Review into the Proposed Amendments to the Data Protection (Jersey) Law 2005 - Report - 19 April 2010

Corporate Services

Scrutiny Panel

Review into the Proposed Amendments to the Data Protection (Jersey) Law 2005

Presented to the States on the 19th April 2010

S.R.6/2010

CONTENTS

1. CHAIRMAN'S FOREWORD........................................................................................................... 3
2. TERMS OF REFERENCE AND PANEL MEMBERSHIP................................................................. 4

1. TERMS OF REFERENCE.................................................................................................. 4
2. SUB-PANEL MEMBERSHIP............................................................................................... 4
3. MAIN PANEL MEMBERSHIP............................................................................................. 4
4. EXPERT ADVISOR............................................................................................................ 5

3. KEY FINDINGS AND RECOMMENDATIONS................................................................................. 6

1. KEY FINDINGS.................................................................................................................. 6
2. RECOMMENDATIONS ...................................................................................................... 8

4. INTRODUCTION .......................................................................................................................... 10
5. BACKGROUND INFORMATION.................................................................................................. 12

1. DATA PROTECTION AND THE EUROPEAN UNION....................................................... 13
2. DATA PROTECTION DIRECTIVE 95/46/EC..................................................................... 14
3. JERSEY AND THE EU..................................................................................................... 14
4. UNITED KINGDOM.......................................................................................................... 15
5. IRELAND ......................................................................................................................... 16
6. GUERNSEY..................................................................................................................... 16
7. HUMAN RIGHTS LEGAL OPINION.................................................................................. 17

6. AMENDMENT ONE...................................................................................................................... 18

1. THE PROPOSAL.............................................................................................................. 18
2. DEPARTMENTAL EFFECTS............................................................................................ 21
3. THE POSITION IN THE UK.............................................................................................. 22
4. THE POSITION IN IRELAND............................................................................................ 26
5. GUERNSEY..................................................................................................................... 27
6. HUMAN RIGHTS.............................................................................................................. 28

7. AMENDMENT TWO ..................................................................................................................... 29

1. THE PROPOSAL.............................................................................................................. 29
2. HUMAN RIGHTS.............................................................................................................. 29

8. AMENDMENT THREE.................................................................................................................. 32

1. THE PROPOSAL.............................................................................................................. 32
2. DEPARTMENTAL EFFECTS............................................................................................ 36
3. THE POSITION IN THE UK.............................................................................................. 37
4. THE POSITION IN GUERNSEY....................................................................................... 39
5. HUMAN RIGHTS.............................................................................................................. 39

9. AMENDMENT FOUR.................................................................................................................... 41

1. THE PROPOSAL.............................................................................................................. 41
2. DEPARTMENTAL EFFECTS............................................................................................ 42
3. HUMAN RIGHTS.............................................................................................................. 43

10. AMENDMENT FIVE...................................................................................................................... 44

1. THE PROPOSAL.............................................................................................................. 44
2. DEPARTMENTAL EFFECTS............................................................................................ 45
3. THE POSITION IN THE UK.............................................................................................. 47
4. THE POSITION IN IRELAND............................................................................................ 47

5. HUMAN RIGHTS.............................................................................................................. 49

11. AMENDMENT SIX........................................................................................................................ 50

1. THE PROPOSAL.............................................................................................................. 50
2. HUMAN RIGHTS.............................................................................................................. 50

12. AMENDMENT SEVEN.................................................................................................................. 53

1. THE PROPOSAL.............................................................................................................. 53
2. HUMAN RIGHTS.............................................................................................................. 53

13. AMENDMENT EIGHT................................................................................................................... 54

1. THE PROPOSAL.............................................................................................................. 54
2. DEPARTMENTAL EFFECTS............................................................................................ 54
3. HUMAN RIGHTS.............................................................................................................. 54

14. PUBLIC AWARENESS................................................................................................................. 55
15. CONCLUSION.............................................................................................................................. 58
16. APPENDIX 1 – THE PROPOSED DATA PROTECTON AMENDMENTS...................................... 59
17. APPENDIX 2 – EVIDENCE CONSIDERED................................................................................... 70
18. APPENDIX 3 – GLOSSARY OF TERMS...................................................................................... 72
19. APPENDIX 4 – JONATHAN COOPER'S HUMAN RIGHTS LEGAL OPINION.............................. 73
20. APPENDIX 5 – ADVOCATE HELEN RUELLE'S REPORT........................................................... 84
21. APPENDIX 6 – MINISTER FOR ECONOMIC DEVELOPMENT: LETTER 23RD MARCH 2010.... 95
22. APPENDIX 7 – MINISTER FOR ECONOMIC DEVELOPMENT: LETTER 3RD MARCH 2010...... 96

1. CHAIRMAN'S FOREWORD

As time goes by, Governments around the world are consistently producing new legislation and amending existing legislation to adapt to the movement of modern day globalisation and particularly the changes surrounding European Union Directives.

Data Protection can be seen as a complex law which is usually incorporated into many areas of legislation throughout various jurisdictions. This legislation is in place to promote and establish common sense amongst all individuals and businesses alike, as many people will be aware personal details are very much that – personal!

Awareness  is  a  key  component  of  data  protection  whereby  we  should  all be  able  to comprehend that if we were to expose a person's personal details without their consent this could impose serious consequences or implications for that person therefore, this could be life changing not only for them but for their family as well.

Taking all these factors into account the Sub-Panel felt it only appropriate to ensure that such changes to legislation were appropriate for the Island in response that it would not cause unnecessary bureaucracy and further misunderstanding of the application of the law.

It has been a belief that Data Protection was introduced to place a responsibility upon an entity, this being a business, which in particular areas can store hundreds of thousands of people's personal details at a touch of a button, especially this day in age.

Unfortunately the Sub-Panel had a tight timeframe in order to complete this report therefore, purely focussed on the draft amendments in relation to data protection. I would like to take this opportunity to thank all Members of the Sub-Panel for their hard work, availability and dedication to this task.

I would also like to thank our advisor Advocate Helen Ruelle for her expertise and legal advice on these matters, it has been very much appreciated.

Deputy T. Vallois

Chairman

Corporate Services Data Protection Sub-Panel

2. TERMS OF REFERENCE AND PANEL MEMBERSHIP

1. TERMS OF REFERENCE

The following Terms of Reference were established for the Data Protection review:

1. To review the proposed amendments of the Law with particular regard to:

1. The implications surrounding the proposed amendments;
2. The language and robustness;
3. A comparison with other jurisdictions, namely the United Kingdom and Ireland.

2. To consider whether the proposed amendments are in the interest to whom the law applies, and whether there are any manpower or financial implications.
3. To consider whether the proposed amendments comply with the Human Rights (Jersey) Law 2000.
4. To examine any further issues relating to the topic that may arise in the course of the Scrutiny Review and which the Panel considers relevant.

2. SUB-PANEL MEMBERSHIP

For the purposes of this review, the Corporate Services Scrutiny Panel established the following Sub-Panel:

DEPUTY T.A. VALLOIS, CHAIRMAN DEPUTY D.J. DE SOUSA, VICE-CHAIRMAN SENATOR S.C. FERGUSON

DEPUTY M.R. HIGGINS

3. MAIN PANEL MEMBERSHIP

The Corporate Services Scrutiny Panel itself comprises of the following members:

SENATOR S.C. FERGUSON, CHAIRMAN DEPUTY C.H. EGRE, VICE-CHAIRMAN CONNETABLE D.J. MURPHY

DEPUTY T.A. VALLOIS

4. EXPERT ADVISOR

The Corporate Services Panel appointed the following expert advisor:

Advocate Helen Ruelle of Mourant du Feu & Jeune

Mrs Ruelle trained and qualified as an English solicitor in 1998 (currently non-practising) and has worked in both private practice and as a senior in-house lawyer for a UK public sector body before joining Mourant du Feu & Jeune in 2001. Mrs Ruelle was sworn in as a Jersey advocate in 2008. Advocate Ruelle specialises in commercial and corporate issues relating to Jersey companies, employment, data protection and competition law.

3. KEY FINDINGS AND RECOMMENDATIONS

1. KEY FINDINGS

1. The wording of proposed amendment one causes concern to the Sub-Panel in its current context.
2. The Sub-Panel acknowledges that a person can appeal against an information notice however, is concerned that not everyone is aware of data protection. If the Commissioner has an increased power in its current format to issue anyone with a notice, the public need to be aware that there is an appeal process.
3. The Sub-Panel is concerned that costs would become apparent in Jersey, although on a lesser scale, and these concerns are enhanced further after learning that the Commissioner's Office consists of a very small team, particularly with the possibility of extending her remit.
4. The Sub-Panel acknowledges Guernsey's decision in adopting an amendment which increases the Commissioner's information notice power because it has been focussed in one particular area - The European Communities (implementation of Council Directive on Privacy and Electronic Communications) (Guernsey) Ordinance.
5. The Sub-Panel acknowledges that the UK Act applies the seven years required experience and accepts that by removing it from the Data Protection (Jersey) Law 2005, could affect confidence levels in the Tribunal.
6. The Sub-Panel is interested to note that there appears to be a discrepancy between Articles 60 and 55. A person may be liable to 2 years imprisonment under Article 55, but a person may also be liable to 5 years imprisonment under Article 60. Article 55 relates directly to an information notice whilst Article 60 may also potentially relate to an information notice.
7. In comparison to the UK, the Sub-Panel has found that a "reasonable belief" Public interest test has not been added to the Data Protection (Jersey) Law 2005 under Article 55, to protect journalistic activity.

