountability, Openness, Selflessness, Honesty, Integrity, Leadership, Objectivity]

Authority Sub-Committees

AUDIT & RISK COMMITTEE - ARC

The voting members who comprise the ARC are:

Helen Hatton (Chair)

Paul Breitbarth joined ARC on the 12 July 2023 meeting date.

Christine Walwyn (Co-opted accountant, Non-voting)

The ARC's mandate is to advise and make recommendations to the Authority. The purpose of the ARC is to:

Assist the Authority in its oversight of the integrity of its financial reporting, including supporting the Authority in meeting its responsibilities regarding financial statements and the financial reporting systems and internal controls.

Monitor, on behalf of the Authority, the effectiveness and objectivity of external auditors.

Provide input to the Authority in its assessment of risks and determination of risk appetite as part of the overall setting of strategy.

Assist the Authority in its oversight of its risk management framework.

GOVERNANCE COMMITTEE

The voting members who comprise the Governance Committee are:

Gailina Liew (Chair)

Jacob Kohnstamm

Elizabeth Denham CBE joined at Governance Committee meeting on 29 June 2023.

Stephen Bolinger joined the Governance Committee at the meeting on 16 October 2024.

The membership of this Committee is currently under review as the JDPA heads into 2025.

The Governance Committee's mandate is to advise and make recommendations to the Authority. The purpose of the Governance Committee is to:

Keep the Authority's corporate governance arrangements under review and make appropriate recommendations to ensure that the Authority's arrangements are, where appropriate, consistent with best practice corporate governance standards.

Review the balance, structure and composition of the Authority and its committees. Its role also encompasses the selection and appointment of the Authority's senior executive officers and voting members of the Authority and giving full consideration to succession planning and the skills and expertise required to lead and manage the Authority in the future.

Evaluate the performance of Authority members on a regular basis as described more fully later in this report.

REMUNERATION & HUMAN RESOURCES COMMITTEE - R&HR

The voting members who comprise the R&HR Committee are:

Paul Routier MBE (Chair)

Jacob Kohnstamm

Stephen Bolinger joined R&HR on 3 November 2023 meeting date.

The R&HR Committee is mandated to advise and make recommendations to the Authority, with the purpose of:

Assisting the Authority in ensuring that the Authority and Executive retain an appropriate structure, size and balance of skills to support the organisation's strategic outcomes and values.

Assisting the Authority in meeting its responsibilities regarding the determination, implementation and oversight of remuneration arrangements to enable the recruitment, motivation and retention of employees generally.

Overseeing arrangements for appointments (including recruitment processes) and succession planning.

Assisting the Authority by reviewing and making recommendations in respect of the remuneration policies and framework for all staff.

Each Sub-Committee Chair reports back to the Authority, making recommendations for consideration.

The following table sets out the number of full Authority and Sub-Committee meetings held during 2024, and the number of meetings attended by each voting Authority member.


JDPA MEETINGS  Elizabeth Denham CBE  Jacob Kohnstamm  Helen Hatton  Gailina Liew  Paul Breitbarth  Paul Routier MBE  Stephen Bolinger  Christine Walwyn

1 March 2024     X

Via Video

27 March 2024 (Virtual Meeting)  X

29 May 2024   X

21 August 2024 (Hybrid Meeting)  Via Video  Via Video  Via Video  Via Video  X

28 October 2024   X

22 November 2024   X  Via Video  As an invited Guest only  X

AUDIT & RISK  Elizabeth Denham CBE  Jacob Kohnstamm  Helen Hatton  Gailina Liew  Paul Breitbarth  Paul Routier MBE  Stephen Bolinger  Christine Walwyn

14 February 2024 (Virtual Meeting)  X X X  Via Video  X X

27 March 2024  X X X  X X

Via Video

25 April 2024  X X X  X X

Via Video

29 July 2024  X X  X  X X  Via Video  Via Video  Via Video

23 October 2024  X X X X  X X  Via Video

GOVERNANCE  Elizabeth Denham CBE  Jacob Kohnstamm  Helen Hatton  Gailina Liew  Paul Breitbarth  Paul Routier MBE  Stephen Bolinger  Christine Walwyn

23 April 2024      X  X X X X

Via Video  Via Video  Via Video

16 October 2024   X X X X

REMUNERATION & HR  Elizabeth Denham CBE  Jacob Kohnstamm  Helen Hatton  Gailina Liew  Paul Breitbarth  Paul Routier MBE  Stephen Bolinger  Christine Walwyn

2 August 2024  X  X X X    X

Via Video  Via Video  Via Video

25 October 2024  X  X X X    X

Via Video  Via Video  Via Video

2024 AUTHORITY  MEMBERS REMUNERATION

The Authority Voting Members received, in aggregate, £84,582.06 in remuneration  in 2024. Further details regarding the Authority Voting Member remuneration can  be found on page 83.

JDPA PERFORMANCE EVALUATION AND RE-APPOINTMENTS

The Authority is committed to regularly evaluating and reporting on its governance and effectiveness. A key element of this process is the Independent External Review (IER) of the Authority, undertaken every three years to assess the Authority's overall performance.

The IER took place over a four-month period from January to April 2024. A local, specialist provider was engaged to support the Authority in assessing and measuring the overall effectiveness of its governance and culture.

The assessment utilised technology combined with expertise in people governance, to deliver a comprehensive and insightful evaluation. The process benefitted from the full cooperation of the Authority members and the JOIC, ensuring a collaborative and comprehensive review. The three main domains that made up the evaluation framework are:

Culture.

Decision-making.

Implementation.

A draft report was completed in April 2024 and its findings were reviewed and approved by the Authority. This thorough approach delivered valuable insights, essential to the Authority's commitment to continuous improvement. Under the leadership of the new JDPA Chair, the Authority plans to revisit and build on these findings in 2025 to strengthen governance, enhance organisational effectiveness, and drive progress towards its strategic outcomes.

JDPA PERFORMANCE EVALUATION

The Governance Committee has established a comprehensive performance evaluation process for the Authority, consisting of the following components:

ANNUAL PEER REVIEW

Each voting member conducts a peer review, assessing the performance of every other member. The focus is on evaluating performance against the key attributes expected of a board member.

ANNUAL SELF ASSESSMENT OF SKILLS

Individual voting members undertake an annual self-assessment, evaluating their competence across a broad spectrum of skills, knowledge, and experience essential for fulfilling the Authority's mandate.

INDEPENDENT EXTERNAL REVIEW

An independent external review of overall Authority effectiveness, to be conducted every three years.

DIVERSITY OF THE JDPA

At the end of 2024 the Authority comprised five members; 40% of JDPA members were female and 60% were male. Members range in age from early 40s to early 70s and represent five different nationalities. Authority members bring a diverse range of experience, formal education and professional qualifications, including expertise in data protection, law, governance, IT, business, education and teaching.

5 PRINCIPAL & EMERGING RISKS

The Authority's primary obligation is to fulfil statutory responsibilities as the independent body promoting respect for private lives. The Authority's strategic outcomes support us in the fulfilment of our mandate.

The strategic outcomes are subject to a number of risks and uncertainties that could, either individually or in combination, impact the operational performance of our team.

We identify and manage these and other risks through our risk management framework which is based on the Authority's low appetite for risk.

Risks are overseen by the Audit and Risk Committee, who monitor risk movements and mitigating actions and relevance to the strategic outcomes. We continue to monitor political and legislative developments and assess the opportunities and threats to enable us to regulate effectively. Risks are identified and scored against likelihood and consequence parameters to generate a risk matrix that is regularly monitored and used to guide the Authority's strategic thinking and actions.


The following table identifies the principal risks and mitigating actions. The risks are categorised into five main areas:

1 LEGAL & REGULATORY

2 OPERATIONAL

3 GOVERNANCE

4 STRATEGIC

5 POLITICAL


Summary of Principal Risks

RISK DESCRIPTION: Revenue. Economic uncertainty impacts on the number of entities trading in Jersey and registering with the Authority. Registration income is dependent on turnover and headcount of entities. Therefore, our registered entities may remain the same in number but represent less in revenue.

HOW WE MANAGE THE RISK: Monitor number of entities deregistering as the economy changes. Monitor the actual registered entity revenues. Monitor operational costs and revenues closely. Monitor entity numbers, liaise with Statistics Jersey for data analysis. Stakeholder relationships to gauge industry movements.

RISK DESCRIPTION: Interpretation of administered entities within the Data Protection (Registration and Charges) (Jersey) Regulations 2018.

HOW WE MANAGE THE RISK: Seeking changes to the Data Protection (Registration and Charges) (Jersey) Regulations 2018 to amend criteria for being classed as administered entity submitted to Government of Jersey for consideration in June 2021. Discussions remain on-going.

RISK DESCRIPTION: Any changes or absence of fee/grant monies from Government impacts on our ability to plan effectively and could impact on our ability to deliver our regulatory mandate.

HOW WE MANAGE THE RISK: Maintain liaison with Government to progress fee discussions to contribute financially to the provision of data protection regulation in Jersey.

RISK DESCRIPTION: A potential change in the AML Jersey legislation could mean a significant reduction of administered entities in Jersey.

HOW WE MANAGE THE RISK: Monitor with support from the Jersey Financial Services Commission and the Authority. MoneyVal report in the public domain and the findings were more positive than anticipated however we are monitoring the impact of the report, and this may result in changes to the volume of administered entities in Jersey.

RISK DESCRIPTION: Asset management, software and hardware security.

HOW WE MANAGE THE RISK: Achieving proportionate and relevant accredited security standards. Testing, maintenance, asset replacement, training. Undertake relevant testing and maintenance.

RISK DESCRIPTION: Talent Management, Retention and Succession Planning. Maintaining a capable and knowledgeable team. It is essential that the statutory functions of the Jersey Data Protection Authority are fulfilled to the highest standard to maintain credibility and trust.

HOW WE MANAGE THE RISK: Embedding succession planning throughout the organisation. Building skills and knowledge through personal and professional development. Aligning Human Resources strategy with our strategic outcomes. Striving for diversity and inclusion throughout our operational and HR activities. Align our training and development with our succession planning and performance management.

RISK DESCRIPTION: Training and Development: essential the JOIC maintains sufficient and progressive knowledge to avoid poor quality advice/regulation. Financial uncertainty limits budget and resources for training and development.

HOW WE MANAGE THE RISK: We have a constantly evolving learning and development programme. Ensure personal training plans are in place, manage expectations. Ensure job descriptions are up to date and understood. Implement a Competency framework to establish the core (general) competencies needed to succeed in each role. Align with talent and succession management, performance management (OBA) and career opportunities.

RISK DESCRIPTION: Cyber threat and Information Security. The Authority recognises that it is a target for cyber threats.

HOW WE MANAGE THE RISK: Critical applications are only accessible through secure portals requiring layered authentication. We undertake Disaster Recovery exercises to test systems. We employ industry best practices as a fundamental part of our cyber security policies, processes, software and hardware. Cyber awareness training is ongoing within our team.

RISK DESCRIPTION: Poor Stakeholder relations impacting on inclusion in projects and Island decisions.

HOW WE MANAGE THE RISK: Using Outcomes Based Accountability to engage key stakeholders and form like-minded partnerships. The heightened awareness of JDPA/JOIC due to GPA Conference and Enforcement is slightly mitigating this risk. Manage stakeholder communications and mapping plan and listen and measure feedback. Genuine engagement and relationships.

RISK DESCRIPTION: Authority Talent Management and Retention.

HOW WE MANAGE THE RISK: JDPA Succession planning and Authority recruitment plan for 2025 to be considered and agreed by the JDPA by end Q1 2025. JDPA effectiveness review (to be completed every 3 years) and internal skills review are well overdue. Maintain data protection expertise within the Authority. Maintain local members to provide for an understanding of unique local landscape in which JDPA operates.


RISK DESCRIPTION: Perception: industry and Government perception that our effectiveness as a regulator is based on our fining actions.

HOW WE MANAGE THE RISK: JOIC focus is on outcome-based regulation. Enforcing appropriate and proportional enforcement sanctions. Maintaining consistent and compliant investigation, inquiry, and audit processes. Publication of quarterly newsletters explaining enforcement. Increased prominence on website of decisions taken. Use Outcomes Based Accountability measures to report on enforcement activity.

RISK DESCRIPTION: Internal compliance: failing to comply with the Data Protection Authority (Jersey) Law 2018 in terms of case management, process and reasonableness of decisions made.

HOW WE MANAGE THE RISK: Understand our compliance obligations and what this looks like on a practical level. Monitor how we implement and sustain our obligations. Put in place effective and ongoing training, staff feedback, internal audits and reviews. Application of technology to help us achieve statutory deadlines. Ongoing.

