This content has been automatically generated from the original PDF and some formatting may have been lost. Let us know if you find any major problems.
Text in this format is not official and should not be relied upon to extract citations or propose amendments. Please see the PDF for the official version of the document.
STATES OF JERSEY
Corporate Services Data Protection Sub-Panel
FRIDAY, 19th FEBRUARY 2010
Panel:
Deputy T.A. Vallois of St. Saviour (Chairman) Senator S.C. Ferguson
Deputy D.J. De Sousa of St. Helier
Mrs. H. Ruelle (Panel Adviser)
Witness:
Mr. R. Shead (President, Jersey Chamber of Commerce)
In attendance:
Ms. K. Boydens (Scrutiny Officer)
[11:16]
Deputy T.A. Vallois of St. Saviour (Chairman):
Good morning. Welcome to the Corporate Services Scrutiny Panel for Data Protection. I would like to first of all refer your attention to the protocol in front of you and ensure you are happy with that.
President, Jersey Chamber of Commerce:
I have been here before. I have read that, yes, so that is fine.
Deputy T.A. Vallois:
I would just ask you to provide your name and title, if that is possible.
President, Jersey Chamber of Commerce:
Yes. Ray Shead, President of the Jersey Chamber of Commerce.
Deputy T.A. Vallois:
I am Deputy Tracey Vallois, Chairman of the Data Protection Scrutiny Sub-Panel.
Senator S.C. Ferguson: Senator Sarah Ferguson.
Mrs. H. Ruelle (Panel Adviser):
I am Helen Ruelle from Mourant du Feu et Jeune and I am the panel's legal adviser. We have met.
President, Jersey Chamber of Commerce:
We have met where you scared the hell out of our members when you told them all about employment law.
Mrs. H. Ruelle: That is it.
President, Jersey Chamber of Commerce:
That made, especially the small businessmen, a lot of them petrified.
Mrs. H. Ruelle:
I am sorry to hear that.
President, Jersey Chamber of Commerce: It was interesting but it did terrify them.
Deputy D.J. De Sousa of St. Helier : I am Deputy Debbie De Sousa.
Deputy T.A. Vallois:
We are here today basically to talk about the proposals for the amendments to the Data Protection (Jersey) Law and we would just like to find out, first of all, exactly what the views of the Chamber of Commerce are on the proposed amendments.
President, Jersey Chamber of Commerce:
Yes, okay. Well, I have had a look through them, I have discussed them with our legal adviser, who unfortunately cannot be with me today or else it would be like a double act. I do not think that a lot of our members, especially the smaller companies, are really very familiar at all with the Data Protection Law. It really does not come across their radar except if you are holding rather than account information, like in my day job, but depending on the size of your business as to whether or not you are registered with the Data Protection Authority and whether you pay the fees. I know, for example, the chamber we do pay £150 a year, which I think we should be under the charities here but whether that will work I am not sure. Larger companies, I am sure, are involved much more. They have compliances and this sort of thing, compliance systems in place, but as far as smaller members are concerned I think this does not hardly feature on their radar at all. We know about data protection, that it exists, but I do not think a lot of businesses are very much involved in it at all or possibly even think about it too much. That is sort of like a general comment, let us put it like that. I have gone through some of the amendments that have come forward. I have got some notes here and I would like to put it in a different way rather than 1, 2 and 3. I would like to start with the ones that are from a different viewpoint.
Deputy T.A. Vallois: That is fine.
President, Jersey Chamber of Commerce:
Firstly, if I can say amendment 2. I do not really see a problem there at all because somebody locally does not have to be a high powered competition lawyer who could be president. It really needs more perhaps someone with - how can I put it - nous and common sense because it needs to fit into the local environment here. I think one of
the problems sometimes in government that you are getting in very high powered people for maybe not such high powered solutions that are applicable to Jersey. That is the point that I am making. So I do not really think there is a problem there at all with that one. Amendment 5, thinking in particular of medical records and this sort of thing where doctors would charge a patient, people have a right to have their medical records, to know their medical records. I am given to understand that sometimes this might turn out to be a lot of a work for doctors and I think it is fairly fair that a charge is made for it, and the £50 figure has been suggested, but people do have a right to ... but whether or not you get from your doctor your full medical history, which is what you may need and especially if there is any sort of litigation or legal procedures going on, if you want it I am afraid it is one of the ones ... I say this with some trepidation. It is a sort of user pays policy; if you want it, well really, you have got to pay for it. It is a bit like having to pay for your credit check and this sort of thing. Obviously I guess there is quite a lot of work involved but I do not see that that is an issue. You are not denying anybody the right to see their medical record but if you want to see the whole lot, depending on your personal history, that might be a lot so therefore there is quite a lot of work involved and I guess that is something that really has to be paid for. Can you hear me okay with this?