8. Evidence suggests that increasing the penalty to two years imprisonment for unlawful obtaining would act as a deterrent. It was also noted that penalties of imprisonment are incorporated into other Jersey legislation for Data Protection breaches.
9. The Sub-Panel found a potential loophole regarding the amendment to include equipment found on premises, rather than other material' and Article 61 of the Data Protection (Jersey) Law 2005 which refers to any documents and other material.
10. The Sub-Panel noted the inequity between Health and Social Services and other businesses for subject access requests. It was also noted that Jersey should follow the EU Data Protection Directive 95/46EC which states that data should be supplied without excessive expense. During the transitional period when the fee was a maximum of £50 the Health Department used their discretion, on what seemed to the Sub-Panel, a fair basis.
11. The Sub-Panel accepts that there may be an issue of inequality between charities being exempt from the notification fee, and small businesses.
12. Evidence from the Public Hearings suggested that there is a low level of awareness of Data Protection.

2. RECOMMENDATIONS

1. The Sub-Panel would strongly recommend that the Commissioner reconsiders the wording and format of the draft legislation for amendment one as it currently stands.
2. The Sub-Panel recommends that the public are made more aware of the Data Protection Tribunal, and that it is more accessible to the public if an increase in power is to be adopted.
3. The Sub-Panel suggest additional research is carried out into the manpower and financial costs of the proposed amendments, which has been conducted in the UK.
4. The Sub-Panel recommends that Jersey explores the possibility of adopting a Privacy and Electronic Communication Regulation.
5. The Sub-Panel recommends that the seven years required experience for the President of the Tribunal should remain however, a degree of discretion should be allowed. It also suggests that the Law should provide, in addition to discretion, that whilst the person must be a locally qualified lawyer, the seven years' experience need not be as a locally qualified lawyer.
6. The Sub-Panel recommend that penalties for all breaches are clarified before an amendment to increase the maximum penalty for offences under Article 55 is lodged.
7. It is strongly recommended that Jersey should follow the UK precedent by adding a "reasonable belief" public interest test to Article 55 of the Law.
8. The Sub-Panel recommend that there should be a public awareness campaign to address changes in the Data Protection Law. This could be beneficial because it could work in favour of the deterrence factor carried with some of the amendments.
9. The Sub-Panel recommend that the word "equipment" is included in Article 61 to avoid any potential discrepancies in a Court of Law. Furthermore, it recommends that the Law should be revisited to ensure there are no other incidences of potential loopholes.

10. The Sub-Panel suggests that the maximum fee of £50 for subject access requests should be charged across the board. It further suggests that this should remain on a discretionary basis.
11. The Sub-Panel considers charities being exempt from the notification fee as acceptable, however recommends that this is reviewed in the context of small businesses.
12. The Panel recommends that if the amendments were to be adopted, in particular amendment one, the general public and businesses need to be fully aware so that they can comply with the Law.

4. INTRODUCTION

For the purposes of this report:

• Jersey: The Data Protection (Jersey) Law 2005 shall be known as "the Law"
• Ireland: The Data Protection 1988 Act and Data Protection (Amendment) Act 2003 shall be know as the "Ireland" Acts
• UK: The Data Protection Act 1998 shall be known as the "UK" Act
• Guernsey: Data Protection (Bailiwick of Guernsey) Law 2001 as amended shall be known as the "Guernsey" Law.

Globalisation is no longer just a word it is reality – in economic, technological, and social terms.  Data  Protection  is fundamental  in  the global  context.  Regulating  the privacy  of personal  information  and  safeguarding  that  information  is  pivotal  for  governments everywhere. The  amendments  have  been  explored  to  investigate  whether  they  would heighten the Law and make the data protection regime more robust.

On 16th September 2009, the Minister for Treasury and Resources lodged an amendment to the Data Protection (Jersey) Law 2005 (P.147/2009). The amendment called to provide the Commissioner with powers to serve information notices on other relevant persons in addition to data controllers and processors. It also called for the removal of the requirement for the Tribunal President to have seven years' experience standing as an advocate or solicitor.

The Corporate Services Scrutiny Panel took an interest in the amendment and identified that further amendments were to be lodged. The Sub-Panel found it interesting that P.147/2009 stated "that in light of local experience as well as changes made to U.K. legislation, the following amendments to the Data Protection (Jersey) Law 2005 are proposed". This was somewhat ambiguous because the UK has not brought an increased power in this format. The UK has yet to adopt data processors within its Law.

The Minister for Treasury and Resources agreed to withdraw P.147/2009 to enable the Panel to review all the proposed amendments. A Sub-Panel was formed to carry out this review. The  amendments  have not yet been  lodged  by  the  Minister for  Treasury and Resources.

In brief, the proposed amendments to the Law are as follows:

1. Amending the provisions in relation to information notices; if this amendment was adopted, the Commissioner would have an increase in power to serve an information notice on a person other than a relevant data controller or data processor.
2. Amending the professional requirements in relation to the President of the Data Protection Tribunal; if this amendment was adopted, the President of the Data Protection Tribunal would not be required to be of seven years standing as an advocate or solicitor.
3. Amending the maximum penalty applicable to an offence under Article 55 of the Data Protection (Jersey) Law 2005; if this amendment was adopted, the maximum penalty would be increased to two years imprisonment and/or a fine.
4. Amending the power of seizure to include equipment found on premises; if this amendment was adopted, equipment as well as documents and "other material", could be seized under a warrant.
5. Amending the maximum fee chargeable for subject access requests relating to health records; if this amendment was adopted, it would allow data controllers (who are required to respond to subject access requests relating to personal data defined as a health record) to charge a maximum of £50.
6. Amending the provisions relating to subject access exemptions for trustees; if this amendment was adopted, it would allow restrictions on information provision relating to trustees (contained within the Foundation (Jersey) Law 2009) to be recognised within the Law.
7. Amending the provisions relating to subject access exemptions; if this amendment was adopted, it would add Article 41 of the Drug Trafficking Offences (Jersey) Law 1998 to the list of miscellaneous exemption contained within the Data Protection (Subject Access Exemptions) (Jersey) Regulations 2005.
8. Amending the provisions relating to the notification fee from charities; if this amendment was adopted, it would allow data controllers whose sole processing activities relate to charity work to be exempt from the notification fee.

5. BACKGROUND INFORMATION

The main focus of the review are the proposed amendments to the Law, which came into force on 1st December 2005, bringing Jersey into line with European legislation. There are 8 Data Protection Principles[1] which set enforceable standards for the collection and use of personal data:

1. Personal data shall be processed fairly and lawfully;
2. Personal data shall be obtained for only one or more specified and lawful purpose and shall not be further processed in any manner incompatible with that purpose or purposes;
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
4. Personal data shall be accurate and, where necessary, kept up to date;
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes;
6. Personal data shall be processed in accordance with the rights of data subjects under this Law;
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data;
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The Law has been in force for five years and 2008 saw the end of the "transitional period". The transitional period allowed organisations an opportunity to incorporate the substantial new legal requirements contained within the Law into their processes[2].

The Sub-Panel has studied the proposed amendments and during the review it became apparent that amendments one and three could be the most controversial, out of the eight amendments.

During the Public Hearing with the Data Protection Commissioner, the Sub-Panel asked for the reasoning behind each amendment. It identified that the proposed amendments are not retrospective:

"There is no retrospective-ness about it. I base it on my own experience. I base it on discussions with other regulators. The pressure from my ... there is no other agenda other than local legislations looking to us for remedy and the increase in the amount of data going through Jersey companies, especially fulfilment type companies where you have very, very large databases. That is the basis of this. These have been in train for a couple of years now, I think, to put a bit of perspective on it[3]."

During the review the Sub-Panel felt it was important to research other jurisdictions to explore whether they have already adopted the same amendments that Jersey is proposing. Some of the jurisdictions considered, namely Ireland and the UK, are part of the European Union; therefore the European Union and Data Protection which applies to them must be explained.

1. DATA PROTECTION AND THE EUROPEAN UNION

The advance of computer technology is allowing personal data to travel across borders more easily than ever before. As a result, data relating to citizens of one Member State are sometimes processed in other Member States of the European Union. Consequently, because data is collected and exchanged more frequently, regulation on data transfers becomes necessary[4].

