Scrutiny Officer
States Greffe
Morier House
Halkett Place
St. Helier
JE1 1DD

7 October 2019

Dear Kellie
Re: Economic and International Affairs Panel - Draft Banking Business (Depositors Compensations) (Amendment No.2) (Jersey) Regulations 201-.
Please thank the panel for inviting my comments on the proposition: Draft Banking Business (Depositors Compensations) (Amendment No.2) (Jersey) Regulations 201-. I have reviewed the proposition along with the Banking Business (Depositors Compensations) (Jersey) Regulations 2009 (2009 Regulations) and the Banking Business (Jersey) Law 1991 (Banking Law). I have also been in contact with representatives of the Government of Jersey, who have provided me with additional information as to the intended purpose of the proposed powers. In accordance with the jurisdiction of my office, my comments concern only the collection and disclosure of personally identifiable data.
The proposition would grant to the Board of the Bank Depositor Compensation Scheme (Board) the power to collect information about the bank deposits of identifiable individuals for the purpose of protecting those bank deposits in the event of a bank failing. The 2009 Regulations allow the Board to collect this data only after a bank has failed.
In order for the Board to meet its statutory timeline to compensate deposit holders in the event of a bank failure, the Board has recently determined that it needs to establish a process and format for transferring data in advance of a failure. It is necessary for the Board to determine the appropriate fields of data and a universal format for data transfer and to communicate this to all banks. This will enable banks to transfer reliable data in a timely manner for the Board to compensate deposit holders in the event of a failure.
The Government has assured me that the Board does not plan to collect and hold data of all deposit holders just in case of a failure. Nevertheless, the Board will require temporary use of data on identifiable depositors from one or two banks for the purpose of establishing a format for data transfer and for testing its electronic system of data transfer. Once the testing is complete, the Board indicates that it will destroy all of the data.
I wish to confirm that I support protecting the bank balances of depositors as being in the public interest. I have no concerns about the use of personal data to assist in establishing and testing an electronic system for the transfer of banking data to facilitate the Bank Depositor Compensation Scheme (Scheme), if it employs reasonable physical safeguards to protect the data against unauthorised access or disclosure.
2nd Floor, 5 Castle Street, St Helier, Jersey JE2 3BT | +44 (0) 1534 716 530 | enquiries@jerseyoic.org
www.jerseyoic.org
I do have concerns about the discrepancy between the limited purposes for which the Government indicates the Board requires the personal data and the broader powers for collecting personal data included in the proposition. The Board would have many of the same powers for the collection of personal data that the Jersey Financial Services Commission has under article 26 of the Banking Law. This includes the power to compel the production of all information that an officer or agent reasonably requires for the purpose of the performance of the Commission's functions under that Law.
I acknowledge that it is clear that the Board must have access to certain personal data of depositors in the event of a bank failure in order to process requests for compensation (as per article 2 of the 2009 Regulations). However, it is less clear the extent to which the Board would reasonably require the data of depositors in normal circumstances where there is no reason to expect that any banks would fail. My understanding is that bank failures in Jersey are rare and that Jersey has created the Scheme out of an abundance of caution.
My concern relates to one of the data protection principles in article 8 of the Data Protection Law (Jersey) 2018 (Data Protection Law). This is the principle of data minimisation, which requires that the processing of data be limited to what is necessary in relation to the purposes for which it is processed. While the plan, as the Government has described to me, meets the principle of data minimisation, the powers granted to the Board in the proposition permit the Board to require further personal data from banks that may be over and above what is required to administer the Scheme.
I have no reason to doubt the good faith and commitment of the Board to the Data Protection Law, but I believe it would be prudent to incorporate into the proposition additional checks and balances or accountability requirements. My primary concern relates to unconfirmed reports of depositor protection schemes in other countries that involve the creation of amalgamated databases of all current account balances within the jurisdiction in personally identifiable form. I suspect that this would pose an attractive target for hackers and others seeking unauthorised access to a large volume of sensitive and valuable data.
Decisions relating to the processing of personal data should balance the risk to privacy to individuals involved against the benefit to them of the processing of their data. Where the benefit, as in this case, is the prevention of harm, this evaluation should take into account the likelihood of harm occurring. Processing is appropriate where the risk of harm to the individual outweighs the risk to their privacy. However, the processing would not be appropriate where the risk to privacy, as well as other risks the processing poses, outweighed the risk of harm that the processing was supposed to prevent.
It is not clear to me that the risks of a bank collapse in this jurisdiction are such as to warrant the same level of data collection as may be the case in other jurisdictions where bank failures are common. Given the currently available statistics on data breaches and bank failures worldwide, it is reasonable to expect that the creation of an amalgamated database of all current account balances in Jersey is more likely to result in a data breach causing harm to depositors than to facilitate the reimbursement of a depositor.
Therefore, I think it would be beneficial for the Board to consult my office in advance, if it were to consider creating such an amalgamated database or otherwise engage in the mass collection and retention of the personal data of depositors.
I regret that I do not have any specific suggestions regarding any legal mechanisms that might address my concern about the mass collection and retention of personal data of depositors in the absence of evidence that any particular bank might fail. However, I would be pleased to comment on any suggestions in the event that others offer them.
Thank you again for inviting my comments. Please let me know if you have any questions.
Information Commissioner