RISK DESCRIPTION: JOIC Internal Compliance: how we operate and how we are looking after the team, due diligence etc. with regard to:

Employment (Jersey) Law 2003.

Discrimination (Jersey) Law 2013.

Data Protection (Jersey) Law 2018.

Freedom of Information (Jersey) Law 2011.

Data Protection Authority (Jersey) Law 2018.

Health and Safety at Work (Jersey) Law 1989.

HOW WE MANAGE THE RISK: Understand our compliance obligations and what this looks like on a practical level. Monitor how we implement and sustain our obligations. Put in place effective and ongoing:

Training.

Induction.

Recruitment.

Review of processes.

Staff feedback.

Internal Audits.


RISK DESCRIPTION: Hosting GPA International Conference in October 2024. Risks associated with the conference. Financial exposure. Reputational. Impact on mandated activities.

HOW WE MANAGE THE RISK: Detailed project management, including sponsorship and conference agenda to attract sufficient ticket sales. Ensure a resilient and relevant range of speakers and panellists. Monitor sponsorship monies/commitment carefully and share the financial risk with sponsors. Collaboration with the GPA. Managing local, national and international reputational risk.

RISK DESCRIPTION: Greater accessibility & availability of technology in all areas, impacts on ability to keep abreast of developing changes in personal data processing. Impact on detriment to the individual and reputation of JOIC.

HOW WE MANAGE THE RISK: Horizon Scanning. Stakeholder management.

RISK DESCRIPTION: Developing relevant management information on data protection trends. The absence of relevant and timely information impacts on service performance, informed decision making and relevant strategic outcomes.

HOW WE MANAGE THE RISK: Measuring the impacts of resources in relation to Business Plan and Statutory Obligations. Considering the most effective options for gathering information and tracking progress/improvement. Outcomes based accountability: who is better off? Horizon scanning. Creating baselines for most vital areas to track.

RISK DESCRIPTION: A potential lack of management information on data protection trends could impact decision making, planning and evaluating issues.

HOW WE MANAGE THE RISK: Constant horizon scanning. Consider most effective options for gathering information and tracking progress/improvement. Create baselines for most vital areas to track. Measuring impact of resources in relation to Business Plan and Statutory Obligations.


RISK DESCRIPTION: Failure to maintain Jersey Adequacy with the EU and UK.

HOW WE MANAGE THE RISK: Adequacy approved with the EU in 2024 and the UK in 2023. Adequacy reviews are an ongoing process and activities by both the Authority and Government need to be cognisant of this. Frequent reviews and provision of activity data.

RISK DESCRIPTION: Insufficient and/or unpredictable Government funding for Government data protection activities.

HOW WE MANAGE THE RISK: Protecting our independence as a key priority. Discussions have been ongoing since late 2020 to effect a change in the annual grant/fee Government contribution for data protection. Reviewing grant and working agreement.

RISK DESCRIPTION: The Value for Money Review being undertaken at the request of the GoJ to help inform them as to any financial commitments/grant/fee monies to the Authority. Review in Q1 2025.

HOW WE MANAGE THE RISK: JOIC & JDPA embracing the opportunity of the evaluation. Providing timely and relevant information. Facilitating the opportunity for the auditors to understand our work and mandate. Emerging outcomes based accountability framework can be used to explain JOIC purpose and approach to performance measurement.

RISK DESCRIPTION: Ministerial decisions and the Privacy/Data protection implications. Risks not evaluated and risk of impact on Data subjects.

HOW WE MANAGE THE RISK: Stakeholder management. Communication with Government.

RISK DESCRIPTION: Changes in personnel and availability of key personnel impacts our working relationship. Changes in key GoJ relationships, especially in either or both of the Policy Principal and Senior Policy roles. Such changes impact on relationship management and relevant knowledge.

HOW WE MANAGE THE RISK: Maintaining constructive dialogue with the Department of the Economy. Monitor relationship. Proactive approach to maintaining regular dialogue. We strive to maintain and monitor exchanges with the relevant parties. Maintain open and fair dialogue. Clarifying and recording decisions/requests. Working constructively with GoJ policy leads.

RISK DESCRIPTION: Political unrest and wars in Ukraine and Israel-Gaza. Risks: Cyber implications. Economic costs. Political instability and unpredictable landscapes.

HOW WE MANAGE THE RISK: Monitor and liaise with stakeholders. Horizon scanning.

RISK DESCRIPTION: The impacts of the new American Presidential administration on privacy frameworks and relevant bodies.

HOW WE MANAGE THE RISK: Horizon scanning. Collaboration.

6 PERFORMANCE REPORT

Anne King

OPERATIONS DIRECTOR

The JOIC's method for measuring and monitoring progress toward our strategic outcomes considers both the quantitative and qualitative effects of our service. We are not only concerned with the number of cases closed, audits undertaken, or campaigns run; we also strive to shift attitudes and behaviours towards our vision of a culture where privacy is instinctive and islanders are empowered to assert their rights. Our measurement model will aim to also find evidence of progress in these more nuanced areas and determine "is anyone better off?" as a result of our efforts.


We already include performance measures in many of our activities,  and we recognise we can expand our efforts further to include a  consistent approach across all areas of our service. The following  sections highlight our enforcement activities, case data, breach data,  outreach and engagement activities and most importantly the impacts  and effectiveness.  

The JOIC has adopted an Outcomes Based Regulation approach,  meaning that enforcement is not all about fines; it is a graduated series  of responses to engender a change in behaviour which better protects  the integrity of both data subjects and data controllers generating  compliance and, importantly, trust. Enforcement outcomes are lessons  learnt to be shared. Our Regulatory Action and Enforcement Policy  details our approach to proportionate enforcement.  

ENFORCEMENT BY THE AUTHORITY  

As per Part 4 of the Data Protection Authority (Jersey) Law 2018.

Complaints and Inquiries

Part 4 of the DPAJL 2018 sets out Enforcement by the Authority, detailing how we approach Complaints and Inquiries.

Upon receipt, each complaint and self-reported data breach is evaluated to determine whether or not to investigate or conduct an inquiry, as appropriate. The Authority undertakes this evaluation as soon as is practicable and in any event within eight weeks for complaints and as soon as possible for self-reported data breaches.

In the case of a complaint, once the initial evaluation has taken place the complainant is advised in writing whether or not a formal investigation will take place. The complainant has a 28-day window of appeal at this stage if the Authority decides it would not be appropriate to carry out a formal investigation and it may reject complaints if they fulfil certain criteria set out in the DPAJL 2018.

Once the investigation is underway we provide updates at least every 12 weeks. Any investigation must conclude whether the law has been contravened (Article 23 of the DPAJL 2018) and, if so, must decide whether or not to impose any formal sanction (although it does not have to do so). We will then notify the data controller or data processor of the proposed determination which sets out the findings and includes details of any sanctions it is minded to impose, and they are afforded 28 days to provide any representations on those draft findings and/or sanctions.

We must take into account any representations made before issuing our final determination which will be sent to the data controller or data processor and to the complainant. Both parties have a 28-day period to appeal that final determination to the Royal Court of Jersey but can only do so if our decision is considered unreasonable in the circumstances of the case.

The above process is almost identical in terms of an inquiry although such obviously does not involve a data subject in the same way.

As part of our formal investigation and inquiry process, we have the power to issue a formal Information Notice to compel the production of information and the recipient will usually have 28 days to respond.

In the majority of cases such correspondence is requested and responded to directly by email. This is generally quicker and more efficient as most controllers are willing to cooperate fully with the investigation. This often makes for a good relationship between our office and the organisation we are investigating.

We would make use of the more formal Information Notice where we were experiencing resistance from a controller to provide us with the information requested.


Authority Sanctions and Powers

The Authority's Regulatory Action and Enforcement Policy, introduced in 2020, is based on five key principles of enforcement, which supports the outcomes-based approach:

  1. PROPORTIONALITY
  2. TARGETED
  3. ACCOUNTABILITY
  4. CONSISTENCY
  5. TRANSPARENCY

This policy seeks to promote the best protection for personal data without compromising the ability of businesses to operate and innovate in the digital age. It helps to engender trust and build public confidence in how Jersey's public authorities manage personal data.

That said, we do not shy away from exercising our enforcement powers where warranted, or where the organisation at fault has demonstrated wilful neglect or a repeated pattern of behaviour.

AUTHORITY SANCTIONS

C. Warning

We may issue a Warning when the Authority considers that any intended processing or other act or omission is likely to contravene the DPJL 2018. A Warning is designed to avoid such a contravention. We have not had occasion to issue any Warnings.

D. Order

The Authority can make a variety of Orders, but we make sure these are proportionate to the actual contravention and actually address and remediate the issues identified.

7 ENFORCEMENT & COMPLIANCE

Stephanie MacNeill

COMPLIANCE & ENFORCEMENT MANAGER

Data protection holds organisations entrusted with personal data accountable, setting

Personal data is at the very heart of most organisations. Data protection legislation is in place to help ensure that all of us are provided with appropriate legal protections and remedies in today's highly digitised world.

The DPJL 2018 applies to personal data meaning any information relating to an identifiable, natural, living person who can be directly or indirectly identified in particular by reference to an identifier. The definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

Investigation Process

Each complaint and self-reported data breach (SRDB) is evaluated using a standard framework as set out in Part 4 of the DPAJL 2018. The JOIC undertakes this evaluation as soon as is practicable and in any event within eight weeks for complaints and as soon as possible for self-reported data breaches.

In the case of a complaint, once the initial evaluation has taken place the complainant is advised in writing whether or not a formal investigation will take place. The complainant has a 28-day window of appeal, if the JOIC decides it would not be appropriate to carry out a formal investigation or the complaint is rejected on the grounds it does not fulfil certain criteria set out in the Law.

Once the investigation is underway the JOIC provide updates at least every 12 weeks.

As part of our investigation process and powers

Therefore, we tend to use the Information Notice for the more complex/serious cases or where there is reluctance from a data controller to engage with us at an early stage.

The investigation must conclude whether the Law has been contravened (Article 23 of the DPAJL 2018) and, if so, must decide whether or not to impose any formal sanction (although it does not have to do so). The JOIC will then notify the data controller or data processor of the proposed determination which sets out the findings and includes details of any sanctions it is minded to impose, and they are afforded 28-days to provide any representations on those draft findings and/or sanctions.

The JOIC must take into account any representations made before issuing its final determination which will be sent to the data controller or data processor


As part of our formal investigation and Inquiry process, we have the power to issue a formal information notice to compel the production of information and the recipient will usually have 28 days to respond.

(The above process is almost identical in terms of an Inquiry although an inquiry does not involve a data subject in the same way. The Authority may conduct an inquiry on its own initiative into the application of the Data Protection Law as per Part 4, Article 21 of the DPAJL 2018.) 4

In the majority of cases such correspondence is requested and responded to directly by email. This is generally quicker and more efficient as most controllers are willing to cooperate fully with the investigation. This often makes for a good relationship between JOIC and the organisation we are investigating.

We would make use of the more formal information notice where we were experiencing resistance from a controller to provide us with the information requested.

Schedule 4 of the DPAJL 2018 details the process of enforcement by the Authority in the event it receives a complaint (which can lead to a formal investigation) or conducts an inquiry.

The Authority receives a broad range of contacts. We classify them into the following categories:

Enquiries. These range from simple questions regarding our location and career opportunities to the more complex questions around guidance matters. In 2024 we responded to 83 general enquiries.

Complaints. Complaints are received from individuals concerned about the use of their personal data, non-response to a subject access request or other rights which have not been fulfilled.

Self-Reported Data Breaches. Under the DPJL, data controllers are required to report certain breaches to the JOIC within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a risk to the rights and freedoms of the individual.

184 Self-Reported Data Breaches: Total Number reported in 2024

34% of our complaints caseload were about Public Authorities

4 https://www.jerseylaw.je/laws/enacted/Pages/L-04-2018.aspx.