National laws regarding data protection demand good data management from bodies that process data, namely data controllers. There is an obligation to process data fairly and in a secure manner and to use personal data only for explicit and legitimate purposes[5]. National laws also guarantee a series of rights for individuals, such as:

• The right to be informed when personal data was processed and the reason for this processing;
• The right to access the data and if necessary;
• The right to have the data amended or deleted.

In the past, national laws on data protection aimed to guarantee the same rights, although some differences existed. These differences could create potential obstacles to the free flow of information[6].

For these reasons, there was a need for action at European level, and this took the form of EC Directives.

2. DATA PROTECTION DIRECTIVE 95/46/EC

The Data Protection Directive (officially known as the Directive 95/46/EC) on the protection of individuals with regard to processing of personal data and on the free movement of such data is a European Union directive. The Directive regulates the processing of personal data within the European Union. It is important to note that it is a fundamental component of EU privacy and human rights law. The directive was implemented in 1995 by the European Commission[7].

The data protection rules apply not only when responsible parties (called the controller in this EU directive) is established or operates within the EU, but whenever the controller uses equipment located inside the EU to process personal data. Therefore, controllers from outside the EU who process personal data inside the EU must comply with this directive. EU Member States set up supervisory authorities whose job is to monitor data protection levels in that State, and to advise the government about related rules and regulations, and to initiate legal proceedings when data protection regulations are broken[8].

3. JERSEY AND THE EU

The Sub-Panel recognises that Jersey is not part of the EU, however, feels it is important to note that the Law is based on the UK Act. The UK is a member of the EU and therefore complies with EU Directives. The UK Act was brought into force to comply with the relevant EU Directive. The Law was brought into force to bring Jersey in line with other European jurisdictions and to achieve "adequacy".

4. UNITED KINGDOM

The UK Act came into force in 1998. It establishes a framework of rights and duties which are designed to safeguard personal data. The framework aims to balance the legitimate needs of organisations to collect and use personal data for business and other purposes against the rights of an individual in respecting the privacy of their personal details. The legislation is underpinned by a set of eight principles[9], which are very much the same as Jersey's.

1. Personal data shall be processed fairly and lawfully and in particular shall not be processed unless –

1. At least one of the conditions in Schedule 2 is met; and
2. In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under the Act
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection  for  the  rights  and  freedoms  of  data subjects  in  relation  to  the processing of personal data.

The  UK's  equivalent  to  Jersey's  Data  Protection  Commissioner  is  the  "Information Commissioner".  The  Information  Commissioner  is  the  UK's  independent  authority  who upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Commissioner has responsibilities in respect of freedom of information as well as data protection[10].

5. IRELAND

The main Irish law dealing with data protection is the Data Protection Act 1988. The 1988 Act was amended by the Data Protection (Amendment) Act 2003. The 2003 Act brought the Law in line with the EU Data Protection Directive 95/46/EC.

6. GUERNSEY

The Guernsey Law came into force in 2001. The Law is intended to bring the level of protection within the Bailiwick up to an adequate standard. The statutory instruments giving effect to the Law were made by the Advisory and Finance Committee in July 2002 and were laid before the States, enabling the Law to come into force on 1st August 2002. Subsequent secondary legislation had been made in 2002, and further amendments to the Guernsey Law came into force on the 1st March 2010.

The Guernsey amendments include:

• Amendment to increase the notification fee from £35.00 to £50.00;
• Amendment to insert a new section "Exclusion of Liability";
• Amendment to ensure a person guilty of an offence under section 55 is liable on  summary  conviction (Magistrates),  to  imprisonment  for  a  term  not exceeding  12  months,  and  a  conviction  on  indictment (Royal  Court),  to imprisonment for a term not exceeding 2 years or to a fine, or both.

7. HUMAN RIGHTS LEGAL OPINION

The Human Rights (Jersey) Law 2000 was adopted by the States in February 2000 and came into force in December 2006. The Sub-Panel sought a legal opinion[11] from Mr J. Cooper of Doughty Street Chambers, London on the following issues:

• What human rights issues are raised by, in particular, amendment one, which increases the Commissioner's power to issue an information notice on a person other than a data controller or data processor?
• Taking into account the issues, is the situation human rights compliant?
• Should it be advised that the amendments are not human rights compliant, what recommendations for changes would render them compatible?

Mr Cooper explained that he expresses particular concern in relation to amendments two and six:

The amendments of particular concern in the above list relate to the professional requirements of the Tribunal President and the effective exemption of Foundations from the scope of the Data Protection (Jersey) Law. Both of these potentially raise serious human rights concerns, whereby the amendment itself (if passed into law) could be found in breach of the Human Rights (Jersey) Law 2000. Consequently, there are doubts that these amendments, as currently formulated, could be given a statement of compatibility under Article 16 of that Law.

Full analyses of Mr Cooper's opinions are explained after each section of the amendments. The Sub-Panel has not had the opportunity to receive comments from the Law Officers Department on Mr Cooper's legal opinion.

The draft legislation for the proposed Jersey amendments can be found in appendix one.

6. AMENDMENT ONE

1. THE PROPOSAL

Amending the provisions in relation to information notices; if this amendment was adopted, the Commissioner would have an increase in power to serve an information notice on a person other than a relevant data controller or data processor.

The Law, in its current form only enables the Commissioner to serve an information notice on a data controller and a data processor only. During the Public Hearing, the Commissioner outlined two cases where an individual, in possession of the required information, had been willing to divulge the information, even though they were not a data controller or processor. Although there had also been two occasions where the individual, in possession of the required  information,  had  been  unwilling  to  divulge  the required information.  The Commissioner said:

"..there  have  been  a  couple  of  occasions,  and  they  have  been  very  serious occasions, where the individual has just said: "No, we are not going to assist." It poses a very huge problem for us, because if we do not know where the source of the security breach, for example, is we cannot investigate it, so we have had to walk away on a couple of occasions[12]."

The Sub-Panel notes that the Commissioner referred to "a couple of occasions" whereby she was unable to acquire information. Considerable concern was expressed with this amendment as the Sub-Panel felt that Jersey may possibly be over legislating for something that occurs infrequently. Even if an individual is not willing to divulge the source of the information, police assistance can be sought by the Commissioner in certain circumstances:

"On  a  couple  of  other  occasions  we  have  sought  police  assistance  to  further investigate under Article 55 to require that person to provide us with evidence under caution. On those occasions where the police have become involved I still remain slightly uncomfortable that it seems to be a bit of a leap that if we could obtain the information through the regulatory route it would be preferable. It would be less, I have used the word: "heavy handed" in the report and that really to sum it up is how I feel[13]."

"PLUGGING THE GAP"

The Commissioner considers there to be a gap in the current Law:

"We are not handing the investigation over to the police, but we are asking for police assistance under our law. So the power is in the law now but there seems to be a gap as everything else seems to be reasonable steps. At each point you can take the next step to move it up a notch. There seems to be a step missing here that either the investigation falls away because you have not been able to get the information off the person or you bump it up to a criminal[14]."

In circumstances where an individual has not agreed to provide information voluntarily and where there are no grounds for a police investigation pursuant to Article 55, the Commissioner has had to cease an investigation where it is believed that there is still a potential breach to be investigated. The Commissioner's view is that there is therefore a gap in the powers available.

It is also the Commissioner's view that in some circumstances dealing with a matter under Article 55 is "heavy handed" and that matters could be better dealt with under the regulatory powers which are sought by amendment one.

Although a balance needs to be identified between the regulatory and the criminal sanction of the Law, the Sub-Panel is somewhat apprehensive that an information notice could be served on an individual such as a neighbour:

"If information about you, if your neighbour comes up to you today and says: "Oh, I hear X, Y, Z about you" and you think: "Well, only 5 people know that and I have kept that information secure" and you complain to us that that information somehow has leaked out from one of those 5 organisations, think about your medical records or a job application or anything that you want to keep private and we say to you: "Sorry" because we cannot approach your neighbour and ask them where they got it from. We do not want to treat neighbours as criminals, we just need them to provide us the information so that we can look to the source. If somebody has left your application form or your medical records somewhere, somebody has not looked after that data properly then we need to know about it and very rarely that route is only available to us via an individual as opposed to an organisation[15]."

However, extending the Commissioner's power may help to prevent an individual, such as a neighbour,  from  being  treated  as  a  criminal  and  ensure  the  Commissioner is  able  to approach the role in a more regulatory manner. It has to be noted that an individual could still be party to criminal action if they do not comply with the information notice that is served upon them. Bearing this in mind, by introducing a wider power such as this, could cause confusion and complications in an already complicated piece of legislation.

KEY FINDING

The wording of proposed amendment one causes concern to the Sub-Panel in its current context.

RECOMMENDATION

The Sub-Panel would strongly recommend that the Commissioner reconsiders the wording and format of the draft legislation for amendment one as it currently stands.