Deputy T.A. Vallois: Yes, thank you.
President, Jersey Chamber of Commerce:
On amendment 6, and this is advice that I have had, that the foundations are a bit like a trust or a bit different between a trust and a company, but foundations should be treated under the law the same as trusts. So, beneficiaries can only request certain information on their accounts. I really think this is much more of a finance thing. I am sure Jersey Finance could comment on that in a lot more detail than we can and I can at chamber but it is just equality, let us put it like that, of the 2 types. The difference between a trust and a foundation is a bit of a moot point legally, which I must admit I do not fully understand but it seems my advice is there is not a lot in it, it is just a different way of doing things and it really is purely a financial structure. I think maybe Jersey Finance are best to advise on that. As I have already alluded to, on amendment 8 an exemption of fees for charities is good. There is not much point in raising money and then paying it back to the Government again. So I put my hand up. Whether the chamber counts as a charity I am not quite sure but, anyway, we do pay our data protection fees. I think that when you are talking about the powers of the Data Protection Commissioner most of our members are going to be fairly neutral about this. You have got amendment 3 which has put the penalties up. Well, I do not see that anybody is going to be too worried about that one, from our membership perspective anyway. Number 4, the police already have the power to seize computers and whatever, as we know. I think that is really just bringing the law up to date. I think people ... my business, my BlackBerry, we have a lot of data on computers and if there is a criminal investigation going on it is documents as well as, I think, the computers can be done, so long as it is done correctly and sensitively and I think that is really important. Amendment 7, drug offences. Well, I do not in any way condone or support drugs and drug offences and whatever needs to be done needs to be done to the full extent of the law. If that needs to be amended to cover drug offences, well so be it. I am speaking more for myself personally now than our members but nobody would support any form of drug dealing of any sort so therefore if the law is going to give more power to the commissioner to change that I am certain that is the right way to go. We do not have a problem with that at all. As you probably realise now, by a bit of trial and error, we are a little bit concerned perhaps about amendment 1. I am given to understand that this goes a lot further than U.K. (United Kingdom) current law and would allow the commissioner to ask for information relating to possible breaches of the law. At the moment, so I understand, it is just restricted to data controllers and data processors. I have got a lot of sympathy for what they want to do but I think there might be a problem here where you are getting people who are not involved in great detail in the collection of data to be answerable if there is an investigation going on. I think it is an area, possibly a grey area, that needs to be perhaps considered a bit more as to who would be liable and how far do you dig, to put it mildly in a way, and are you calling up people to maybe give evidence, give sworn statements and this sort of thing, who are really maybe not fully up to speed on all the aspects, a bit like somebody who is formally in compliance as a data controller or data processor. Do you see the point that I am making? It is just a possibility that it might involve people who are really not fully clear on where their responsibilities lie.
Deputy T.A. Vallois:
Like you said at the beginning, data protection, all the members of the Chamber of Commerce are aware of it but it is not necessarily that they have to deal with it constantly on a day-to-day basis so they do not have the full understanding of the complexities of the law. Therefore if this amendment was to be served upon any other person do you see that being a problem as in people understanding?
President, Jersey Chamber of Commerce:
It is a question of understanding, yes. I think the people who are, I guess, at compliance level ... I am thinking of some our larger members who would have all these procedures in place and would be fully compliant, if for some reason you had to go down to say, I do not know, a person in the accounts department or something and started asking them questions they might feel a bit concerned about that. That is a difficult area because whoever is in charge, like the compliance officer, or I guess in many cases somebody like the legal officer of a company, the company secretary, they would understand it and they would know. I would have thought to have that so that if there is an investigation it would be for them to go down and talk to whoever of their staff has been involved in a particular issue and to get the information back. I think it is a sort of grey area there. I am not saying completely against it but it does give a bit of concern that if you are asking people, to put it nicely, lower down the chain sort of thing to get involved what sort of protection do they have. That is an issue as well. I do not know how often this has come up and I am not clear whether this has been an issue, whether this has been something that the Data Protection Commissioner has had trouble with in the past. I do not know. I am not aware of anything but then, as I explained earlier, I am not 100 per cent up on this area.