NUMBER OF COMPLAINTS AND SELF REPORTED DATA BREACHES PER SECTOR 2024

| Sector | Registrations (Count) | Registrations (%) | Amicable Resolutions (Count) | Amicable Resolutions (%) | Complaints (Count) | Complaints (%) | SRDBs (Count) | SRDBs (%) |
|---|---|---|---|---|---|---|---|---|
| Agriculture and Fishing | 96 | 1% | 0 | 0% | 1 | 1% | 0 | 0% |
| Animal Husbandry and Welfare | 64 | 1% | 0 | 0% | 0 | 0% | 2 | 1% |
| Charities | 302 | 4% | 1 | 5% | 3 | 4% | 16 | 9% |
| Construction, Trades and Services | 786 | 10% | 0 | 0% | 2 | 2% | 9 | 5% |
| Education and Childcare | 234 | 3% | 1 | 5% | 1 | 1% | 8 | 4% |
| Faith, Worship and Religion | 46 | 1% | 0 | 0% | 0 | 0% | 0 | 0% |
| Financial and Professional Services | 1995 | 26% | 3 | 14% | 6 | 7% | 53 | 29% |
| Health and Wellbeing | 600 | 8% | 1 | 5% | 8 | 10% | 33 | 18% |
| Legal Services | 119 | 2% | 1 | 5% | 6 | 7% | 8 | 4% |
| Leisure and Fitness/Hospitality/Tourism/Travel/Entertainment | 599 | 8% | 1 | 5% | 3 | 4% | 5 | 3% |
| Manufacturing, Wholesale and Retail | 461 | 6% | 1 | 5% | 3 | 4% | 3 | 2% |
| Media, Communication and Advertising | 166 | 2% | 1 | 5% | 0 | 0% | 0 | 0% |
| Professional Bodies/Professional Associations/Professional Consultancy | 330 | 4% | 1 | 5% | 4 | 5% | 6 | 3% |
| Public Authority/Sector, Appointed Regulators and Statutory Bodies | 120 | 2% | 6 | 27% | 28 | 34% | 23 | 13% |
| Real Estate and Property Management | 1161 | 15% | 0 | 0% | 2 | 2% | 5 | 3% |
| Social Clubs and Associations | 292 | 4% | 0 | 0% | 0 | 0% | 0 | 0% |
| Technology and Telecommunications | 240 | 3% | 0 | 0% | 1 | 1% | 2 | 1% |
| Utilities and Delivery Services | 86 | 1% | 1 | 5% | 3 | 4% | 10 | 5% |
| No organisation type (domestic CCTV for complaints or not completed correctly) | 0 | 0% | 4 | 18% | 11 | 13% | 1 | 1% |
| TOTAL | 7697 | 100 | 22 | 100 | 82 | 100 | 184 | 100 |

The large employer and data users namely Public Authorities attract the highest number of complaints and based on proportionality this is not unreasonable, representing 34% of our complaints.

Health and Wellbeing is being carefully monitored as the complaints have doubled in number from 2023.

Since the introduction of the DPJL 2018, the number of complaints has fluctuated year on year, with the self-reported data breaches averaging 210 per annum.

 

 

 

 

 

2018: -

2019: 145, -, 256

2020: 140, -, 229

2021: 90, -, 232

2022: 58, 25, 188

2023: 81, 15, 215

2024: 86, 22, 184

Throughout 2024 the Amicable Resolution process has remained a positive option for matters to be resolved amicably between the individual (the complainant) and the data controller. 50% of Amicable Resolution matters were successfully completed.

Complaints generally relate to a mix of topics but predominantly focus on right of access requests, and unauthorised disclosure of personal data.

2024  TOTAL

Uncategorised at time of submission  16 20 5 3 3 47

I asked for access to/copies of my personal information and I've not received it/they have withheld it from me  33 18 16 30 27 124

Direct marketing  2 5 1 11

I asked for my information to be rectified/erased/sent to another controller and my request has been refused  7 9

I don't think my personal data is being/has been kept safe  37 13 5 5 12 72

My information has been shared and it shouldn't have been  30 22 18 21 22 113

Other  - - 4 1 3 8

Someone has collected my personal data, but I didn't give it to them  13 9 2 3 5 32

TOTAL  137 90 56 72 82 437


subjects, failing to respond to requests or declining to share certain aspects of information expected by the applicant.

The complaints received regarding sharing personal data are mostly due to employers over-sharing information, the blind copy function not being used when sending group emails, information being shared without a basis between controllers and ex-employees using personal data without authorisation.

Following the structured investigations, the Authority issued a blend of Orders, Reprimands and Words of Advice. We monitor the implementation of the Orders to ensure the Data Controller/Processor responds appropriately to the correct standard and within a defined time frame. Depending on the complexity of the Orders, the implementation process can take several months.

OF THE COMPLAINTS CLOSED IN 2024

31% were investigated and a breach determination made.

4% were investigated and resulted in a no breach determination

47% were not investigated, as per Part 4, Art. 20(2) of the DPAJL 2018, sets out the basis upon which we investigate or reject the complaint

17% were withdrawn

ACTION WE'VE TAKEN

The complaints we have investigated have resulted in a number of sanctions issued, including Reprimands and Orders. Also in 2024 the Authority were requested to consider issuing administrative fines to two data controllers.

The Orders covered a range of topics from role specific training, software training, redaction training, lawful basis of data sharing, implementation of policies, data migration, registering with the Authority, and conducting new searches of systems when managing a data subject access request.

Keeping a controller under effective supervision for a period of time whilst they update data protection policies, procedures and IT systems and requiring an update report at the end of that period. For example, retention schedule, privacy policy and breach log.

Directing that a controller should respond to a previously unanswered subject access request or any other data subject right under the DPJL 2018

Data Protection Governance

Risk: Without a robust governance process for evaluating the effectiveness of data protection policies and procedures there is a risk that personal data may not be processed in compliance with the DPJL 2018 resulting in regulatory action against, and/or reputational damage to, the organisation, and damage and distress to individuals.

Training and Awareness

Risk: If staff do not receive appropriate data protection training, in accordance with their role, there is a risk that personal data will not be processed in accordance with the DPJL 2018 resulting in regulatory action against, and/or reputational damage to, the organisation, and damage and distress to individuals.

Security of Personal Data

Risk: Without robust controls to ensure that personal data records are held securely in compliance with the DPJL 2018, there is a risk that they may be lost or used inappropriately, resulting in regulatory action against, and/or reputational damage to, the organisation, and damage and distress to individuals.

Records Management

Risk: In the absence of appropriate records management processes, there is a risk that records may not be processed in compliance with the DPJL 2018 resulting in regulatory action against, and/or reputational damage to, the organisation, and damage and distress to individuals.

Data Subject Access Requests Responses

Risk: Without appropriate procedures there is a risk that personal data is not processed in accordance with the rights of the individual and in breach of Art.8(f) of the DPJL 2018. This may result in damage and/or distress for the individual, and reputational damage for the organisation as a consequence of this and any regulatory action.

The Authority were requested to consider issuing administrative fines to two data controllers in late 2024. The issuing of an administrative fine by the Authority will be dependent upon a number of factors.

The nature, gravity and duration of the failure

The intentional character of the failure or the extent of negligence involved

Any action taken by the controller or processor to mitigate the damage or distress suffered by the data subjects

The degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by the controller or processor in accordance with Articles 8, 14, 15, 21 and 22 of the DPJL

Any relevant previous failures by the controller or processor

The degree of co-operation with the JOIC, in order to remedy the failure and mitigate the possible adverse risks of the failure

The categories of personal data affected by the failure

The manner in which the infringement became known to the JOIC, including whether, and if so to what extent, the controller or processor notified the JOIC of the failure

The extent to which the controller or processor has complied with previous notices, determinations, recommendations or orders

Adherence to any applicable approved codes of conduct or certification mechanisms

Any other aggravating or mitigating factor applicable to the case, including financial benefits gained, or losses avoided, as a result of the failure (whether directly or indirectly)

Whether the penalty would be effective, proportionate and dissuasive.

Considering the above criteria, the Authority noted that in both cases the aggravating factors warranted the issuing of a fine as set out in the Regulatory Action and Enforcement Policy.

In one case the controller was aggressive and brash in their actions and behaviour, the Authority noted the duration of the contravention and evaluated the harms/impacts caused on the complainant over the course of the complaint. In the other case there was improper disclosure for the second time in a matter of months combined with a threat to further publish the personal data concerned and linked with the controller's dismissive nature the Authority felt that a relevant/proportionate penalty should be awarded.

The current approach to determining the amount of the administrative fine is set out in the Authority's Regulatory Action and Enforcement Policy.


THE TRUE IMPACTS OF POOR DATA PROTECTION PRACTICES ARE BEST ILLUSTRATED IN THE FOLLOWING CASES.

The precis of some investigation and enforcement actions highlight the reality of the mis-handling of personal data and the potential impact on the data subjects and the data controllers. These cases bring to life the reality of our mandate, powers and remedies.

A COMPLAINT REGARDING A SUBJECT ACCESS REQUEST AND CONFUSION OVER A THIRD PARTY CONTRACT

An individual submitted a subject access request. The recipient organisation would not provide the personal data stating they did not hold it. They claimed that a third party, which they contracted as their DPO, held the information. Our investigation revealed that there were complexities surrounding the working relationship and in particular the contract in place between the organisation and the third party. Both parties held copies of the data requested at various stages during its processing. The recipient organisation could not get to grips with the data processing responsibilities between them and their third party DPO service. This complexity and lack of clarity prolonged the investigation and made it difficult to pinpoint the controller of the personal data which had been requested.

The Regulatory Framework

The right of access, more commonly referred to as subject access or a subject access request, is created by Art.28 of the DPJL18. It is most often used by individuals who want to see what information an organisation holds about them. An individual who makes a written request is also entitled to be:

told whether their personal data is being processed by the organisation.

given a description of the personal data, the reasons it is being processed, how long it will be kept for and whether it will be given to any other third parties, including those located in a third country.

given the details of the source of the data (where available).

SUMMARY OF FINDINGS, CONTRAVENTIONS AND ORDERS

FINDINGS

FINDING 1

REPRIMAND ISSUED

Contravention of Art.27(1) of the DPJL 2018

FINDING 2

Contravention of Art.28(1) of the DPJL 2018


ORDERS

ORDER 1  

The controller was ordered to provide specific details regarding the improvements that were to be made  following an internal structural framework review; and timeframes for these improvements.  

ORDER 2  

Confirmation of the controller and third-party contractor was ordered to be provided. This was to  include the data protection aspects of the contract and any instruction relating to the DPO provision  from the controller to the third party.  

FORMAL WORDS OF ADVICE & GUIDANCE

The controller was reminded of their obligation to cooperate with the Authority during an investigation, as per Art.6(i) of the DPJL 2018. During the investigation, the Authority:

  1. Experienced significant delays in the controller's engagement with the Authority, and
  2. Noticed a lack of clarity and transparency in the way in which the controller responded to both the Authority and the Complainant.

The Authority noted that this should have been a relatively straightforward complaint for the controller to deal with, however, the points raised above made the investigation more difficult than it needed to be, for all involved.

A SELF REPORTED DATA BREACH THAT LED TO AN INQUIRY

An employee of an organisation in the health and well-being sector carelessly caused unauthorised disclosure of an individual's information and submitted a self-reported data breach (SRDB) to notify us of the unauthorised disclosure that occurred. We dealt with the SRDB to ensure they took appropriate actions in relation to mitigating further risk, including consideration of whether to inform affected data subject and dealt with the employee who caused breach appropriately.

Based on our findings following a review of the SRDB, which included seeking clarification on basic data protection obligations and regime, it transpired that the controller did not have adequate data protection policies, procedures, and training in place, nor were they registered with our office. We therefore launched a formal Inquiry to investigate these other areas of non-compliance which had arisen during course of the SRDB. The formal Inquiry also tackled the lack of engagement and time taken to get back to us during the SRDB process. We held a face-to-face meeting which was useful as this provided the opportunity for them to explain that they did not have a great deal of data protection experience or knowledge, plus other difficulties they were facing with some business changes. It was still a challenging Inquiry at times however, with persistence and the help of an external DPO service (who they chose to hire), satisfactory compliance was achieved.

The Regulatory Framework

A personal data breach is defined in Art.1 of the DPJL 18 as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed". Under Art.20(1) of the DPJL 18, controllers have a specific obligation to notify the Commissioner that a personal data breach (a breach) has occurred without undue delay and at the latest, within 72 hours of becoming aware, "unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons". If full details are not available at the time of notification, further details should be provided as soon as possible. Where the breach is likely to result in a high risk to the rights and freedoms of the individuals affected, the controller is also required to notify them without undue delay. Controllers are required to keep a log of those breaches. It is important for organisations to consider the types of personal data they use and how any breach could adversely affect individuals, for example by causing financial loss, reputational damage or identity fraud.

OUTCOME

Although the formal Inquiry did not result in a formal determination, we worked very closely with the controller to ensure that they had implemented a satisfactory level of data protection technical and organisational measures. This included registering with our office, creating appropriate policies and procedures such as a privacy policy, a data breach log and a retention schedule. The controller also ensured that all employees undertook adequate data protection training that was suitable and relevant for their roles and responsibilities within the organisation.