The Legislation currently sets the onus on the data controller to ensure that any personal information  processed  within  their  organisation  is kept  secure,  from  the  current Commissioner's perspective this will still be the case. The amendment looks to obtain information from an individual in order to identify the data controller who has possibly breached the law:

"What you are trying to do is to establish which data controller it is that has got the problem. Your flow stops there and really once the information is given to us if the information ... we have had a case where a file was left on the top of a bin in King Street and the person that found it, we do not have any beef with them at all. We need to know where they found it, which office was it near so that we can start looking at where ... there was highly sensitive information in that file and as I say that person walked into our office and said: "Look what I have just found" and we looked at it horrified. We had a number of people, it would have to go to about half a dozen people now but if that person had said: "I saw that office worker dump it on that bin" we need to know that. So as to the individual I see what you are saying about the sanction and ultimately if you are serious about a law you have to say: "Listen, what we say goes or there is a sanction" but we need to find the source of that problem, so you are focusing on the data controller. We are not looking at individuals and saying you have got a whole regulatory regime to deal with. They have got their domestic use exemption. That all applies. It is just about when and if one individual comes to us and feels that they have had their rights infringed under this law it is how we get to the source of the problem. So I do think it is proportional, I do think it is reasonable[16]."

This in turn heightened the interest of the Sub-Panel as to the checks and balances that will be in place to ensure the power could not be used unnecessarily. The draft legislation as currently formatted would require the Commissioner, when serving an information notice, to explain her reasoning for doing so, at which point if the person of which the information notice has been served upon does not believe this is appropriate, they can call upon the Data Protection Tribunal to appeal against the notice.

KEY FINDING

The  Sub-Panel  acknowledges  that  a  person  can  appeal  against  an  information  notice however, is concerned that not everyone is aware of data protection. If the Commissioner has an increased power in its current format to issue anyone with a notice, the public need to be aware that there is an appeal process.

RECOMMENDATION

The Sub-Panel recommends that the public are made more aware of the Data Protection Tribunal, and that it is more accessible to the public if an increase in power is to be adopted.

2. DEPARTMENTAL EFFECTS

The views from the States of Jersey Police were sought, in relation to the effect on police workload of amendment one, if it was adopted. The Sub-Panel found it interesting that cases relating to this amendment were not common:

"The number of cases specific to this amendment are few and far between. It is anticipated  that  some benefit  may  result  in  terms  of  potential  reduction  in  Police workload due to introduction of this amendment. This is due to the fact that at present, where the Commissioner has narrower' powers to serve and information notice, then the Commissioner is reliant on a need to seek police assistance to progress the matter by use of specific police powers[17]."

3. THE POSITION IN THE UK

The Information Commissioner in the UK has been pressing for the same increase in power. Currently the Information Commissioner's information notice power under the UK Act only enables him to require information from the data controller, whereas the Commissioner in Jersey already has the power to serve an information notice on both a data controller and a data processor. The Information Commissioner has some information gathering powers under the Regulation of Investigating Powers Act, but these can only be used in the investigation of criminal offences. These are circumstances where he needs to obtain information from someone other than the data controller in order to investigate non-criminal data protection breaches. This happens most commonly in relation to breaches of the Privacy and Electronic Communications Regulations 2003 (PECR), where it may be necessary to identify for example, who the subscriber to a particular phone or fax number is, or who is behind' an e-mail address or website[18].

The Sub-Panel sought the views of the Deputy Information Commissioner in the UK. Regarding this matter, he stated in an email to the Sub-Panel:

"The most pressing reason why we have argued for such a power is to enable the investigation of breaches of the Privacy and Electronic Communications Regulations 2003. When an unsolicited phone call, fax or email is received it is not always clear to the recipient who the originator of the message is. It is this originator who will be the relevant data controller on whom the regulations bite. They therefore need to be identified by the Commissioner. Typically it is the provider of the relevant telecommunications service who holds the information necessary to identify who the subscriber to a particular phone number is, or who is "behind" an email address or website. Without access to such information it can prove impossible for the Commissioner to either identify the sender of an offending message or tie an offending message evidentially to a particular sender. The Commissioner therefore needs the power to serve an information notice on a telecommunications service provider and not just on a data controller."

The Sub-Panel found it interesting that the case put forward by the Information Commissioner appears to have been based predominately but not exclusively on the need to address concerns in relation to investigations concerning PECR. This was also a concern of the Minister for Economic Development, who raised the issue in his letter dated 3rd March (appendix 7):

"Although the Commissioner's Report states that difficulties have been encountered in obtaining information in the course of investigations, no details are provided and I am not aware that PECR breaches are of particular concern in Jersey. I would therefore question the need for the Commissioner to have the extended powers that were requested, but ultimately not granted, in the United Kingdom[19]."

The Deputy Information Commissioner also mentioned that they have been pressing for an increase in power in order to help:

• make the initial identification of the relevant data controller, assisting our investigation of cases where a number of organisations are involved in a complex data processing operation;
• obtain evidence of a data controller's breach from someone other than the data controller themselves;
• investigate the processing of personal data carried out on behalf of a data controller by a data processor;
• obtain further information where a security breach by a data processor may be causing problems for a number of data controllers that it provides services for, whose identity we may not know and who may themselves be unaware of the problem.

CORONERS AND JUSTICE ACT 2009 IN UK

The Coroners and Justice Act 2009 received Royal Assent on 12 November 2009 and in comparison to Jersey's amendment one, included measures to:

• amend the UK Act to strengthen the Information Commissioner's inspection powers

In an impact assessment (enhancing the inspection powers of the Information Commissioner), the Ministry of Justice published a paper in January 2009 to summarise the invention and options in amending the UK Act for the Information Commissioner to have enhanced powers when issuing inspection powers.

Enhancing the inspection powers of the Information Commissioner would ensure, according to the Ministry of Justice, that the Information Commissioner has access to the information he  requires  to  effectively  carry  out  his  duties,  particularly  when  the Information Commissioner suspects a data controller is trying to evade investigation.

The  paper  also  outlined  the  cost of  promoting  good  practice  and  encouraging  data controllers  to  come  forward  for  advice, and  enforcing  compliance  and  enhancing  the inspection powers of the Information Commissioner:

Figure  1:  Impact  Assessment  Enhancing  the  inspection  powers  of  the  Information Commissioner

It found that there would be significant costs to the Information Commissioner's Office. The Ministry of Justice is currently looking into the funding arrangements of the Information Commissioner's Office for his increased data protection work.

The Sub-Panel is aware that this does not relate specifically to amendment one and would not incur the costs as quoted above, however it does demonstrate that thorough research has been carried out in the UK. The Sub-Panel would expect there to be some costs to the Commission, but this would be significantly lower for a small jurisdiction such as Jersey. The Commission maintains that no such costs are envisaged with the proposed amendments. The Sub-Panel is concerned that this has not been explored fully as it has been within the UK. The Commissioner in Jersey mentioned that she is working with a very small team which consists of herself, a Deputy Commissioner and two administrative support staff:

"I am fiercely tight when it comes to money and I am fiercely protective of what is a very effective team with very limited resources and a very wide remit. There are huge advantages to having a small team but what I have found is when I first started in this job it was a very proactive task I had to educate, get out there and talk about the message, especially when the law was coming in. In a sense, I am sort of reaping the rewards of that now because ... also it is a change in climate generally, but people are much more willing to come forward and complain. The one thing that does concern me, for the record, is our capacity for dealing with complaints. We are struggling[20]."

KEY FINDING

The Sub-Panel is concerned that costs would become apparent in Jersey, although on a lesser  scale,  and  these  concerns  are  enhanced  further  after  learning  that  the Commissioner's Office consists of a very small team, particularly with the possibility of extending her remit.

RECOMMENDATION

The Sub-Panel suggest additional research is carried out into the manpower and financial costs of the proposed amendments.

FREEDOM OF INFORMATION CAMPAIGN

The Sub-Panel sought the views of Mr Maurice Frankel, Director for the Campaign for Freedom of Information in the UK. Mr Frankel asks whether this amendment might allow information about journalists' sources to be obtained without following the Law's existing safeguards for journalism.

Mr Frankel explained that currently, media organisations have special protection from the data protection provisions because Article 10 of the European Convention on Human Rights which recognises the need to protect freedom of expression.

Pursuant to the Law, personal data which are processed only for the purposes of journalism are exempt from, most notably in these circumstances, a data subject access request if:

• the processing is undertaken with a view to the publication by any person of journalistic material; and

• the data controller reasonably believes publication would be in the public interest having regard to the special importance of the public interest in freedom of expression; and
• the data controller reasonably believes that in all the circumstances, compliance with the relevant provisions of the Law is incompatible with the purposes of journalism.

Mr Frankel queries whether it may be possible that the enhanced power to serve information notices might allow a notice to be served on someone suspected of being a journalist's source,  requiring the individual to provide information confirming that he or she is the source. He goes on to state:

"At present, no information notice could be served on such individuals. There may also be other implication for media reporting, or the uncovering of wrongdoing. The result might be to permit an interference with freedom of expression of a kind which the existing Law seeks to restrict."

The Sub-Panel acknowledges Mr Frankel's point that even with the current safeguards around "special purposes" additional safeguards have been introduced in the UK.