Deputy T.A. Vallois:
In particular this amendment 1, just to give you a bit of background, it has been lobbied for by the Information Commissioner's Office in the U.K. for many years now and they still have not introduced this amendment as yet but Ireland have had it since the inception of their law anyway. So, just to give you a bit of a background as to why we are looking into this because of the point that although Ireland have had it, they have had it since the beginning, and U.K. are still yet to decide whether to introduce it because the I.C.O. (Information Commissioner's Office) has been lobbying for it for years. So we are trying to see whether what is being proposed is proportionate to Jersey, whether it is really required and if it does what it is required to do.
President, Jersey Chamber of Commerce:
Sometimes Jersey has a propensity, if that is the right word, to use a sledgehammer to crack a nut. What I would be interested to know, and maybe to give a more definitive opinion on, is the question I asked earlier: are there instances where the Data Protection Commissioner has started an investigation into something and then hit a blank and said: "I am not able to question the people I want to question who would know about it"? Maybe, as a sort of compromise in a way, that should be that if the Data Protection Commissioner wanted to speak to people below the level of a data controller in a company she maybe would have to make the case to the court first. Maybe that is too complicated and too long winded, I do not know, but that is just an observation that maybe that is the way it should be done rather than have a blanket law across the board. As I said, it would be interesting to know how often there has been this issue where it has not been possible to get the information or to get the right level of information, if you see what I mean. Are there any instances of this at all that you may be aware of?
[11:30]
Deputy T.A. Vallois:
In the course of our review of this we do not have the Data Protection Commissioner under this afternoon but, say for example, if we were to identify that the commissioner was able to do her job pretty well 99 per cent of the time but 1 per cent of that time there is a difficulty in being able to obtain the information, would you say that it was proportionate to bring this amendment in to be able to provide that 1 per cent?
President, Jersey Chamber of Commerce:
In a way it depends how important the 1 per cent is. That is really the important issue. A lot of things you go on, it is the usual story, you spend 99 per cent of your time dealing with the regular stuff but it is the 1 per cent that is the real difficulty. That is an issue that just needs to be clarified as to the number of instances that that 1 percent is needed and what effect that has on the investigations that are being carried out. I think that is really the difficulty. I am sorry to say I am being so vague on it but that is why I am being a little bit cautious on this particular amendment because I would like to know if possible how often this happens.
Deputy D.J. De Sousa:
Do you foresee any implications with this amendment upon your members?
President, Jersey Chamber of Commerce:
Not really, not on the bulk of our membership. Obviously a lot of our members are in the finance industry and they have their association with Jersey Finance, the Jersey Bankers Association and the trust companies who are much more up in the law and the law of compliance. So I am sure that they are pretty well advised. On some of our larger non-finance companies, as I have said, people like the company secretary and they would have legal advisers, so they would be covered, I would have thought, on this sort of thing and staff would be covered as well as part of liability of working for a large company. But I am trying to get my head round where a smaller business, not necessarily a 2-man business like mine but smaller businesses, may be caught up in something like this and that I would find quite difficult to imagine what circumstances would even provoke an investigation by the Data Commissioner, if you see what I mean, although we are always talking hypotheses all the time. So that is what makes it quite difficult.
Deputy T.A. Vallois:
If we were to say, for example, that your business, you had the Chamber of Commerce and you are data protection compliant, so you pay your notification fee and you comply with data protection principles, and if one of your members were to have information and they released that information but left the Chamber of Commerce there is nothing that the Data Protection Commissioner can do because she can only serve a notice on the data controller of the Chamber of Commerce and a data processor. That person has moved out of that remit so therefore they are untouchable. If that was to happen ...
President, Jersey Chamber of Commerce:
I see where you are coming from but I think you are painting a picture that would not exist in reality because the chamber's involvement with data protection is only on our membership database in effect. We do not control what our members do. We do what they want us to do, or we try to anyway, because of our function as a lobby group.