Once we began working closely with the controller, they understood their obligations and took them seriously. They had learnt a valuable lesson following the SRDB and wanted to ensure satisfactory compliance, so also decided to take on the assistance of a third-party data protection consultant to ensure their duties were fulfilled in line with the Authority's expectations.


A COMPLAINT REGARDING THE MISUSE OF PERSONAL DATA AND THE PROCESSING OF IT ON SOCIAL MEDIA

An individual complained to the Authority that a small trades and services organisation had disclosed their personal data on social media. The individual had asked the organisation to remove the information/post, but they were not co-operating and raised a concern with us as a "complaint". This resulted in a formal investigation during which it quickly came to light that the organisation did not have adequate measures of data protection in place.

The Regulatory Framework

Art. 6(1)(a) of the DPJL 2018 confirms that a controller is responsible for and must be able to demonstrate compliance with the data protection principles. The data protection principles detailed in Art.8 of the DPJL 2018 relevant to this particular matter included the following:

(a) which requires that a controller only process personal data where they have a lawful basis to do so, it is fair for them to do so and they do so in a transparent manner, i.e. with a privacy policy detailing the required information. This is known as the lawfulness, fairness and transparency principle.

(b) which details that a controller should only collect and use personal data for a specific, explicit and legitimate purpose and should not further use that personal data for a purpose that is not compatible with the original purpose for which it was collected. This is known as the purpose limitation principle.

(f) which requires that an organisation has appropriate technical and organisational measures to ensure that all personal data is handled in a manner that keeps it secure and protected from unauthorised or unlawful use and accidental loss, destruction or damage. This is known as the integrity and confidentiality principle.

SUMMARY OF FINDINGS, CONTRAVENTIONS AND ORDERS

FINDING 1

Contravention of Art.6(1)(a) of the DPJL 2018

FINDING 2

Contravention of Art.8(1)(a)(b) and (f) of the DPJL 2018

FINDING 3

Contravention of Art.9(1) of the DPJL 2018


ORDERS

ORDER 1

The Controller will take steps to review its policies and procedures regarding its obligations as a controller under the Data Protection (Jersey) Law 2018.

ORDER 2

The Controller will ensure that all staff are aware of their obligations under the Data Protection (Jersey) Law 2018 and have a sufficient understanding to fulfil their responsibilities. Therefore, the Authority requests that all staff will receive a level of data protection training that is appropriate for the role they are carrying out.

We did not issue any Words of Advice or a Reprimand on this occasion as it was the first time the controller had any interaction with our office. We had a lot of difficulty getting the controller to engage at first and we had to work very closely with them by having regular meetings, until they had completed all of the orders. It became evident that the lack of initial engagement was due to feeling very overwhelmed and out of their depth.

After working closely with the controller to ensure they better understood their obligations and practical measures to help with compliance, they recognised the importance of data protection and the importance of correctly handling personal data.

Breach Reporting

Under the DPJL 2018 in the case of a personal data breach, the controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach in writing to the Authority (Article 20). In relation to breaches we also have an obligation under Art.11(1)(e) of the DPAJL 2018 to "promote the awareness of controllers and processors of their obligations under this Law and the Data Protection Law".

2024 SRDB CASES OPENED BY ORGANISATION TYPE

| Organisation type | Cases opened |
|---|---|
| Agriculture & Fishing | 0 |
| Animal Husbandry & Welfare | 2 |
| Charities | |
| Construction, Trades & Services | 9 |
| Education & Childcare | 8 |
| Faith, Worship & Religion | 0 |
| Financial & Professional Services | 53 |
| Health & Wellbeing | 33 |
| Legal Services | 8 |
| Leisure & Fitness / Hospitality / Tourism / Travel / Entertainment | 5 |
| Manufacturing, Wholesale & Retail | 3 |
| Media, Communication & Advertising | 0 |
| Professional Bodies / Professional Associations / Professional Consultancy | 6 |
| Public Authority / Sector, Appointed Regulators & Statutory Bodies | 23 |
| Real Estate & Property Management | 5 |
| Social Clubs & Associations | 0 |
| Technology & Telecommunications | 2 |
| Utilities & Delivery Services | 10 |
| No organisation type | 1 |
| Total | 184 |

184 CASES OPENED

The chart above highlights that 29% of the breaches reported to us were from the financial and professional services sector. It should be noted that this sector has a culture of reporting and monitoring breaches throughout their activities.

Due to the severity, nature of the data (for example, special category data) and the possibility of repeat breaches following the submission of a self-reported breach, we may open a formal Inquiry. Two Inquiries were commenced following the submission of self-reported data breaches in 2024, the entities involved were from leisure and fitness and public authority.

As previously noted, we take every opportunity to educate and support any organisation reporting a breach. Breaches can be traumatic for organisations to manage and can carry serious reputational damage for businesses. The JOIC team works sympathetically, yet professionally, when responding to breach reports, that said we are not shy in holding organisations to account if they fail to mitigate a breach and reappear with a similar breach.

Most reported breaches do not warrant the conducting of a formal regulatory response and/or the imposition of a formal sanction. However, the Authority may impose an Administrative Fine in a case of deliberate, wilful, negligent, repeated or particularly harmful non-compliance. It is important to note that failing to report a breach, where required, could result in a severe penalty.

29% Breaches from Financial & Professionals Sector


SELF REPORTED DATA BREACHES OPENED FOR 2024, BY BREACH TYPE

| Breach type | 2024 |
|---|---|
| Alteration | |
| Destruction | 1 |
| Lack of Availability / Access | 2 |
| Loss | 2 |
| Unauthorised Access | 62 |
| Unauthorised Disclosure | 116 |
| Total | 184 |

SPECIFICALLY

116 Self-reported data breaches were due to unauthorised disclosure (emails sent and received in error) but in all circumstances, the breaches were appropriately mitigated, presenting no risk to the data subject.

62 Self-reported data breaches involved a number of different issues including malware, phishing attacks, lost data and other processes leading to breaches. In all circumstances, the breaches were appropriately mitigated, presenting no risk to the data subject.

Enforcement Audits

Enforcement audits contribute to our Strategic Outcome - "Achieving and maintaining the highest standard of data protection in Jersey". The primary purpose of an enforcement audit is to provide the Authority with an insight into the extent to which the audited entities are complying with the particular areas audited and highlight any deficient areas in their compliance.

We will be executing risk-based enforcement audits, commencing with a virtual desk-top approach and if necessary, developing into a face-to-face audit. We will also be undertaking remedial audits to track progress and the effectiveness of implementing the recommendations.


Article 22(7) of the DPAJL 2018 details our power to conduct or require data protection audits

(1) The Authority may
    (a) conduct a data protection audit of any part of the operations of the controller or processor; or
    (b) require the controller or processor to appoint a person approved by the Authority to
        (i) conduct a data protection audit of any part of the operations of the controller or processor, and
        (ii) report the findings of the audit to the Authority.
(2) The Authority must specify the terms of reference of any audit carried out under sub-paragraph (1).
(3) The controller or processor concerned must pay for an audit required under sub-paragraph (1)(b).

In 2024 we undertook 54 virtual compliance audits, conducted across two different sectors both of which process significant amounts of special category data. Complaints have been submitted to us in relation to one of the sectors regarding personal data security/unlawful sharing. Whistleblowers raised concerns over the absence of data protection registrations in the other sector.

The lessons learned and key findings from the virtual audits will be published early in 2025.

The full audit, which began in 2023, was completed in 2024 and the lessons learned published on our website. The full audit focused on one important local Public Sector data controller which processes significant volumes of personal data. The scope of the audit focussed on the risk of non-compliance with applicable data protection principles, with specific reference to two key areas.

  1. Training and awareness: The provision and monitoring of staff data protection training and the awareness of data protection requirements relating to their roles and responsibilities; and
  2. Security of personal data: The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form.

We consider that it is important to highlight areas of good practice in industry, as well as areas for improvement and to explain what remedial action was required, and why. We identified strengths in the controller's breach management procedures, with the majority of employees stating they were able to identify a data protection breach and felt comfortable reporting breaches.

A number of deficiencies in systems and controls were identified, however, which if left unremedied, would have likely resulted in further enforcement activities taking place, as such will expose the controller to risk in terms of the potential exposure of the personal data handled by them (which could, in turn, impact on affected data subjects).

Organisations must have in place robust controls, policies, procedures, technology, and provide appropriate training to ensure the safety of individuals' data and mitigate potential risks and we publish lessons learned so industry can learn from the audit outcomes.

The audits, complaints and self-reported data breaches appear to have common threads evident in each outcome or breach.

Lack of relevant data protection training and refreshers.

Effective, proportionate, implemented and communicated data protection policies and procedures.

Personal data security - including access and visibility.

Organisations should be getting the basics right to avoid breaches which can cause distress and harm to individuals and reputational damage.

Data Protection Registrations

The number of entities registered with the Authority for the purpose of processing personal data increased by 4.5%, from 7,366 in 2023 to 7,697 in 2024. This growth is net of de-registrations, as organisations cease trading, in total we had 297 de-registrations in 2024. This figure was slightly down on de-registrations for 2023 which stood at 330.

The economic climate, business confidence and disposable income all impact on our registration income as businesses start-up, thrive and grow. As productivity and the economy shrinks so do the number and size of entities registering for the purpose of processing personal data.

| Organisation type | Registrations |
|---|---|
| Agriculture & Fishing | |
| Animal Husbandry & Welfare | |
| Charities | |
| Construction, Trades & Services | 786 |
| Education & Childcare | 234 |
| Faith, Worship & Religion | 46 |
| Financial & Professional Services | 1995 |
| Health & Wellbeing | 600 |
| Legal Services | 119 |
| Leisure & Fitness / Hospitality / Tourism / Travel / Entertainment | 599 |
| Manufacturing, Wholesale & Retail | 461 |
| Media, Communication & Advertising | 166 |
| Professional Bodies / Professional Associations / Professional Consultancy | 330 |
| Public Authority / Sector, Appointed Regulators & Statutory Bodies | 120 |
| Real Estate & Property Management | 1161 |
| Social Clubs & Associations | 292 |
| Technology & Telecommunications | 240 |
| Utilities & Delivery Services | 86 |
| Total | 7697 |

7697 TOTAL REGISTRATIONS

8

COMMUNICATIONS, ENGAGEMENT & OUTREACH

Sarah Moorhouse

COMMUNICATIONS AND PR LEAD

Susan Fernandes

COMMUNITY ENGAGEMENT LEAD


Industry Engagement

Part 2 Article 11e of the Authority Law states one of the functions of the Jersey Data Protection Authority is to "promote the awareness of controllers and processors of their obligations under this Law and the Data Protection Law".

Our industry engagement activity for 2024, aligned with our strategic outcome to achieve and maintain the highest standard of data protection in Jersey, was to connect with organisations of all sizes to raise awareness of their obligations and how they are embedding data protection policies and procedures within their organisations, to drive a culture whereby privacy feels instinctive for all.

99% Of individuals representing a controller/processor reported their knowledge of data protection obligations improved following participation in a JOIC outreach session.

Our programme aimed to enhance organisations' awareness to meet their obligations by:

Helping participants gain a clear understanding of the role of our office.

Helping participants to understand about their obligations under the Data Protection (Jersey) Law 2018 and how they can support those with data protection responsibilities.

Increasing knowledge of data protection and promoting good data protection practices.

Providing relevant practical information, actionable insights, to help participants confidently perform their role.

Our events programme for 2024 began with an opportunity for organisations to hear directly from the Information Commissioner regarding our mandate and regulatory and enforcement philosophy, which set the scene for our further guidance sessions throughout the year.

"All the information I was given has been useful and helpful." Event Attendee

Our Let's Go DPO network, a forum which provides Data Protection Officers and those that lead on data protection in Jersey the opportunity to explore common scenarios with industry peers, tackled key challenges industry were telling us about. These interactive sessions also gave attendees the chance to gain direct updates and feedback from our senior leadership team, including our Operations Director and Compliance and Enforcement Manager.

Interactive workshops explored:

JOIC's enforcement activity and Data Protection Compliance Audit Programme.

Myth busting about local data protection law and application.

Subject Access Request handling.

The Dos and Don'ts of Employee Surveillance.

Let's Go DPO continues to be popular, with those that attend reporting they appreciate the opportunity to explore common data protection themes and network whilst gaining support, insight and guidance from our office. Of those that completed our post Let's Go DPO event feedback surveys, 98.5% said the session would benefit them personally and/or professionally. For 2025, we are seeking to significantly increase membership and attendance at these sessions and link the topics to our thematic enforcement areas.