4. THE POSITION IN IRELAND

In contrast to the UK and Jersey, the Ireland Act already allows the Commissioner to issue an information notice on any other person.

The Sub-Panel was provided with written submission from the Deputy Commissioner in Ireland explaining that an information notice had not been issued and the amendment was brought in because it would be useful' to have the ability to issue a notice to any other person:

"the Commissioner has not served an information notice on any entity that is neither a data controller or a data processor but certainly as we see more individuals send unsolicited emails etc it would seem that having an ability to serve an information notice in such circumstances is useful."

The Sub-Panel understand that if this amendment is adopted it may not be used frequently, if at all, and would not necessarily mean it would not be a desirable aspect of the Law. However noting the Sub-Panel's earlier comments relating to serving an information notice on an individual such as a neighbour it should be duly noted that the Deputy Commissioner provides an example with regards to electronic communication.

5. GUERNSEY

The Sub-Panel found it interesting to note that Guernsey had adopted  The European Communities (Implementation of Council Directive on Privacy and Electronic Communications) (Guernsey) Ordinance, in 2004. The Ordinance states:

"The purpose of this Ordinance is to implement in respect of the Islands certain provisions concerning the processing of personal data and the protection of privacy in the electronic communications sector as referred to in the Directive, with the intent that standards of protection within the Islands meet or are consistent with the standards provided for by the Directive [2002/58/EC on privacy in the electronic communications sector]."

As explained in section 6.3, the UK Information Commissioner has put forward his case for extended power in issuing information notices to any person primarily, but not exclusively, because of the need to address concerns in relation to investigations concerning privacy and electronic communications breaches.

This Ordinance has been amended into the Guernsey Law to allow the service of an information notice on any relevant person, with effect from 1st March 2010. These Regulations accord closely with those which came into force in the UK at the end of 2003.

The Sub-Panel found it interesting to note that no such regulations concerning Privacy and Electronic Communications have been adopted in Jersey. It is also worth pointing out that Guernsey has enacted the Ordinance into its Law, consequently focussing it into privacy and electronic communications breaches. Jersey draft legislation on the other hand, allows a notice to be issued to any person, not relating it specifically to privacy and electronic communication breaches. Therefore, the Sub-Panel questions the need for amendment one.

The Sub-Panel's advisor, Advocate Ruelle, also makes a point in her report[21], in relation the PECR Regulations and Guernsey:

It is understood that the Data Protection (Bailiwick of Guernsey) (Amendment) Ordinance 2010  (the  "Amendment  Ordinance")  amends  the  Guernsey  Law.   The  Amendment Ordinance appears, in summary, to extend the Guernsey Commissioner's powers to serve information  notices,  in  certain  circumstances,  on  data  processors  in  addition  to  data controllers. Prior to the coming into force of the Amendment Ordinance, it is understood that the  Guernsey  Commissioner  was  only  able  to  serve  an  information  notice  on  a  data controller.

[The]  Guernsey  law has  been  amended  to  allow  the  service  of  information  notices concerned with alleged breaches of electronic communications regulations on any person (although the author of this report has been unable to locate the amending provision to the Guernsey Law which effects this).

Therefore, it appears that in Guernsey, the power to serve information notices on any person only extends to alleged breaches of the electronic communications regulations, which the author takes to mean the Ordinance or subordinate legislation thereunder.

KEY FINDING

The  Sub-Panel  acknowledges Guernsey's  decision  in adopting  an  amendment  which increases the Commissioner's information notice power because it has been focussed in one particular area - The European Communities (Implementation of Council Directive on Privacy and Electronic Communications) (Guernsey) Ordinance 2004.

RECOMMENDATION

The Sub-Panel recommends that Jersey explores the possibility of adopting a Privacy and Electronic Communication Regulation.

6. HUMAN RIGHTS

Mr.  Cooper of  Doughty  Street  Chambers  and  a  human  rights  expert welcomes  this amendment to the Law. He believes that Article 43 as amended, and coupled with existing safeguards built into the Law, which guarantee the right to appeal, and the suspension of the process whilst the appeal is pending, as well as the duty to make a statement explaining why the information notice is being served, will enhance the data protection regime in Jersey[22].

7. AMENDMENT TWO

1. THE PROPOSAL

Amending  the  professional  requirements  in  relation  to  the President  of  the  Data Protection Tribunal; if this amendment was adopted, the President of the Data Protection Tribunal would not be required to be of seven years standing as an advocate or solicitor.

According to the Commissioner, amending the professional requirement of the President of the Data Protection Tribunal would "widen the pool of people that we have to choose from[23]". Data Protection is a specialised area, and by removing the requirement for the President to be of seven years standing as an advocate or solicitor would allow more people to choose from.

2. HUMAN RIGHTS

Initially  the  Sub-Panel  was of  the  view  that  this  amendment  is  not  controversial, and therefore accepted the reasoning behind it. However, the legal opinion sought from Mr J. Cooper suggests that this amendment could undermine confidence in the Tribunal.

Mr Cooper goes on to state that the Data Protection Tribunal, by definition, would be dealing with  matters  of  law and  fact of  significant  complexity.  He  believes  that  if  proposed amendment one is accepted, that complexity will be increased. Therefore, the President of the Tribunal has to have sufficient standing, as well as its appearance, to be able to manage these issues and inspire confidence in all concerned. Mr Cooper considers removing the professional requirement qualification of seven years standing could undermine confidence in the Tribunal.

Mr Cooper has referred to Article 6 of the European Convention on Human Rights (ECHR), in order to fully understand the human rights compliance issues with this amendment. The right to fair trial is provided for in Article 6 of the ECHR. The reference in this right to an independent and impartial tribunal established by law has been interpreted to require that an independent and impartial tribunal is a competent one which necessitates that the tribunal is appropriately qualified. Mr Cooper states that a tribunal, for these purposes, need not necessarily be composed of professional judges, but the tribunal will need to have proven experience in the application of law.

Mr Cooper's advice goes on to state:

It is acknowledged that there is an appeal from the Tribunal to the Jersey judicial system (on a point of law only), and, whilst this provides additional fair trial safeguards, it will not be enough, in my opinion, to cure any original structural defects in the first instance hearing. I am, therefore, of the view that this proposed amendment, without further safeguards being built in, could be challenged as violating both the right to a fair trial and the right to privacy, with its built in procedural safeguards, as guaranteed by the ECHR.

For  this  amendment  to  be  compatible  with  the  Human  Rights  (Jersey)  Law,  the authorities will have to be able to guarantee that the President is appropriately qualified and that the tribunal is competent to guarantee a fair hearing. There may be other provisions of Jersey law and practice that can be referred to that can ensure that the composition of the tribunal can guarantee the fairness of the hearing.

Mr Cooper concludes by recommending that before amendment two is put to the States, the removal of the professional requirement for the President of the Tribunal is reconsidered.

The Sub-Panel agrees with Mr Cooper that the removal of the professional requirement of seven years could have a significant effect regarding confidence levels in the Tribunal. It is interesting to note that the seven years is also requested under the UK Act which states that the person needs seven years' general qualification.

The Sub-Panel has taken into consideration the points Mr Cooper has raised, and believes that the Law should provide a degree of discretion, which would permit a candidate with at least three years experience to be considered if they were otherwise suitably qualified. The Sub-Panel also suggests that, whilst the person must be a locally qualified lawyer, the seven years' experience need not be as a locally qualified lawyer. The Sub-Panel considers it important to employ a President who is senior because effectively, he or she may need to overturn what the Commissioner has decided.

KEY FINDING

The Sub-Panel acknowledges that the UK Act applies the seven years required experience and accepts that by removing it from the Data Protection (Jersey) Law 2005, could affect confidence levels in the Tribunal.

RECOMMENDATION

The Sub-Panel recommends that the seven years required experience for the President of the Tribunal should remain however, a degree of discretion should be allowed. It also suggests that the Law should provide, in addition to discretion, that whilst the person must be a locally qualified lawyer, the seven years' experience need not be as a locally qualified lawyer.

8. AMENDMENT THREE

1. THE PROPOSAL

Amending the maximum penalty applicable to an offence under Article 55 of the Data Protection (Jersey) Law 2005;  if this amendment was adopted, the maximum penalty would be increased to two years imprisonment and/or unlimited fine.

The Commissioner is requesting that a period of imprisonment and unlimited fine should be adopted under Article 55 of the Law:

"This is something that has been in the pipeline in the U.K. for some time and it is something that has been raised in meetings with the information commissioner and the other islands over the last couple of years. They have clearly been pushing for this amendment over there[24]."

It was also reasoned to be a deterrent factor:

"I will not use any names but, you know, ABC.com, if it is selling C.D's or whatever and it has been offered £5,000 for 5,000 names to be sent to India, he is going to be sitting there, or she is, saying: "Well, is it worth my while if my company just gets fined or I might get the sack and I will go somewhere else", but if he or she is going to be possibly hauled before a court and possibly imprisoned for a maximum of 2 years, there may well be a deterrent factor[25]."