Senator S.C. Ferguson:
So suppose one of your members sold your email list of members?
President, Jersey Chamber of Commerce:
Firstly, I think my view and the view of our council would be to kick them out. Where we stand in the legal thing I would have go to back to our legal adviser, I am afraid, on where we stand on that. We get asked for, we have been asked by a number of people doing marketing campaigns and this sort of thing: "Can we have your database?" and the answer is: "No, you cannot, not at all." It is not what we do. We do not give out that sort of information. We publish a list of members on our website which is for people who want to find out what sort of services and what businesses are available but we do not go into any ... we do not give out the information. We say: "If you want to talk to one of them, there is their email address; go talk to them", sort of thing, and we do not give our list out or anything of this at all.
Deputy T.A. Vallois:
But if you were to move that scenario, not saying Chamber of Commerce but into an actual business scenario, the data controller would be still be liable for at the moment what would be a fine for allowing that to happen, that information being able to get out. However, this person who has the information or has breached and done this or that, et cetera, the commissioner just needs more information to find out how far down the line or the extent it has gone to. She is unable to go to them because the law restricts her in that way unless she goes to the police and uses what would be classed as, I think she says, the heavy duty powers on the report to enable her to get that information.
President, Jersey Chamber of Commerce:
I think if it is something like that and the person does not work for the company any more, I think there are adequate powers under the law using the police to go and say: "Listen, you have a legal obligation to do this" and if necessary that person could be taken to court. Surely there is in the small print somewhere down the line which gives the commissioner to ask the police to get involved, and that is another issue if someone is being genuinely uncooperative. There is enough law about that at the moment, am I right, or have I got that wrong?
Mrs. H. Ruelle:
Yes, there are certain powers. I think you are right, it is understanding to what extent there is a gap in the law at the moment and I think that is something, as Deputy Vallois said, that we need to explore with the commissioner.
President, Jersey Chamber of Commerce:
Yes, I think that is something you will need to ask the commissioner as to what gaps there are in the law that make her feel that she needs this amendment. Going through the proposal, this is the only one that has a sort of area of doubt, put it like this, and that is a difficult one. The judgment really is how often does it happen ... well, you cannot say how often you expect it is likely to happen but are there instances of it happening in the past where there is not enough information available that you have to call in the full force of the law, which does happen from time to time but then in a way that is the backstop that you have for the law.
Deputy T.A. Vallois:
Do you think it is appropriate that the commissioner should ask the police to assist in being able to obtain that information or do you think the commissioner should be able to go and obtain that information herself?
President, Jersey Chamber of Commerce:
I think it is a question of resource, is it not, really? I think that one would assume that if the commissioner tried to get the information and could not get it and then felt that this information was necessary to pursue the case or the complaint that was being handled then I think, yes, you have the fallback position of going to the police and I think that is there. The only thing is in the public perception, let us put it like that, you do not want it too heavy handed but if that is what has to be done that is what has to be done, so long as they are clear within the law as to where the information might be and what they need to do and how obstructive whoever was involved in it was in providing that information anyway.
Deputy D.J. De Sousa:
You touched on amendment 4 and said that the chamber does not have a problem with this. This is the seizure of equipment. A lot of companies, big or small, keep an awful lot of their data on their equipment these days. Is there a perception that this amendment could affect businesses if their equipment was seized?
President, Jersey Chamber of Commerce:
Well, obviously, yes. For example, my business, if I did not have a computer I could not trade. That is very straightforward although obviously I do have a backup on my server and everything like this. So that is a problem there but I think all this seems to me, and this is really more a personal opinion, that you are bringing things into the 21st century, because if it is just papers that you want under the law, as I understand it, the Data Commissioner can get the papers that she needs but, as you have just said, that information is stored on computer now, which is quite normal in a way, whether it means seizure of computers or does it mean seizure of discs and whatever. You cannot take someone's computer away and then not allow them to trade. There has got to be different ways of ... there are ways of doing that, I would have thought. In other words, you take the information from the hard drive and there it is but you allow people to get on and run their businesses. But, as I referred to, it is just where a lot of the information is and you cannot ignore modern technology when investigations are being made. Whether you physically take someone's computer away or take their hard drive, you have got to prove that. I guess what I am saying is you have got to prove that in a court of law that you feel that the information that you are looking for is on somebody's computer, which it could well be. On the other hand, of course, you never put anything on email or on your computer that you would be unhappy to share with anyone else. Let us put it like that, if you see what I mean. I try not to commit myself to writing things on email that somebody might find to have a go at me about a bit later. So it seems to me that this is a mechanical thing rather than anything else. It is a question of the data; it is just a question of bringing this up to the 21st century, I would say. I guess there is a possible problem there but I would have thought, especially with larger businesses they have liability insurance and this sort of thing and you are covered to a point on this sort of information. Perhaps it is a greyer area than I originally thought but I think there you are in a way reliant - and I am only referring to this for companies, not with regard to individuals - on people using good practice and complying with the law and being compliant. If you are really found to be not compliant maybe you do need the full threat of the law because Jersey has to be seen as being law abiding and following the law. I think that is really it.