Our Board Support Squad initiative continues to be well received by the Island's senior leaders. The programme gives board level teams the opportunity to work with us to stress test their data protection practices in a safe space, whilst embedding positive and impactful data protection cultures and behaviours within their organisation.

Support for Less than 10s

Our Excelling in Regulation cornerstone demonstrates our commitment to maintaining strong data protection standards for the Island's economic growth and we lead by example in compliance and enforcement to ensure others understand and act on their data protection obligations. The Jersey economy is comprised of over 89% of businesses with less than 10 employees. Given the economic landscape, business profile and benefit to our Island community, we recognised we needed to engage with smaller sized organisations to improve data protection compliance and understanding, with the aim of:

Engendering a greater understanding of the data protection law and the obligations of organisations with less than 10 employees

Increasing compliance via awareness of registrations obligations.

Our interventions and engagements led to a 6.25% increase in the number of registered small businesses during 2024.

[Chart: SUPPORT FOR LESS THAN 10S, 2021 to 2024; series LESS THAN 10 EMPLOYEES and LINEAR (LESS THAN 10 EMPLOYEES); data labels 5830, 5490, 5088, 4884.]

Pictured: During 2024, we recorded a rise in registration and engagement with our office from the small business community.

We recognised there is a need to raise awareness of data protection obligations among organisations with less than 10 employees in the Health and Wellbeing, Trades and Construction and Retail sectors.

To raise awareness, in line with our business plan deliverables, we delivered a mix of face-to-face sessions, drop-in clinics, radio advertising and social media communications.

"Thank you for a really informative session. I now feel more confident about my data protection obligations." Event Attendee

FOCUS GROUPS

To gain a deeper understanding of the needs and opinions of organisations with less than 10 employees, we undertook moderated focus groups. Outcomes from those focus groups included:

Increasing the frequency of our information sessions.

Using more accessible language and avoiding technical jargon in our communications.

Raising awareness of our physical location and contact details.

JERSEY OPINIONS AND LIFESTYLE SURVEY

To further gauge an understanding of attitudes towards privacy and data protection among our community, during 2024, we submitted questions to the Government of Jersey for inclusion in their Jersey Opinions and Lifestyle Survey⁵ (JOLS).

Issued annually, the survey seeks to explore the experiences and opinions of Islanders to help inform Government policy by gathering views on a wide range of social issues.

More than 3,500 households were selected at random to statistically represent islanders. We are able to glean extremely helpful insights from our questions.

[Infographic: the figures 98%, 80%, 64% and 71% appear alongside survey statements; the pairing of figure to statement is not recoverable. Legible statements: "Respondents are very or quite concerned about the security of their personal data when making transactions online." and "Respondents agree they felt pressure to share more personal data than they were comfortable with when signing up to an app or service." Two further statements are only partly legible, one referring to "strong privacy measures to protect" and the other to "such as at a checkout counter, on the phone or on a website".]

From this survey and our own research, we will continue with the outreach programme, to raise awareness to empower islanders to make informed decisions regarding their personal data to help protect the community, privacy becoming instinctive and Jersey is a good place to do business. The results are shaping the 2025 communications plan, deliverables and activities.

We are collaborating with the Government of Jersey Statistics Unit and we have formulated privacy focussed questions to be incorporated in future JOLS survey so as to measure privacy at the population level as part of the broader Island Indicators. We hope to rerun the 2023 privacy JOLS question in due course to help measure the impacts of outreach from us and other partners.

COLLABORATION AND PARTNERSHIPS

We continually collaborate with other local stakeholders, and this continued throughout 2024 to help us cascade and amplify our key messages.

We liaise and work with Jersey Business and Jersey Chamber of Commerce, as well as industry bodies and associations, to help us communicate with a broad range of data controllers/processors. Including the Construction Council, Association of Jersey Charities, Genuine Jersey and Customer and Local Services business hub.

We also partner with and supported Jersey Cyber Security Centre as an advisory panel member for a series of incident response exercises specifically tailored for small businesses, charities and the finance and hospitality sector.

5 Jersey Opinions and Lifestyle Survey (JOLS) - https://www.gov.je/StatisticsPerformance/StatisticsCommunityPeople/pages/socialstatistics.aspx

Outreach and Education

Part 2 Article 11 (d) of the Authority law states one of the functions of the Jersey Data Protection Authority is to "promote public awareness, risks, rules, safeguards and rights in relation to processing especially in relation to children".

In line with our strategic outcome to protect our future generations by putting children and young people first the learning outcomes of our young persons programme for 2024, were as follows.

To raise awareness of our role and obligations and how they can support individuals in protecting their personal data and privacy rights.

To raise individuals' awareness of their privacy rights.

To increase knowledge of key privacy issues and promote good privacy behaviours for privacy to become instinctive.

To provide practical, actionable insights to help individuals confidently protect their personal data.

IN 2024:

We engaged with 26% of the total population of Jersey's under 18 year olds across 18 different schools.

86% of the young people we engaged with said their "knowledge of JOIC, protection of their personal data and understanding their personal data rights improved as a result of participating in one of our outreach sessions".

[Chart: NUMBER OF YOUNG PEOPLE, 2021 to 2024; series YOUNG PEOPLE and LINEAR (YOUNG PEOPLE); data labels 3654, 2486, 1235, 505.]

Pictured: During 2024, we recorded a rise in registration and engagement with our office from the small business community.


In line with our business plan deliverables, during 2024 we delivered the following:

10 x Privacy Awareness assemblies for Key Stage 2 students (7-11 years old)

28 x Sessions highlighting The Importance of Protecting Personal Data and Awareness of Digital Footprint, for Key Stage 3 students (11-12 years old)

19 x Sessions highlighting Understanding Information Rights for students in years 8 and 9 (12-14 years old)

25 x Sessions about Data Protection responsibilities in the Workplace and Data Protection Principles for students at Key Stages 4 and 5 (14-18 years old) who are undertaking industry work placements

3 x Privacy Debate sessions allowing students at Key Stage 4 (15-16 years old) to research, reason and deliver arguments around privacy themes

3 x Bespoke Courtroom Challenges bringing data protection law to life for students at Key Stage 5 (16-18 years old)

Given the exponential advances and uses of technology, it is critical, now more than ever, that we take steps to educate young people on how online behaviours can affect their opportunities in later life and provide them with the tools to protect themselves against the many harms associated with a digital environment and ensure they are empowered and equipped with the tools to protect their own personal data and that of others as they enter employment.

The aim of our measured programme of engagement activities and educational events for community members of all ages from sports clubs, to schools, youth clubs, cultural associations and volunteering groups was to educate participants about privacy and data protection matters and further embed our vision to create an Island culture whereby privacy is instinctive.

From January 2025 we will focus our energies with our young persons programme with students aged 11 to 18, only. This is in response to session survey feedback, as well as reflections that the curriculum and teaching professionals were already addressing the essential topics for younger children. Our strategy for 2025 will include further sessions which prepare young people for data protection compliance in the workplace and understanding responsibilities as employees.

CREATING YOUNG PRIVACY AMBASSADORS

Our Courtroom Challenge is an interactive mock privacy trial court case that brings privacy law to life for young people, requiring them to delve into certain aspects of data protection law whilst developing life skills and personal values.

The challenge, operated using real life court etiquette, helps young people to understand privacy in an ethical context and encourages them to be curious, question and feel confident interpreting data protection law, whilst developing their decision-making to make appropriate judgements when it comes to privacy and personal data.

The challenge's fictional character Jade is accused of taking a customer database from her old company and sharing with her new employer. The students take on the roles of defence and prosecution teams, preparing questions based on their courtroom bundle and witness statements. The defence set out to prove Jade's innocence, in that taking the database was lawful. The database contained personal data which identified certain special characteristics which could lead to prejudice. The prosecution must show that Jade has no lawful basis for her actions. Each courtroom challenge explores whether Jade can defend her actions. The students enjoy competing to find out who will emerge victorious.

Student benefits of our Courtroom Challenge include:

Helps equip young people with the decision-making tools to make a judgement when it comes to privacy and personal data.

Helps young people to understand privacy in an ethical context.

Provides extra-curricular experience for university applications, curriculum vitaes, references and interviews.

Helps to create a team of young privacy ambassadors ready to be curious, question and feel empowered and confident.

"My child found the discussion around the difference between special category data and other data insightful."

"What a fab team you have. My child took something away from the session without it being overwhelming."

Connecting with our Community

Privacy is a fundamental human right and in line with our vision, it was essential to develop a trusted connection with our community throughout 2024, raising awareness about the role of our office and mandate, data protection law itself and educating and empowering Islanders about their personal data rights and how to exercise them.

We respect all members of our community whilst recognising that some populations may be at higher risk and need greater protection. Our role as regulator is to ensure we target our support accordingly and apply the law in a fair and consistent manner, protecting those who need it most.

Our public awareness campaigns included hosting drop-in sessions at key spots Island wide including family groups and social activity groups for senior citizens. Further sessions took place at community hubs including Jersey Library and on St Helier high street and all sessions promoted our guidance, resources and support available for individuals regarding how to safeguard their personal data as well as their personal data rights, the risks surrounding it and how our office can support them in the event of a personal data breach.

"What a great conversation. Great job JOIC team for an engaging and interesting session that got the girls thinking."

"Thank you so much for delivering such a brilliant session."

To provide awareness to the more vulnerable members of our community and their carers, we engaged with Island charities including Eyecan, Age Concern, Autism Jersey, Mind Jersey, The Good Companions Club and the St John's Ambulance Carers group. This also involved guidance sessions for staff and volunteers.

Our Community Outreach team also attended Island events throughout 2024 accompanied by our privacy superhero life-size characters enabling families to engage with our educational activities and learn about the importance of protecting personal data. The largest of these was the Government of Jersey's Children's Day for 2024 which attracted more than 10,000 members of Jersey's community. Other activity included a presence at a Jersey adventure park, Jersey Library's Summer Reading Challenge and a privacy themed bear hunt, as well as a privacy trail through St Helier.

Other collaborations included working with the Jersey Fraud Prevention Forum to raise awareness about frauds and scams. We partner with local agencies to amplify our key messages for the protection and safety of our community.

These sessions provided the opportunity for us to hear directly from Jersey's community about any challenges they face related to data protection, levels of understanding of the law and how it helps to protect and empower them, as well as common misconceptions.

"I learnt a great deal at your event. It's reminded me to be more careful with my personal data."

"I feel so much more knowledgeable about the data protection principles and my responsibilities when handling client and staff personal data."

MEDIA AND PUBLIC RELATIONS

Another step in our business plan was to further establish relationships with media outlets in Jersey during 2024 to forge positive working relationships, resulting in greater and more meaningful local coverage for our office. As well as this, we committed to forging connections with international journals.

Media and Public Relations themes from our office for the year highlighted our regulatory action and enforcement activity and powers, as well as updates regarding the data protection regulatory landscape and our community outreach programme.

MEDIA RELEASES ISSUED INCLUDED:

Jersey successfully retaining its adequacy status

Promoting international Data Protection Day and Data Protection Week 2024

The announcement of the new Chair of the Jersey Data Protection Authority

The publication of our findings and lessons that industry could learn from the outcomes of our JOIC Data Protection Compliance Audit Programme

We also highlighted our involvement with the Global Privacy Enforcement Network's international enforcement sweep that examined more than 1,000 websites and mobile applications and found nearly all used one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions.

Further media updates included the signing of Memorandums of Understanding (MoUs) with Jersey's office of the Comptroller and Auditor General, the Isle of Man Information Commissioner, Gibraltar Regulatory Authority, the Abu Dhabi Global Market Office of Data Protection and the UK Information Commissioner's Office. The signing of these MoUs with national and international counterparts underlines our commitment to strengthen our cooperation with data protection regulators worldwide, serving not only to reinforce existing ties but to also build upon joint efforts in areas of common interest and concern. When working to protect the privacy and information rights of individuals, we believe we are stronger together.

A significant part of our promotional activity for 2024 centred around the launch of the 46th Global Privacy Assembly and our event theme 'The Power of i' including the announcement of the event programme and international sponsor and speaker lineup as we explored the social, moral and commercial considerations of data privacy and the need for global citizens to maintain control and dignity over their personal data.

Other public relations activity surrounded raising awareness of the role of our office, controller and processor obligations, how we deal with Freedom of Information appeals, our regulatory action and enforcement policy and the guidance available from our office for individuals as well as organisations. Further updates included the potential impacts and harms of privacy breaches, the importance of data protection for consumers and promoting awareness and empowerment of personal data rights.

NATIONAL AND INTERNATIONAL WORKING GROUPS

Paul Vane and John Edwards, UK Information Commissioner.