The Sub-Panel accepts that amendment three of Article 55 may act as a deterrent, however, would like to note the uniqueness of a small jurisdiction such as Jersey. A balance needs to be struck as to how the legislation is used.

A letter received from the Minister for Home Affairs mentioned that he was advised that the draft Sex Offenders Law did not need to be re-drafted because the Data Protection Law would provide an appropriate remedy, provided that the penalties were increased:

".I did indicate to the Assembly during the debate on the Sex Offenders (Jersey) Law 2010  that  there  were  no  specific  criminal  penalties  for  wrongful  disclosure  of information contained in that Law. It followed from this that we would be relying upon the penalties created in the Data Protection Law. I then indicated that I was firmly of the view that these would need to be increased in order to include a power of imprisonment for up to a maximum of two years[26]."

In comparison, the Sub-Panel found it interesting that a maximum penalty for unlawful obtaining of data can also be seen in other legislation in Jersey. The Banking Business (Depositors Compensation) (Jersey) Regulations 2010 were approved by the States on 3rd February 2010 and came into force on 10th February 2010:

14 Restricted information

1. Except as provided by paragraphs (2) and (3), a person who receives information relating to the business or other affairs of a person –

1. under or for the purposes of these Regulations; or
2. directly or indirectly from a person who has received the information under or for the purposes of these Regulations,

is guilty of an offence and is liable to imprisonment for a term of 2 years and a fine if he or she discloses the information without the consent of the person to whom it relates and, if sub-paragraph (b) applies, the person from whom it was received[27].

If a maximum penalty of two years is found in other legislation in Jersey, the Sub-Panel are of the opinion that it would only be logical for legislation to complement one another.

DISCREPANCIES BETWEEN ARTICLES

Under Article 60 (false information) of the Law it states:

2. Any person who knowingly or recklessly provides the Commissioner, or any other person entitled to information under this Law, with information that is false or misleading in a material particular shall be guilty of an offence if the information is provided in connection with an application under this Law.
3. A person who is guilty of an offence against this Article shall be liable to a term of imprisonment of 5 years and to a fine.

The Sub-Panel wonders why the penalty for a person providing false or misleading information to the Commissioner is a penalty of five years and a fine, and the penalty, if amendment three was adopted, for unlawful obtaining of personal data under Article 55 is two years. As explained in Section 6, failure to comply with an information notice may be an offence under Article 55. However, Article 60 could potentially apply to failure to comply with information notices.

Under Article 47 of the Law it says that a person is guilty of an offence for failing to comply with an information notice. It also states that the person is guilty if a statement is made that the person knows to be false in a material respect:

47 Failure to comply with notice

1. A person who fails to comply with an enforcement notice, information notice or special information notice is guilty of an offence.
2. A person is guilty of an offence if the person, in purported compliance with an information notice or special information notice –

1. makes a statement that the person knows to be false in a material respect; or
2. recklessly makes a statement that is false in a material respect.

3. It is a defence for a person charged with an offence under paragraph (1) to prove that the person exercised all due diligence to comply with the notice in question.

Both Article 60 and 47 refer to knowingly making false statements, and according to the Law it would seem that a person who knowingly makes a false statement to the Commissioner is liable for five years imprisonment, and a person who unlawfully obtains personal information is liable to two years imprisonment. The Sub-Panel questions this discrepancy between the Articles and strongly suggest that penalties for all breaches are clarified, before the amendment is lodged.

This discrepancy was also highlighted in Advocate Ruelle's report:

There appears, therefore, to be some inconsistency and uncertainty in the penalty that the Court may impose in relation to information notices, for example:

• it is clear that failure to respond to an information notice at all is an offence for which the penalty is a fine;
• however,  if  an  individual  were  to  provide  false  information  in  response  to  an information notice, this appears to be an offence both under Article 47 and Article 60. It would appear to be the case that given the specific reference in Article 47 to offences in relation to providing false information in response to an information notice and  that  Article  60  is a  more  general offence,  Article 47  would apply  in these circumstances. If that is correct, then the penalty would be a fine alone. However, if a prosecution were instead to be brought under the provisions of Article 60, then the penalty would be up to 5 years imprisonment and/or an unlimited fine. It may, of course, be the case that offences in this regard would be committed under both Articles 47 and 60. This, however, leads to a situation where the penalties which may be imposed for essentially the same offence are dramatically different;
• a  further  difficulty  arises  in  situations  where  an  individual  provides  misleading information  in  response  to  an  information  notice.  In  this  case,  this  would  not constitute an offence under Article 47 (which only deals with the provision of false information) but it does appear to be caught by the offences set out in Article 60. In this circumstance, therefore, a person may be liable to a term of imprisonment of up to 5 years and an unlimited fine for providing misleading information when under Article  47  read  in  conjunction  with  Article  61,  the  penalty  for  providing  false information, which would appear to be the more serious offence, is a fine alone.

It is suggested that the issues relating to penalties for breach of Article 47 should be considered further if this amendment is to be adopted.

The Sub-Panel notes that a penalty of imprisonment refers to the maximum term which can be imposed for the offence, as set out in the "Interpretation (Jersey) Law 1954".

KEY FINDING

The Sub-Panel is interested to note that there appears to be a discrepancy between Articles 60 and 55. A person may be liable to 2 years imprisonment under Article 55, but a personal may also be liable to 5 years imprisonment under Article 60. Article 55 relates directly to an information notice whilst Article 60 may also potentially relate to an information notice.

RECOMMENDATION

The  Sub-Panel  recommend  that  penalties  for  all breaches  are  clarified  before  an amendment to increase the maximum penalty for offences under Article 55 is lodged.

2. DEPARTMENTAL EFFECTS

In his letter, the Minister for Home Affairs clarified that an increased penalty of two years imprisonment for unlawful obtaining would not have an impact on the States of Jersey Police or the HM Prison.

Statistics provided to the Sub-Panel from the States of Jersey Police indicate that since the introduction of the Law, there have been seven crimes recorded under Data Protection legislation  in  Jersey. Within  the  statistics  it  was  also  noted  that  an  additional  thirteen offences were recorded against the Computer Misuse (Jersey) Law 1995, where experience frequently revealed that such offences may originate from investigation of alleged breaches of the Law, according to the Acting Chief Officer.

When questioned about the effects amendment three would have on the business fraternity, the Minister for Economic Development was of the opinion that the current system of a fine was already appropriate':

"A law to be effective has to have again an appropriate sanction otherwise it is going to be open for abuse. I mean the level of financial penalty is probably more appropriate, I think. An imprisonment or potential imprisonment is quite a heavy sanction[28]."

Further to the Public Hearing, the Minister for Economic Development provided a letter to the Sub-Panel (see appendix 7) which reiterated some of the concerns he expressed during the  Hearing.  Enclosed  was  also  a  letter  from  Jersey  Finance,  outlining  its  Members' concerns.

JERSEY FINANCE

Jersey Finance believes that a new amendment should be proposed, which would amend the obligation to make a notification. It believes that exemptions should be proposed to this clause in relation to where the personal data is kept:

1. in connection with the share and option plans for employee, directors and consultants of the company, any of its subsidiaries or any company in which the company is a shareholder (since participation in such plans is voluntary so any person will volunteer their personal data in order to participate); and
2. for any reason stipulated in a company's articles of association (Jersey listed PLC's often include provisions in their articles which seek to replicate provisions under English law which give rise to, for example, a shareholder to nominate a person to have "information rights" to receive notices of a meeting).

4. THE POSITION IN THE UK

In relation to Jersey's amendment three, sanctions currently available to the Information Commissioner in the UK under the UK Act are primarily concerned with bringing an organisation's future to comply with the UK Act. Mostly, they do not allow a penalty to be imposed for breaches that have already taken place. In some limited areas, the UK Act creates criminal offences, which may lead to prosecution. This is where the offence is sufficiently serious to warrant a criminal penalty. The principal offences are:

• Section 17 – processing without registration
• Section 55 – unlawful obtaining of personal data

These offences are currently punishable by a fine of up to £5000 in a Magistrates' court or an unlimited fine in the Crown Court. Similarly to Jersey, draft legislation to introduce the possibility of a custodial sentence for a section 55 offence is now before Parliament[29].

FREEDOM OF INFORMATION CAMPAIGN

As with amendment one, the Sub-Panel sought the views of Mr Maurice Frankel. Mr Frankel explained that a similar amendment to the UK Act has been enacted but not yet brought into force. According to Mr Frankel, the amendment in the UK has caused controversy because it is thought capable of affecting legitimate journalistic activity.

Mr Frankel goes on to say that the new and still dormant UK provision contains a safeguard for journalism not found in the current Jersey proposal. This takes the form of an improved public interest defence for a person who shows that he (a) acted for the special purposes'; (b) with a view to the publication of material for one of those purposes; and (c) in the reasonable belief that in the particular circumstances the obtaining, disclosing or procuring [of the information] was justified as being in the public interest.