Deputy T.A. Vallois:
On that basis with regards to following the law and just taking you back to amendment 3 about the penalty, they are changing it to a prison penalty. So you could have a maximum of 2 years in prison for breaching data protection. Obviously there has to be discretion used on that. How do you feel that that would be seen by either your members or other bigger businesses who are data controllers? Do you think that that would make data protection much more out there and noticeable to the ordinary person?
President, Jersey Chamber of Commerce:
I think it would highlight to the data controllers the problems and the possibilities if things go wrong. I think that prison is probably the ultimate sanction for what to me seems to be partly a civil offence. Maybe some of it is criminal but I think that is the ultimate sanction that I think the court would ... really that is the last resort and that is your backstop, my cricketing analogy there, that is so far down the line I think that it would really have to be very, very serious for the court to impose any sort of custodial sentence, although I can see fines are a different matter. But I think maybe it just brings it home to people that you cannot do this. It is a bit like various other offences: you cannot drink and drive and this sort of thing. I just think it is something in the background that you have that should make people more aware of their responsibilities.
Deputy D.J. De Sousa:
I just have one more on amendment 1, the one that you said causes you concern. Have there been any cases within the chamber where data protection have come to you or the chamber and said ...
President, Jersey Chamber of Commerce:
Not that I know of, no. I have been president since last May and nothing has come then. Prior to that, the previous 3 years, I was chair of the retail committee and I have been on the Chamber Council for a number of years. I have not had any incident at all where we have been asked to do anything or been involved in anything or been informed by any of our members that there are any data protection issues that have come to light. Apart from people saying data protection, it is more a sort of thing between departments: "Why do we have to tell the taxman? Why do we have to make the same returns to all sorts of different government departments?" that sort of issue of data protection, yes, that comes along. We get told by tax: "We cannot pass your information on. You have got to do 3 lots of the 5 lots of forms", which is a bureaucratic thing, red tape, where I think there could be some sense applied there. But in general I think that - and I did check around before I came here - over the past 4 or 5 years nothing at all has come across that I can think of that has anything to do with any data protection issues, specific issues. As I said, we do have the problem of how many times you give government departments pieces of information, which is another matter of red tape, as I would call it, but not specific issues no.
Deputy D.J. De Sousa:
Do you see any implications of any of the amendments affecting any of your smaller businesses, bearing in mind we are in a recession?
[11:45]
President, Jersey Chamber of Commerce:
A difficult one. If you are in a recession you would not like your computer taken off you because you would find it hard to replace it again. I am not sure the recession in a way has anything to do with it. I really do not think it has. This is why probably it has not crossed people's mindset in a way because they are just too busy running their businesses and keeping themselves afloat. Life is very tough out in the marketplace, very tough, and a lot of small business owners are spending all their time just keeping everything together, let us put it like that, and this is why I think data protection really comes way, way down their list of priorities, if it even figures at all. Maybe you have got to think about perhaps if you make the law stronger people will think: "Hang on a minute, I had better watch this." It is just another thing that you as a business owner have to watch but it is the way of things in the future and it is the way things are going now. People do keep a lot of information on a lot of people and you do need a law, you do need a control of it. You cannot just have that information and just use it willy-nilly. It has to be based in law.
Deputy T.A. Vallois:
Thank you very much for your time. It is very much appreciated.
President, Jersey Chamber of Commerce:
That is okay. I hope it has been of some help anyway.
Deputy T.A. Vallois:
Yes. Thank you very much.
[11:46]