The Information Commissioner is proud to remain on the Executive Committee of the Global Privacy Assembly and is now Chair of the GPA Reference Panel, a group of non-DPA experts who assist the GPA with strategy and direction.

He is also a member of the Strategic Direction Sub-Committee and remains a member of the Working Group on Data Sharing for the Public Good. JOIC senior team members contribute to other GPA working groups such as the International Enforcement Working Group, the Digital Economy Working Group, the Digital Education Working Group, the Ethics in Data Protection and Artificial Intelligence Working Group and the International Development, Humanitarian Aid and Crisis Management Working Group.

We are members of the Global Privacy Enforcement Network, British, Irish and Islands Data Protection Authorities regional network of privacy commissioners and our senior team attends and contributes to the International Conference of Information Commissioners and the International Association of Privacy Professionals.


9

46TH GLOBAL PRIVACY ASSEMBLY

Paul Vane

INFORMATION COMMISSIONER

It was an honour and a  privilege for the Jersey Data Protection Authority to welcome attendees to its shores and showcase Jersey and all it has to offer.



122 Data Protection Authorities

I am thrilled and deeply honoured to have welcomed international colleagues and friends to the beautiful island of Jersey to host the 46th Global Privacy Assembly, one of the largest and most prestigious events in the global privacy calendar that connects the efforts of more than 138 Data Protection Authorities worldwide to discuss major issues impacting upon privacy and data protection and create the roadmap for the future of privacy regulation.

The overarching aim of the conference was to create a roadmap for the future, both short-term and long-term, to improve individuals' ability to self-manage their data, achieve greater equity in data sharing and foster better behaviours and culture around the use of personal data. The event attracted more than 500 delegates from 70 different countries to Jersey.


I, along with my team, wanted guests to enjoy the spirit and hospitality of their island nation, steeped in history and a place where collaboration and innovation thrives. A wealth of local leaders, industry bodies, event suppliers and experts came together to make the Jersey conference unforgettable and I must first pay tribute to the speakers, sponsors, advisers, creative designers and events team that worked tirelessly over two years to bring our concept and vision to life.

The other, perhaps hidden objective of holding a conference of this scale in Jersey was to provide a boost to the local economy in what would otherwise be a relatively quiet period for local businesses. I was delighted that so many local organisations were involved in the planning and delivery of the event, not to mention the welcome boost to the hospitality industry in terms of hotel and restaurant bookings and retail sales across the week.

'The Power of I'

The overarching conference theme 'The Power of I', highlighted the significance of our eight chosen themes of Innovation, Individual, Independence, International, Intercultural, Indigenous, Integrity and Information, which are intrinsically linked to encompass the harms, values and enrichment of our human lives. The conference sought to establish and explore how we can respect and balance the power of information with the need for citizens across the world to have power, control, and dignity over their personal data. The discussions challenged and questioned who controls this power, for what purpose and for whom. They also examined the effectiveness of current regulatory models, questioning whether they are still fit for purpose in a rapidly changing world.

COMMON ACTIONS ARISING ACROSS ALL PILLARS INCLUDED:

Ensure indigenous communities have a consistent seat at the table, develop new data governance principles, establish a working group within the Global Privacy Assembly and engage directly with indigenous populations.

Prioritise data privacy as a human right, address biases in data handling, build trust across diverse communities, promote transparency and consent, evolve company cultures to prioritise ethics and privacy, hold tech companies accountable, involve diverse community representatives in policy development, and educate the public on data privacy rights.

Seek early adopters for a digital privacy charter for schools, implement the 3E strategy (Educate, Engage, Empower) for children's privacy education, advocate for a digital media literacy strategy and provide support to regulators and innovators globally.

Find solutions that reconcile privacy protection with innovation, create a flexible approach to data minimisation and consider proportionality in data collection.

The 46th GPA was an  unforgettable experience  filled with inspiring  discussions and thought  leadership.

KEY OUTCOMES ARISING FROM DISCUSSIONS WERE:

We're operating in a complex regulatory environment.

Collaboration is key.

We need to do more involving young people.

We must not forget about the impact on humanity or how to address real harms.

Privacy needs to be a human right available to all.

Privacy and Innovation need to work together.

We need to deal with the complexity of rules around international data flows.

We need to focus more on privacy concerns around Internet of Things.

All of the outcomes from the 46th Global Privacy Assembly will be detailed in a comprehensive report which will be published in 2025.

DELEGATE FEEDBACK

"The ideas on data protection authorities being fit for the 21st century is also important for Data Protection Authorities to change to be better regulators in the digital/AI world"

"Loved the new perspectives and focus on topics outside of what we hear all the time. Fantastic conference"

"The youth panel was particularly powerful and thought provoking"

"JOIC did a fantastic job as host"

"Involving young people's voices in the children's privacy panel in the open session was an excellent idea"

"I think the biggest theme that became apparent was the need for more collaboration"


10

ENVIRONMENTAL, SOCIAL AND GOVERNANCE

We are proud to have retained 'Eco Active' status from the Government of Jersey's Eco Active business network.

Our team is committed to fostering positive change and is committed to:

Improving energy efficiency and eco awareness among staff.

Taking a proactive approach to office recycling.

Enhancing energy awareness in the workplace.


1  IMPROVING EFFICIENCY.  

2  PREVENTING WASTE.  

3  REDUCING THE RISK OF POLLUTION OR OTHER NEGATIVE ENVIRONMENTAL IMPACTS.  

We regularly review our office to identify opportunities for energy savings. Our workplace has energy-efficient lighting and we switch off computers, monitors and communal equipment at the end of each day. We use 100% recyclable printer paper.

We also have a dedicated eco active champion who takes responsibility for raising awareness among staff of beach clean-up activities and promoting eco-friendly transportation options.

Conducting regular reviews and office walk arounds, to identify where energy can be saved.

Having energy saving lighting in place across our workplace and switching off computers, monitors and communal equipment at the end of each day.

Using 100% recyclable printer paper.

11

PEOPLE AND ORGANISATIONAL DEVELOPMENT

Sam Duffy

PEOPLE AND ORGANISATIONAL DEVELOPMENT PARTNER

2024 was a dynamic year of challenge and change for the JOIC and the Authority. Our priorities remained focused on developing our people, aligning our efforts with strategic outcomes and fostering a culture of performance, engagement and retention. Financial uncertainty means we have delayed recruitment on vacant roles.

We prioritised initiatives that supported the growth and development of our teams while ensuring alignment with our business plan and strategic outcomes.


Key achievements included enhancing our performance measurement framework through Outcomes Based Accountability (OBA), offering leadership development opportunities and advancing professional qualifications. Our talent and succession planning discussions matured, identifying opportunities for internal career progression, ensuring we remain prepared for the future.

Despite resource challenges and setbacks, we maintained focus on employee engagement through regular communication and a review of pay and reward, reinforcing our dedication to fairness and recognition. Whilst there is still much to do, together our efforts in 2024 have strengthened our foundation, positioning us to meet future challenges with a skilled, motivated and cohesive team.

Workforce Composition

JERSEY DATA PROTECTION AUTHORITY

The Jersey Data Protection Authority Chair retired in October 2024 and was succeeded from within the JDPA. In addition, one voting member left the Authority and was not replaced.

At the end of 2024, the Authority headcount was five members, including the new Chair. This was two members fewer than the year before. The average length of tenure of a JDPA member at the end of 2024 was 3.2 years.

JERSEY OFFICE OF THE INFORMATION COMMISSIONER

At the end of 2024 there were 19 (18.6 FTE) permanent employees within the JOIC. There was one leaver, one new starter and one promotion in 2024. The headcount therefore remained the same as the year before.

In the current climate of financial uncertainty we have made a policy decision to either postpone recruitment or not recruit into vacancies.

In total, 90% of the JOIC's employees were female and 10% were male in 2024. The JOIC senior leadership team comprised four permanent employees, three female and one male, supported by two external consultants.

90% Female Employees

JERSEY DATA PROTECTION AUTHORITY CHAIR RECRUITMENT

A comprehensive recruitment and selection process was undertaken to appoint a new JDPA Chair in 2024. The process was designed to reflect our commitment to fairness, transparency and equal opportunities. Conducted in close collaboration with the Jersey Appointments Commission (JAC), the process adhered to best practices and governance standards. A four-member panel, comprising two representatives from the JDPA, one from the Government and one independent member carefully evaluated the applications under the oversight of the JAC. The process attracted a diverse and talented pool of candidates from both local and international backgrounds, resulting in the appointment of Elizabeth Denham as the successful candidate, in September 2024.

PERFORMANCE MEASUREMENT

Throughout 2024 we enhanced our approach to performance measurement using Outcomes Based Accountability (OBA) methodologies across several JOIC functions. This involved selecting key programmes and services, identifying metrics and capturing meaningful data to accurately reflect our progress and the impact of our service. By focusing on outcomes, we aim to align our efforts more closely with our vision and strategic goals.

Additionally, we collaborated with the Government of Jersey's Statistics department to identify possible measures for the Island Outcomes Indicators.

As part of this initiative, we provided OBA training for a number of JOIC team members, who will have some responsibilities for performance measurement within their roles. This work will continue into 2025.


EMPLOYEE DEVELOPMENT

This was a pivotal year for employee development at JOIC, marked by a variety of learning initiatives. These efforts aimed to support the continuing professional growth of our team while meeting the demands of a busy conference year.

PERSONAL LEADERSHIP PROGRAMME

A cornerstone of our development efforts, a 12-month Personal Leadership Programme was designed to enhance leadership skills and achieve specific organisational outcomes. Five team members, selected for their current or potential leadership responsibilities, participated in this programme. The training equipped them with essential skills and support to enhance their personal leadership skills and performance.

PROFESSIONAL QUALIFICATIONS

Despite the challenges posed by reduced budgets and the need to carefully balance time away from the office with the demands of hosting the GPA conference, JOIC remained committed to employee development. We are proud to report that six team members successfully completed or made progress towards professional qualifications at levels 3 to 7. These qualifications spanned key areas including Freedom of Information, Data Protection, Company Direction, Accounting, Education and Training, further enhancing the skills and expertise of our workforce.

IN HOUSE LEARNING AND WELLBEING PROGRAMME

The JOIC Learning and Wellbeing Programme delivered a variety of short, impactful sessions tailored to both personal and professional development. Topics included neurodiversity, mental toughness, networking, health and wellbeing and specialist/technical updates, ensuring our team remained informed and supported in their busy work environment.

CONTINUING PROFESSIONAL DEVELOPMENT

In 2024, we reviewed and enhanced our policies, procedures and knowledge across several important areas. The entire JOIC team completed Cyber Security training and selected members completed Safeguarding training, reinforcing our commitment to best practices and professional excellence.

46TH GLOBAL PRIVACY ASSEMBLY

Hosting the 46th Global Privacy Assembly conference served as a unique and valuable learning experience for the JOIC team. From programme design and event organisation to teamwork and active participation, the conference provided excellent opportunities for professional growth. Team members expanded their knowledge and networks while contributing to the success of this high-profile event.

LOOKING AHEAD

By providing diverse learning opportunities and investing in the growth of our team, we will continue to build a skilled and motivated workforce prepared to meet future challenges and opportunities.

PAY & REWARD REVIEW

Between April and June 2024, an in-depth review of the JOIC/JDPA's pay and reward structure and policy was undertaken. This review takes place approximately every four years to ensure that JOIC's pay and benefits are comparable with market rates. Conducted by a local independent specialist, the review benchmarked JOIC and JDPA pay structures against ten organisations, including regulatory bodies and public interest organisations in Jersey, Guernsey, the Isle of Man and Bermuda.

One organisation remained anonymous, and the Government of Jersey did not take part, however their publicly available pay data was included. Findings were shared with participating organisations to support their pay practices. The Remuneration and HR Committee reviewed the recommendations, and these were used to inform pay increases later in 2024.

TALENT AND SUCCESSION PLANNING

The JOIC leadership team completed talent and succession planning discussions for key roles within the organisation, in the last quarter of 2024. These discussions aimed to identify potential internal successors and prioritise development and career progression opportunities for motivated and qualified employees. The outcomes will guide the leadership team in fostering and retaining key talent throughout 2025.

As part of our broader talent strategy, we explored offering work placements to local students to promote careers in data protection. Despite extensive research and collaboration with local educational providers, budgetary constraints required these plans to be postponed at the end of 2024. We remain committed to revisiting these initiatives in the future, supporting local students eager to build careers in our industry.

EMPLOYEE ENGAGEMENT

In 2024, we adjusted our approach to employee engagement to align with resource demands, opting to conduct our engagement survey every other year. Instead, we focused on strengthening engagement through regular communication, ad hoc pulse surveys, connecting employees with our business plan and undertaking a review of pay and reward (as above). These efforts collectively made a positive impact, ensuring employees remained informed, aligned with the strategy and valued.