The Sub-Panel noted that this new defence is in addition to an existing public interest defence found in the UK Act and in Article 55(3)(d) of the Jersey Law. Both apply where disclosure can be shown to have been "justified as being in the public interest". It is worth noting that the additional UK public interest defence goes beyond this, in that it introduces a "reasonable belief" element into the public interest test. Mr Frankel explains that this is intended, in part, to address concerns that legitimate journalistic activity might be otherwise inhibited by the existing public interest test.

Mr Frankel concludes by saying:

"The reasonable belief public interest test is still an objective test (i.e. the test is whether a reasonable person would have believed the disclosure to be in the public interest). If the current Jersey amendment is proceeded with there would be a strong argument for following the UK precedent and adding such "reasonable belief" public interest test to Article 55."

The Sub-Panel noted that a public interest test is already found in Article 32(1)(b) of the Jersey Law, though it serves a different purpose there. It is interesting to note that the Commissioner commented on journalistic activity, when questioned about whether journalists are covered:

"Journalists are already covered. This would not add anything to journalists, no. Journalism is already covered[30]."

This issue was also highlighted by Advocate Ruelle:

Article 55 of the [Jersey] Law currently provides that a person will not commit an offence if the person can show that "in the circumstances of the case, the obtaining, disclosing or procuring was justified as being in the public interest." There is no equivalent of the "reasonable belief" text.

KEY FINDING

In comparison to the UK, the Sub-Panel has found that a "reasonable belief" Public interest test has not been added to the Data Protection (Jersey) Law 2005 under Article 55, to protection journalistic activity.

RECOMMENDATION

It  is  strongly  recommended  that  Jersey  should  follow  the  UK  precedent  by  adding  a "reasonable belief" public interest test to Article 55 of the Law.

4. THE POSITION IN GUERNSEY

The Sub-Panel learned that Guernsey has already adopted an amendment that would add a prison sentence for a section 55 offence:

Assistant Commissioner, Guernsey:

"These amendments have been approved and are coming into force as from 01/03/10, i.e. within the next week. Then there will be prison sentences available for section 55 offences.

To date there has only been one prosecution under section 55 of our law. This concerned a policeman who disclosed the criminal record of his girlfriend to his live-in partner. He was found guilty of one count under section 55 and two counts under the Computer Misuse Law. He received a fine (about 2.5K) and was dismissed from the force.

I confirm that the penalties which Jersey is proposing for section 55 offences concur with the penalties to be available in Guernsey as from 01/03/10."

5. HUMAN RIGHTS

Mr  Cooper's  advice  explains  that  presuming  the  sentencing  powers  are  exercised proportionately; it is unlikely that any human rights concerns would arise under amendment three. He believes that this amendment would provide greater clarity and certainty.

KEY FINDING

Evidence  suggests  that  increasing  the  penalty  to  two  years  imprisonment for  unlawful obtaining would act as a deterrent. It was also noted that penalties of imprisonment are incorporated into other Jersey Legislation for Data Protection breaches.

RECOMMENDATION

The Sub-Panel recommend that there should be a public awareness campaign to address changes in the Data Protection Law. This could be beneficial because it could work in favour of the deterrence factor carried with some of the amendments.

9. AMENDMENT FOUR

1. THE PROPOSAL

Amending  the power  of  seizure  to  include  equipment  found  on  premises;  if  this amendment was adopted, equipment as well as documents and "other material", could be seized under a warrant.

This  amendment was  reasoned  by  the  Commissioner  as  making  the  Law  more "watertight"[31].

"if we are going in on a data protection issue and the only area where that data is present is on a computer, we want to take the computer, get the data, and return the equipment. The advice given to me is that it is probably okay to do that now but I do not want "probably". I want "definitely" [32]."

During the review the Sub-Panel found a potential loophole in relation to this amendment and Article 61, which concerns general provisions relating to offences. It states:

(3)  A court by or before which a person is convicted of –

1. an offence under Article 21(1), 22(7), 55 or 56;
2. an offence under Article 21(2) relating to processing that is assessable processing for the purposes of Article 22; or
3. an offence under Article 47(1) relating to an enforcement notice,

may order any document or other material used in connection with the processing of personal data and appearing to the court to be connected with the commission of the offence to be forfeited, destroyed or erased.

If the proposed amendment is clarifying the Law by adding equipment and separating it from other material, this could potentially cause problems in a Court of Law. Article 61 only refers to "any document or other material" which a Court may order relating to a case. The Sub- Panel question whether the person convicted could refuse to provide equipment on the basis of this loophole.

The Sub-Panel are of the opinion that if equipment is included in Schedule 9, it should be included, where appropriate, in other provisions of the Law such as Article 61. Furthermore, it recommends that the Law should be revisited to ensure that there are no other incidences of potential loopholes.

Advocate Ruelle also mentions this loophole in her report:

On one reading of the Law, as drafted, there is some concern that given that equipment is mentioned only in the context of inspection, examination, operation and testing, the power to seize may not extend to equipment.

There is also, however, a suggestion that the power to seize "other materials" may extend to a power to seize equipment. However, there is a lack of certainty in this regard. The Sub- Panel  heard  evidence  from  the  Commissioner  that  this  lack  of  certainty  is  a  concern especially given that much personal data is today stored and processed electronically.

It does, therefore, seem to be the case that this is a possible loophole which, for the sake of certainty and clarity, should be closed.

KEY FINDING

The Sub-Panel found a potential loophole regarding the amendment to include equipment found on premises rather than other material' and Article 61 of the Data Protection (Jersey) Law 2005, which refers to any documents and other material.

RECOMMENDATION

The Sub-Panel recommend that the word "equipment" is included in Article 61 to avoid any potential discrepancies in a Court of Law. Furthermore, it recommends that the Law should be revisited to ensure there are no other incidences of potential loopholes.

2. DEPARTMENTAL EFFECTS

The Sub-Panel sought the views of amendment four from the Minister for Home Affairs. In a letter provided to the Sub-Panel he asserted the proposed power would be used by the Commissioner:

"In relation to Amendment 4, the Police have already made the point that they have other more general powers of search under the PPCE [Police Procedures and Criminal Evidence] Law. The proposed powers would be used more so by the Data Protection Registrar  [Commissioner]  if the Registrar were to develop an investigative role independent of that of the States of Jersey Police[33]."

The Sub-Panel accepts the reasoning behind tightening up' the Law in Jersey however, it notes that the covering report states that there would be no financial or manpower implications for the States arising. The Sub-Panel is of the opinion that if an investigative role were adopted the Data Protection Office would require more resources. As per evidence obtained from the Public Hearing with the Commissioner would suggest that the office is already struggling (see section 6.3).

3. HUMAN RIGHTS

Mr Cooper believes that there are no particular human rights concerns with the fourth amendment, providing that it would be implemented proportionately with regard to privacy, property and fair trial rights.

10. AMENDMENT FIVE

1. THE PROPOSAL

Amending the maximum fee chargeable for subject access requests relating to health records; if this amendment was adopted, it would allow data controllers (who are required to respond to subject access requests relating to personal data defined as a health record) to charge a maximum of £50.

The year 2008 saw the end of the transitional period, in which the fee for subject access requests was brought down to £10.00. This followed the request from the Health and Social Services Department to the Commissioner for the fee to be raised back up to £50.00. The Commissioner had reasoned this amendment by stating that it was proposed because of a request from the Health and Social Services Department:

"So, the argument came to me, which I thought was very convincing, from Health that during the transition period of the law they had a maximum chargeable fee of £50 for their subject access requests. ..So I think they have a legitimate reason to ask for us to reconsider the £10[34]."

Even though the Commissioner believes that the Health and Social Services Department have a legitimate reason in requesting for the fee of £10 to be reconsidered, she also believes a fee of £10.00 is reasonable:

"£10 is very low but it is very low for a very good reason, that (a) to encourage organisations to have a good records management system so they can identify the data, but (b) it should not be a deterrent for people to exercise their own rights. So I think we have to find a balance[35]"

The Sub-Panel was concerned about specifically amending the fee for Health and Social Services records only. The Commissioner was asked whether there was a potential inequity between other people who also deal with complex data and health:

"Yes, to be brutally honest. There is and I think it is a question of looking at the arguments[36]."

The Sub-Panel sought the opinion of the Deputy Commissioner in Ireland, as to what his views were on the Jersey amendments. In relation to amendment four he provided an email to the Sub-Panel which mentioned the EU Directive:

"The proposed amendments would seem to be very positive and should certainly be of assistance in enforcing data protection legislation. In this respect I know that Jersey has a finding of adequacy from the Commission under the EU Data Protection Directive. The only point I might make therefore would relate to the proposal to charge a fee of £50 for access to health related personal data. No doubt you have considered this in the context of Article 12of that Directive which provides that personal data shall be supplied without excessive expense".

The Sub-Panel noted that in Article 12 of the Data Protection Directive, it is the data subject's rights of access to data. The Article states that Member States shall guarantee every data subject the right to obtain from the controller, without constraint at reasonable intervals and without excessive delay or expense.

The Sub-Panel recognises that although the States of Jersey are in the process of looking at cost recovery, there is a need to emphasise Article 12 of the EU Directive. Costs should not prevent a subject from accessing their personal data.

2. DEPARTMENTAL EFFECTS

It was noted during the Public Hearing with the Minister for Health and Social Services, that there might be the possibility of a further request for the fee to be increased, as it does not cover the costs of the Department:

Expert Advisor:

"There seems to be not a lot of difference between £10 and £50"

The Minister for Health and Social Services:

"... well, the law says £10 and to be up to £50, it is still not meeting the costs, especially of third party. The other 2 we can argue about but when you are looking at third party litigation, which Health just provides the information and that is it, £50 is not enough[37]."

The Minister for Health and Social Services provided the Sub-Panel with statistics as to the number of subject access requests that came into the Department in 2009:

Table 1: Approximate number of requests per year for records covered under Law

Table 2: Size of Request – Number of Pages

3. THE POSITION IN THE UK

The UK Act gives an individual the right to apply for a copy of personal information. A request would be made in writing, by letter or email, and sent it to the person or organisation that holds the information. Under the UK Act the organisation can ask for a fee of up to £10.00 for each request made.

In relation to health records, the UK Act gives an individual the right to see their health records. This would be in written format to the person or organisation concerned and would clearly describe the information sought. If the records are held on computer, an individual can be charged up to £10. If the records are manual or a mixture of manual and computer records, an individual can be charged up to £50. The individual would receive a reply to the request within 40 days.

4. THE POSITION IN IRELAND

Under Section 3 of the Data Protection Acts, an individual has the right to find out, free of charge, if a person (an individual or an organisation) holds information about them. An individual also has the right to be given a description of the information and to be told the purpose(s) for holding that information.

Under Section 4 of the Ireland Acts, an individual also has the right to get a copy of their personal information. This applies to all types of information for example, written details about an individual held electronically or on paper, photographs and CCTV images.

According to the Acts, an individual may have to pay a fee for some types of subject access request but this cannot exceed 6.35 (approximately £5.70).

In relation to health records, the Data Protection (Access Modification) (Health) Regulations, 1989 state that health data relating to an individual should not be made available to that individual, in response to an access request, if it was likely to cause serious harm to the physical or mental health of the data subject. It also states that a person who is not a health

professional should not disclose health data to an individual without first consulting the individual's own doctor or some other suitably qualified health professional:

Explanatory Note

These regulations prohibit the supply of health data to a patient in response to a request for access if that would cause serious harm to his or her physical or mental health. They provide also that such data is to be communicated only by, or after consultation with, an appropriate "health professional" normally the patient's own doctor.

The Sub-Panel fully accepts the Irish Law in not charging a data subject for a request, however, believes that this would not be appropriate in Jersey. This point of view is supported by the evidence gathered during the Public Hearing with the Health and Social Services Department.

FREEDOM OF INFORMATION CAMPAIGN

Mr. Frankel considers amendment five questionable, on the grounds that even complex data may be reproduced on a CD (compact disc) lowering the cost considerably. Experience from the UK, he explains, often acts as a disproportionate barrier to people seeking their health records. The £50 charge has not been limited to complex forms of data, but has often been adopted as the standard charge, even for requests involving a few sheets of A4 paper. He provided an example of this:

"One NHS Trust in the UK has an online application form for patients seeking access to their health records. The first line of the form states: "Please Note: There is a charge for this service - £50 payable with requests, cheque payable to Stockport NHS Foundation Trust"

Mr. Frankel is also of the view that it would be unlikely that the Commissioner in Jersey would have any power to question even a clearly unreasonable £50 charge, for example, where the request was limited to a copy of a single letter from a hospital to the patient's GP.

He goes on to say that this amendment would also abolish the free access permitted to an individual's paper based health records, where these have been changed in the past 40 days[38]. Such free access is permitted in the UK. The rationale is that the provision of information about their own health to patients currently undergoing treatment is good practice which should be encouraged, according to Mr. Frankel. The proposed change would make the Jersey provisions more restrictive in this respect than those in the UK.

[It was noted that Deputy M.R. Higgins dissented from recommendation 3.2.10 in relation to this amendment. He believes that the £10 fee should remain because he is opposed to Health and Social Services charging higher for providing information to ordinary members of the public. He is also of the opinion that not all medical records would cost £50, as M.R.I (Magnetic Resonance Imaging) and C.T (Computerised Tomography) scans can be placed on DVD (Digital Versatile Disc). However, Deputy Higgins agreed to a £50 charge, in relation to third party requests for example law firms and insurance bodies.]

5. HUMAN RIGHTS

Mr  Cooper  recognises  that  the  data  protection  directive  requires  that  Member  States guarantee every data subject the right to obtain from the controller data relating to him or her without  excessive  expense'.  The  issue  relating  to  the  £50  fee  from  a  human  rights perspective is the extent to which that fee will have an effect upon a data subject's right of access to data relating to them.

It  is  important  to note that the data protection  regime, even on  an  international  level, envisages a fee, Mr Cooper believes that the issue is what the appropriate level ought to be. His  view on  this  amendment  is  that  it  is  not  incompatible  with  Jersey's human  rights obligations, however on a case-by-case basis he believes issues could arise. He then also said that Jersey authorities may wish to build in a degree of flexibility.

KEY FINDING

The Sub-Panel noted the inequity between Health and Social Services and other businesses for subject access requests. It was also noted that Jersey should follow the EU Data Protection Directive 95/46EC which states that data should be supplied without excessive expense. During the transitional period when the fee was a maximum of £50 the Health Department used their discretion, on what seemed to the Sub-Panel, a fair basis.

RECOMMENDATION

The Sub-Panel suggests that the maximum fee of £50 for subject access requests should be charged across the board. It further suggests that this should remain on a discretionary basis.

11. AMENDMENT SIX

1. THE PROPOSAL

Amending the provisions relating to subject access exemptions for trustees; if this amendment was adopted, it would allow restrictions on information provision relating to trustees (contained within the Foundation (Jersey) Law 2009) to be recognised within the Law.

This  amendment  would  allow  restrictions  on  information  provision  relating  to  trustees contained within the Foundation (Jersey) Law 2009 to be recognised within the Law. The Commissioner's  reasoning  for  this  amendment  was  that  there  are exemptions  in  the Foundations Law for the provision of information to individuals and there would be a risk of conflict if the two were not joined up.

"The Data Protection Law provides rights of access to information but if the trustees have been told not to provide that information to a beneficiary for certain reasons, by the settler or whatever, the Trust Law and the Foundations Law says that you are not obliged to disclose that. I think in the U.K. what had happened is some of the charities had sent round thousands of subject access requests to all trusts to see if they were going to benefit from any people's wills or trusts or whatever. So it would allow an exemption to the access request in relation to Foundations Law as it does now with Trust Law[39]."

2. HUMAN RIGHTS

Initially, the Sub-Panel supported this amendment in respect of its purpose to tidy up' both Laws, and the reasoning behind it was therefore accepted. However, the legal opinion from Mr J. Cooper of Doughty Street Chambers suggests that this amendment may not comply with human rights.

Mr Cooper explains that amendment six cannot, without further explanation, be justified under human rights law. Article 7 of the Data Protection (Jersey) Law identifies that subject access is a fundamental right. Therefore, if Foundations are processing personal data, an individual who is affected by that processing of data must be able to make a subject access request.

Even though there are exceptions to subject access provision, these are clearly defined. Mr Cooper goes on to explain that:

For this amendment to comply with Jersey's human rights obligations the Jersey authorities will need to give compelling reasons why the exemption is being proposed. A blanket exemption will almost certainly be found to be disproportionate. The Human Rights (Jersey) Law does anticipate the circumstances whereby the authorities may opt to introduce legislation in breach of the Convention, leaving the courts [European Court of Human Rights] with no alternative but to declare that legislation incompatible. However, this does not preclude a data subject from pursuing their claim before the Court. In the absence of compelling reasons for the exemption which are directly linked to those identified in the EU Data Protection Directive, the exemption will be found to violate Article 8 ECHR.

The Sub-Panel considered Article 8 of the European Convention on Human Rights to enhance its understanding of Mr Cooper's opinion on amendment six. Article 8 states:

• Everyone has the right to respect for his private and family life, his home and his correspondence.
• There shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well- being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The Sub-Panel accepts the opinion of Mr Cooper and acknowledge that he is relating the human rights issue to the Foundations (Jersey) Law 2009, as opposed to the Data Protection Law. Therefore, the Sub-Panel reiterate its original view that this amendment is not controversial. Advocate Ruelle also noted that Mr Cooper was referring to the Foundations Law:

The Foundations (Jersey) Law 2009 (the "Foundations Law") provides that except as specifically required by or under the Foundations Law or by the charter or regulations of the foundation, a foundation is not required to provide any person (whether or not a beneficiary) with any information about the foundation. In particular, information about:-