12

FINANCE OVERVIEW

46th Global Privacy Assembly

A key highlight in the year was hosting the 46th Global Privacy Assembly (GPA) annual conference. Not only did it provide a platform for important data protection discussions the conference also had a positive economic impact on local businesses which was distributed across several sectors. The hospitality industry benefited from the delegates staying in local hotels and dining at local restaurants, we also had local suppliers support in the conference with everything from event management and logistics through to the catering services received.

The Conference was funded through two revenue streams: Ticket sales and Sponsorship. These two sources of funding provided a good financial foundation ensuring the financial viability of the event whilst providing a quality offering for delegates, key stakeholders and sponsors. The funding raised covered the operational costs of the event which included venue hire, the technical infrastructure, speaker costs and logistics.

The ticket sales and sponsorship not only made the event financially feasible it also helped showcase Jersey. The sun shone all week and Jersey businesses shone alongside.

At the time of writing the conference numbers are still being finalised. The total income generated from tickets sale and sponsorship is in excess of £735,000. The associated conference expenses of approximately £724,000 has resulted in a near breakeven outcome.

Financial Summary 2024

Business Oper
Income £2,381,727 £2,394,730 +£13,003
Staff £1,689,511 £1,553,907 +£135,604
Non-Staff £973,838 £932,839 +£40,999
Total Variance +£189,606

Claire Le Brun

FINANCE DIRECTOR

2024 presented a challenging financial landscape, business as usual operations remained steady but due to decreased funding from Government, the JDPA took a prudent approach which resulted in streamlining, prioritising and making adjustments to ensure that our mandated services were protected and as many of the business plan deliverables to achieve our strategic outcomes to drive towards our vision were delivered.

INCOME

Budget Ar
Interest £6,000 £11,873 +£5,873
Fees £2,305,727 £2,325,260 +£19,533

Government Funding

The JDPA took receipt of two grant payments during 2024.

The first was received solely for Freedom of Information (FoI). The Grant is paid to the Information Commissioner as part of the FoI Partnership Agreement, with the Authority being the grant receiving body/authority which enables the grant to be received and utilised to fulfil our FoI statutory obligations.

The second grant was received to enable delivery of the 46th Global Privacy Assembly.

The uncertainty in Government Grant income for our data protection mandated activities resulted in a cost saving approach being adopted throughout our work during 2024. Whilst this is prudent, this does impact negatively on recruitment, training, development and opportunities.

Grant paid in 2024 £57,597 £50,000 £0

Registration Fee Income

Fee income totalling £2,325,260 has been received which represents 100.8% of the budgeted fee income set for the year. (2023: £2,275,510. 96.4% of budget)

There were 7,366 entities registered with the Authority in 2023, in 2024 the number of entities registered increased by 4.5% to 7,697. It should be noted that not all registrations pay fees.

The below table shows a comparison of fees in each registration fee band at year end for 2023 and 2024.

Full time equivalent fee £554,060 £524,100 +5.72%
Past year revenues £95,750 £90,400 +5.92%
Subject to proceeds of crime £115,250 £110,050 +4.73%
Administered Services £1,510,650 £1,506,600 +0.27%
Special Category Data £49,550 £44,450 +11.47%

It is challenging to forecast the fee income per fee band due to the number of differentials making up the fee.

For instance, in the FTE equivalent fee banding (FTE: Full Time Equivalent), an entity is required to select the number of FTEs currently employed. This affects which level of fee is paid and can change depending on the circumstances of the entity from year to year. Additionally, if the entity increases its revenue this also impacts on the fee to be paid for their processing.


The below table highlights how the fee could change for one single registration from one year to the next.

Full time equivalent fee £70 £90
Special Category Data £50 £150
Past year revenues £0 £150
Total fee Generated £120 £390

In the example above the same registration has increased by 225% in year 2; there would be no way to anticipate these changes in each registration. We could also see registrations doing the reverse and reducing their fee payable by the same %. The fee income could fluctuate quite significantly while registration numbers remain static.

This is something to remain mindful of when we are seeing negative impacts on business growth due to the current economic climate.

Remuneration and Staff

The below table shows the Authority remuneration and time commitments for the Authority members based on their role on the authority. Authority remuneration has seen a 7% uplift in 2024; this is the first uplift since the creation of the Authority in 2018. The rate was subject to an external review during 2024; the findings were submitted to the Minister, who approved the following:

 

Authority Chair 18 £1,016.50 £18,297
Committee Chair and Voting Member 15 £802.50 £12,037.50
Voting Member 12 £802.50 £9,630

There are no other payments made to the Authority members. Authority members are independent  contractors and do not constitute an employee for the purposes of the Employment (Jersey) Law 2003 or  other local legislation.

Total JOIC staff costs for the year were underspent at year end.  

£1,689,511 £1,553,907 £135,604

PEOPLE AND ORGANISATIONAL DEVELOPMENT  

There were 23 roles recorded in the 2024 budget with 19 of these in post at year end. Recruitment was  delayed through the year to utilise the staff savings to offset the reduction in funding in the year.  

Staff costs include the Commissioner's salary*.

£152,208 £163,309 7%

*The budgeted figures above include employer social security and pension contributions. The grade offered  to the Information Commissioner is a 10.3 on the JOIC pay scale and this was increased by 7% for cost of living  from 1 January 2024.  

Non-Staff Costs

Strategic decisions were taken to scale back on non-staff costs in the face of the reduced Government funding.

By carefully managing expenditure and focusing on efficiency we ensured we could deliver our mandate and meet our deliverables whilst reducing costs.

 

 

 

 

£973,838 £932,839 £40,999

The action taken has resulted in budget underspends at the end of 2024 to ensure the Authority can  service its financial obligations.  


AUDITED FINANCIAL STATEMENTS

 

 

Independent auditor's report

To the relevant Minister of the Government of Jersey (the "Minister") on behalf of Jersey Data Protection Authority and the Comptroller and Auditor General

Opinion

We have audited the financial statements of Jersey Data Protection Authority (the "Authority"), which comprise the statement of financial position as at 31 December 2024, and the statement of comprehensive income and retained earnings for the year then ended, and notes to the financial statements, including a summary of significant accounting policies.

In our opinion, the accompanying financial statements:

give a true and fair view of the financial position of the Authority as at 31 December 2024, and of its financial performance for the year then ended in accordance with United Kingdom Accounting Standards, including Section 1A of FRS 102, The Financial Reporting Standard applicable in the UK and Republic of Ireland ("UK GAAP"); and

have been prepared in accordance with the requirements of the Data Protection Authority (Jersey) Law 2018 (the "Law").

Basis for Opinion

We conducted our audit in accordance with International Standards on Auditing (UK) (ISAs) and applicable law. Our responsibilities under those standards are further described in the Auditor's Responsibilities for the Audit of the Financial Statements section of our report. We are independent of the Authority in accordance with the ethical requirements that are relevant to our audit of the financial statements in Jersey, including the FRC's Ethical Standard, and we have fulfilled our other ethical responsibilities in accordance with these requirements. We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Key Audit Matters

Key audit matters are those matters that, in our professional judgement, were of most significance in our audit of the financial statements of the current period and include the most significant assessed risks of material misstatement (whether or not due to fraud) identified by us, including those which had the greatest effect on: the overall audit strategy; the allocation of resources in the audit; and directing the efforts of the engagement team. These matters were addressed in the context of our audit of the financial statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion on these matters.

 

Key audit matter

Identified audit risk per the Audit Planning Letter

Key observations communicated to those charged with governance

Revenue

Revenue recognised during the reporting period may be incorrectly allocated or materially misstated.  

Accounting policies in Note 3

Note 4 and Note 6

Revenue for the year was £2,387,730 (PY: £2,439,474).

Revenue derived from registrations made with the authority and renewals, or grant income, being materially misstated.

 

We have reinforced our understanding of the process, from initial registration or renewal through to the income being recognised and received, including walkthroughs and detailed controls testing, confirming key controls were appropriately implemented and operated effectively.

We undertook substantive analytical procedures to assess the completeness of the reported income.

We have reviewed the agreements, correspondence and conditions related to funding received from the Government of Jersey (GOJ), to ensure that the appropriate level of income is recognised in the reporting period. This amount was £nil for 2024 (PY: £85,419).

In addition, we have reviewed post balance sheet minutes of the Members of the Authority and correspondence to confirm that no 2024 government grant was subsequently agreed after the conclusion of the financial period.

Freedom of Information (FoI) grant audit procedures:

We have obtained an understanding of the FoI grant through discussions with management and review of the agreement. We have agreed receipt of grant to bank and recalculated the clawback mechanism assessing if this will be applicable in 2024 for accuracy of the amount disclosed in the financial statements.

We have assessed the correlating expenses, including assumptions made, for the FoI grant for reasonableness and performed a re-calculation.

We reviewed the disclosure requirements for the FoI grant under FRS 102 and discussed requirements with a second Director.

We have no issues to report from our testing.

 

Exceptional items - General Privacy Assembly (GPA) conference

Sponsorship/ticket income or GPA related expenses during the period could be incorrectly accounted for or disclosed.

Accounting policies in Note 3

Note 19

Revenue relating to the GPA conference was £745,663 (PY: £nil).

Expenses relating to the GPA were £708,860 (PY: £33,581).

There is a risk that the grant/donation income and related expenses incurred for the purposes of hosting the GPA conference are not correctly accounted for and disclosed in the financial statements.

Ticket Income

We have obtained an understanding of the process, from registration through to the income being recognised and received.

We undertook substantive procedures as well as communication with management, to assess the reported income. This amount was £258,855 for 2024 (PY: £nil).

Sponsorship Income

We have obtained an understanding of the processes surrounding sponsorship income through discussions with management, including how they reach out to potential sponsors, to how the sponsors paid the authority.

We have reviewed the material sponsorship agreements and invoices, related to the GPA conference, to ensure that the appropriate level of income is recognised in the reporting period, as well as ensuring the money was appropriately accounted for and held separately in bank. This amount was £478,998 for 2024 (PY: £nil).

Expenditure

We have obtained an understanding of the process, with the expenses being budgeted and invoiced by the event organiser.

We obtained and reviewed material contracts related to the GPA, as well as substantively sampling a selection of the GPA conference expense invoices to ensure they were classified correctly. The expenses relating to the GPA conference were £708,860 for 2024 (PY: £33,581).

We have reviewed post balance sheet minutes of the Members of the Authority and correspondence to confirm that no additional income/expenses relating to the GPA conference arose after the 2024 year end.

We performed a Pentana disclosure checklist to ensure correct disclosures in accordance with applicable financial reporting frameworks.


Our Application of Materiality  

Materiality for the financial statements as a whole was set at £42,000 (PY: £42,000), determined with  reference to a benchmark of total revenue/expenses, of which it represents c1.8% (PY: c1.8%).  

In line with our audit methodology, our procedures on individual account balances and disclosures were  performed to a lower threshold, performance materiality, so as to reduce to an acceptable level the risk  that individually immaterial misstatements in individual account balances add up to a material amount  across the financial statements as a whole.  

Performance materiality was set at c70% (PY: c70%) of materiality for the financial statements as a whole, which equates to £30,000 (PY: £29,000). We applied this percentage in our determination of performance materiality because we have not identified any significant corrected misstatements or material uncorrected misstatements in the prior year audit. We also based the percentage on results and experience in the prior year audit and understanding of the entity; therefore we deem the likelihood and effects of misstatements to be low.

We have reported to the Audit and Risk Committee any uncorrected omissions of misstatements  exceeding £2,000 (PY: £2,000), in addition to those that warranted reporting on qualitative grounds.  

Conclusions relating to Going Concern  

In auditing the financial statements, we have concluded that the Board of Members' use of the going concern basis of accounting in the preparation of the financial statements is appropriate.

Based on the work we have performed, we have not identified any material uncertainties relating to events or conditions that, individually or collectively, may cast significant doubt on the Authority's ability to continue as a going concern for a period of at least twelve months from when the financial statements are authorised for issue.

Our responsibilities and the responsibilities of the Board of Members with respect to going concern are  described in the relevant sections of this report.  

Other Information

The other information comprises the information included in the annual report other than the financial statements and our auditor's report thereon. The Board of Members are responsible for the other information contained within the annual report. Our opinion on the financial statements does not cover the other information and, except to the extent otherwise explicitly stated in our report, we do not express any form of assurance conclusion thereon. Our responsibility is to read the other information and, in doing so, consider whether the other information is materially inconsistent with the financial statements, or our knowledge obtained in the course of the audit, or otherwise appears to be materially misstated. If we identify such material inconsistencies or apparent material misstatements, we are required to determine whether this gives rise to a material misstatement in the financial statements themselves. If, based on the work performed, we conclude that there is a material misstatement of this other information, we are required to report that fact.

We have nothing to report in this regard.  

Responsibilities of the Board of Members  

As explained more fully in the statement of Authority's responsibilities set out on page 3, the Board of  Members are responsible for the preparation of financial statements that give a true and fair view in  accordance with UK GAAP, and for such internal control as the Board of Members determine is necessary  to enable the preparation of financial statements that are free from material misstatement, whether due  to fraud or error.  

In preparing the financial statements, the Board of Members are responsible for assessing the Authority's ability to continue as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis of accounting unless management either intends to liquidate the Authority or to cease operations, or has no realistic alternative but to do so.

The Board of Members are responsible for overseeing the Authority's financial reporting process.

Auditor's Responsibilities for the Audit of the Financial Statements

Our objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor's report that includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with ISAs will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial statements.

The extent to which our procedures are capable of detecting irregularities, including fraud, is detailed below:

Enquiry of management to identify any instances of non-compliance with laws and regulations, including actual, suspected or alleged fraud;

Reading minutes of meetings of the Authority;

Reading compliance reports and key correspondence with regulatory authorities;

Review of legal invoices;

Review of management's significant estimates and judgements for evidence of bias;

Review for undisclosed related party transactions;

Using analytical procedures to identify any unusual or unexpected relationships; and

Undertaking journal testing, including an analysis of manual journal entries to assess whether there were large and/or unusual entries pointing to irregularities, including fraud.

A further description of the auditor's responsibilities for the audit of the financial statements is located at the Financial Reporting Council's website at www.frc.org.uk/auditorsresponsibilities.

This description forms part of our auditor's report.

Other Matters which we are Required to Address

We were initially appointed by the Comptroller and Auditor General on 4 March 2020 to audit the financial statements and subsequently reappointed on 7 October 2024 for a period of at least two more years. Our total uninterrupted period of engagement is 7 years.

The non-audit services prohibited by the FRC's Ethical Standard were not provided to the Authority and we remain independent of the Authority in conducting our audit.

Our audit opinion is consistent with the additional report to the audit committee in accordance with ISAs.

Use of this Report

This report is made solely to the Minister in accordance with Article 43 of the Data Protection Authority (Jersey) Law 2018. Our audit work has been undertaken so that we might state to the Minister those matters we are required to state to them in an auditor's report and for no other purpose. To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the Authority and its Minister, as a body, for our audit work, for this report, or for the opinions we have formed.

Sandy Cameron

For and on behalf of Baker Tilly Channel Islands Limited

Chartered Accountants

St Helier, Jersey

Date: 25 April 2025

 

 

 

 

 

 

+44 (0) 1534 716 530

2nd Floor, 5 Castle Street, St. Helier, Jersey, JE2 3BT

www.jerseyoic.org


[a]We treat people equally, without favouritism or discrimination. We are impartial in our activities and free from bias or dishonesty.

We are competent, reliable and respectful. Our decisions are open, honest and rationalised by a sound evidence base to promote integrity and trust.

We share responsibility, including being honest and fair in our conduct towards others. We are willing to be judged on our performance.

We work together to achieve our strategic outcomes. A collaborative approach allows us to work effectively together or individually. We communicate clearly, actively listen to others, take responsibility for mistakes and respect the diversity of our team. We demonstrate impartiality and accountability.

We are Respectful.

We respect those we work and liaise with; this means that we actively listen to others and behave considerately towards others. We have self-respect and make responsible choices in what we say and do, to reach personal and organisational outcomes. We treat others in the way we want to be treated.

We are Energetic.

We are enthusiastic and approach our activities with vigour and vitality.

The Jersey Data Protection Authority (the Authority) is an independent statutory body established to promote [b]respect for the private lives of individuals through ensuring privacy of their personal data by:

Implementing and ensuring compliance with the Data Protection (Jersey) Law 2018 (the DPJL 2018) and the Data Protection Authority (Jersey) Law 2018 (the DPAJL 2018).

Influencing attitudes and behaviours towards privacy and processing of personal data, both locally and internationally.

Providing advice and guidance to Island businesses and individuals and making recommendations to the Government of Jersey in response to changes in international data protection laws.

The Information Commissioner has separate responsibility for regulating the Freedom of Information (Jersey) Law 2011 (the FoI Law). This includes encouraging public authorities to follow good practice in their implementation of that law (including adherence to the relevant code of practice) and helping to promote transparency by supplying the public with information about the law and advice and guidance on how to exercise their rights.

On behalf of the Authority, it is my pleasure to present to the Minister and members of the States Assembly our Annual Report for 2024. This fulfils our statutory obligation under Article 44 of the DPAJL 2018.

My term as Chair began in October 2024 on the retirement of the preeminent international data protection leader Jacob Kohnstamm, former Data Protection Commissioner of the Netherlands, who served as Authority Chair since the inception of the Authority in 2018.

During Jacob's tenure, he and his fellow Authority Members navigated the Jersey Office of the Information Commissioner (JOIC) through an unprecedented period of growth and change in terms of expertise, capacity and head count. He recruited highly respected Information Commissioners Dr. Jay Fedorak (2018-2021) and Paul Vane (2021 to present). Both of these leaders brought extensive practical experience, integrity and passion to their work.

As Chair, Jacob worked tirelessly with Government of Jersey, establishing a respectful relationship and establishing in law a fee model for private sector organisations which provides a large proportion of the funding for the JOIC to carry out its mandated regulatory functions and supporting the private sector in compliance with the law. We are now in discussions with the Jersey Government to establish a Partnership Agreement which ensures that the public sector bodies also pay their fair share of the resources necessary for overseeing data protection in the public sector. I am hopeful that we will reach a long-term solution soon.

At the end of 2024, we felt the loss of the most senior authority member, Gailina Liew, who served from 2018 to 2024 and brought extensive local and international thought leadership in board governance. I will miss her wise counsel, and her ability to enculturate me to the Jersey environment. But with a balance of local and international experts serving on the authority, Paul Routier MBE, Helen Hatton, Stephen Bolinger and Paul Breitbarth, we are in good shape to face the challenges of advanced technology and an unsettled geopolitical environment.

[c]scale. Few jurisdictions get the opportunity to host this prestigious conference, attracting data protection authorities and private sector companies across the world. It was with pride and home-grown Jersey flavour that we hosted a hugely successful conference, attracting 500 participants and providing a platform and unique, engaging agenda for professionals from all corners of the globe. We discussed the challenges of new and disruptive technologies and how they can be harnessed to improve society, business and government while protecting the agency and dignity of individuals and groups. AI governance and modern technologies will be one of our strategic priorities for 2025.

The number of data protection complaints and enquiries remain constant (average 85) since the introduction of the Data Protection (Jersey) Law 2018 along with self-reported data protection breaches which average 217 annually.

demonstrates a modern, independent Regulatory Authority that has the confidence to take on the data protection issues of the day and ensure that its work is relevant to Jersey businesses, government, and citizens. This will be a particular focus in 2025.

[d]The JOIC is well placed to ensure that data is managed, protected, and respected to unlock technological innovation that will be key to Jersey's economy. Data protection is about trust: the opportunities that are before us today will only be realised where people trust their data will be used fairly and transparently. In my first Annual Report as Chair of the JDPA, I will conclude with a simple note of thanks to the Minister and Assistant Minister for Sustainable Economic Development, Commissioner Paul Vane and his team. It is a privilege to collaborate with this outstanding team and colleagues and I look forward to the year ahead.

Elizabeth Denham CBE

Chair, Jersey Data Protection Authority

[e] https://jerseyoic.org/media/l5sfz1s0/joic-regulatory-action-and-enforcement-policy.pdf

The Authority has several tools in its enforcement suite, namely:

A. WORDS OF ADVICE
B. REPRIMAND
C. WARNING
D. ORDER
E. PUBLIC STATEMENT
F. ADMINISTRATIVE FINE

A. Words of Advice

Where we have identified a contravention or potential contravention of the law that does not warrant a sanction, we take the opportunity to issue Words of Advice under Art. 11(1)(e) of the DPAJL 2018 in order to remind data controllers/processors of their obligations under the DPJL 2018.

B. Reprimand

This is a formal acknowledgment that an organisation has done something wrong and is being rebuked for its conduct. This remains on the record of an organisation and could be considered if further incidents occur in the future. Generally, reprimands are issued in tandem with certain other Orders, but this is not always the case. For example, whilst there may have been a technical contravention of the DPJL 2018 for which the organisation was responsible, they might have taken steps to put things right and rectify the issues that contributed to the contravention and a formal rebuke may suffice.

[f]E. Public Statement

As with everything it does, the Authority approaches the issuing of Public Statements on a proportionate basis and will only issue a Public Statement where, because of the gravity of the matter or for other exceptional reason, it would be in the public interest to do so. It does not identify all parties involved in or otherwise report on every enforcement action taken because that is not what the law provides for. There is a strict test that must be met and the Authority reserves this power for the most serious cases.

F. Administrative Fine

The Authority Law provides for substantive administrative fines and sanctions for contraventions of the DPJL 2018, but it is our intention to use these as a sanction of last resort.

In determining whether to impose an Administrative Fine in accordance with Article 26 of the DPAJL 2018, the Authority will consider:

The nature, gravity and duration of the contravention.

Whether the contravention was intentional or neglectful.

The action taken by the controller or processor to mitigate the loss or damage, or distress suffered.

The degree of responsibility of the person concerned and the technical and organisational measure implemented for the purposes of data protection.

Previous contraventions.

The degree of cooperation with the Authority.

The categories of personal data.

In issuing a fine, the Authority will consider the need for it to be effective and proportionate, as well as to be a deterrent.

It should be noted that the Authority does not have the power to fine a public authority as detailed in Part 4 Article 26. (9) of the DPAJL 2018, this includes the States Assembly, the States of Jersey Police, a Minister etc.

[g] https://jerseyoic.org/media/l5sfz1s0/joic-regulatory-action-and-enforcement-policy.pdf


[h]and to the complainant. Both parties have a 28-day period to appeal that final determination to the Royal Court of Jersey.

standards for how that information is used and as a last resort to provide a framework for enforcement where rules are breached.

The JOIC will also use the framework as set out in Part 4 of the DPAJL 2018 to conduct an Inquiry on its own initiative into a likely contravention of the DPAJL 2018, which we may learn about from a whistle-blower or by observing a behaviour relating to the use of personal data by an organisation.

Our vision is to create an Island culture whereby privacy becomes instinctive with individuals and organisations taking a proactive approach to privacy and data protection by it being embedded throughout their daily activities and business planning. In striving to achieve this we pride ourselves on making every touch point with a complainant, an enquirer, an organisation reporting a breach or a registration enquiry, an informative and positive experience aimed at fostering a constructive and educational relationship. We also facilitate learning and information exchange, helping us to understand the challenges faced by industry and the frustrations faced by complainants.

under Schedule 1 of the DPAJL 2018, we have the power to issue an organisation with an Information Notice. This imposes a legal requirement to provide us with any information we consider necessary to assist us in any investigation or inquiry.

An Information Notice requires we give the data controller 28 days to provide the requisite information. This is a lengthy and formal process. Often upon receipt and analysis of the requested information, we have further questions which results in a follow up Information Notice. It will be clear that such exchanges can take a number of months.

The investigation will identify if there has been a contravention of the law.

During 2024, the Authority issued a range of Orders including:

Ordering a controller to provide staff members [j]with appropriate, relevant and role specific data protection training.

Requiring the controller to report back to the Authority within a stipulated timeframe.

Registering with the Authority.

Requiring a controller to rerun broader searches [i]in relation to a subject access request.

within a certain timeframe (including providing previously withheld information).

Keeping a controller under effective supervision to reevaluate/improve on internal processes and controls in relation to personal data processing.

The subject and focus of the Orders issued in 2024 were aimed at changing the behaviour of the data controllers and importantly put into context the risks associated with each topic associated with the breach determination.

Right of access complaints include a lack of response, refusal to respond, delays and excessive redaction. Complaints also included excessive collection, lack of required transparency information (including privacy notice), holding inaccurate personal data and concerns over security. We also received a number of domestic CCTV complaints.

The two categories of complaints attracting the higher number in 2024 are the same as in 2023:

I asked for access to/copies of my personal data, and I've not received it/they have withheld it from me.

My information has been shared, and it shouldn't have been.

The first of these refers to dissatisfaction raised by the complainant upon receipt of the information they request as part of the right of access. We often see over-redacting when responding to data