This content has been automatically generated from the original PDF and some formatting may have been lost. Let us know if you find any major problems.
Text in this format is not official and should not be relied upon to extract citations or propose amendments. Please see the PDF for the official version of the document.
STATES OF JERSEY
Corporate Services
Data Protection Review Sub-Panel
FRIDAY, 19th FEBRUARY 2010
Panel:
Deputy T.A. Vallois of St. Saviour (Chairman) Senator S.C. Ferguson
Deputy D.J. De Sousa of St. Helier
Deputy M.R. Higgins of St. Helier
Mrs. H. Ruelle (Panel Adviser)
Witnesses:
Deputy E.J. Noel of St. Lawrence (Assistant Minister for Treasury and Resources) Mrs. E. Martins (Data Protection Commissioner)
In attendance:
Ms. K. Boydens (Scrutiny Officer)
[13:01]
Deputy T.A. Vallois of St. Saviour (Chairman):
Good afternoon and welcome to the Corporate Services Scrutiny Panel for Data Protection. I would just like to refer your attention to the protocol in front of you to ensure that you are happy with the terms of that? I would like to start off by asking you to provide your name and your title for the recording.
Assistant Minister for Treasury and Resources:
Deputy Noel, Assistant Minister for Treasury and Resources.
Data Protection Commissioner:
Emma Martins, Data Protection Commissioner.
Deputy T.A. Vallois:
Okay. I am Deputy Tracey Vallois, Chairman of the Data Protection Scrutiny Panel.
Senator S.C. Ferguson: Senator Sarah Ferguson.
Mrs. H. Ruelle (Panel Adviser):
Helen Ruelle from Mourant du Feu & Jeune . I am legal adviser to the panel.
Deputy D.J. De Sousa of St. Helier : Deputy Debbie De Sousa.
Deputy M.R. Higgins of St. Helier : Deputy Mike Higgins.
Deputy T.A. Vallois:
Okay. As you are aware we are looking at the proposed amendments that yourselves have put forward and we would like to take this on an amendment-by-amendment basis because it will probably be easier than going all over the place, so I would like to start off with the very first amendment that was put forward, amendment 1 which was asking for provisions in relation to information notices. So just a general question starting off is why do you want this amendment?
Assistant Minister for Treasury and Resources:
Could I just firstly say that the Data Protection (Jersey) Law 2005 provides the position for the Data Protection Commissioner as a corporate role. The terms and conditions of the appointment are also set out in the law. The role of the Commissioner is independent and he or she is required to oversee the compliance of all data controllers. For administration purposes and for administration purposes only the Treasury Minister is responsible for the resources and presentation of reports and so forth for the States. For administration purposes as well the Human Resources Director is required to provide the appropriate assistance in respect to recruitment and other employment issues on behalf of the commissioner. I just wanted to set out that the commissioner's role is an independent role and it is not a Treasury role.
Deputy T.A. Vallois:
We are fully understanding of that but purely because scrutiny have to scrutinise ministerial departments we understand that it is purely administrative and that Data Protection are an independent body.
Data Protection Commissioner:
So if you are happy that I answer the questions and obviously if there are any questions you have for the deputy then please feel free, but obviously it is an administrative route for me.
Deputy T.A. Vallois: Very happy.
Data Protection Commissioner:
I do not have any dealings with the Treasury other than for budgetary purposes and reports so I think it is just to clarify that before we start. So you are happy that I answer the questions?
Deputy T.A. Vallois: I fully understand.
Data Protection Commissioner:
So just to put a bit of background, the 2005 law was pretty wide in its scope when it was brought in compared to the 1987 law. We are a very small team with quite a large remit and very early on in the implementation of that law it was made clear to my staff that if there were any issues relating to the effectiveness or otherwise of the
law, issues that were raised as a result of complaints or inquiries, that they should be flagged and that we should, at the end of the transition period, review any issues that had been raised during that period. We did that, and various things came up during that time and one of the issues, these were largely from those experiences, related to information notices. Now the vast majority of our work is mediatory in its nature and is successful in its nature in achieving compliance first of all but also in dealing with inquiries and complaints and very few get to a regulatory level where we would consider taking any legal action of any sort, any regulatory action. But nonetheless when we do have those complaints escalated to that level they are pretty serious, so they may be few and far between but it does not mean to say that they are not important. One of the issues that has cropped up a couple of times, not just once but that said I still think if things only happen once I think we still need to look and learn from them, was the manner in which information notices can be used by the commissioner. The law as set out at the moment allows the commissioner to ask for information from a data controller and a data processor only. Now a couple of the cases that we have dealt with and a couple that are ongoing, the person in possession of the information which will give us the key as to who the data controller is or was that there is an issue with, be it data security or applying the principles, is not a data controller nor is he or she a data processor. He or she is an individual. Again in the vast majority of cases where that has occurred we have been able to approach that individual and they have been very willing to say: "Yes, we have found this document on the floor" or: "We saw the information in a letter that was sent to me by mistake" but there have been a couple of occasions, and they have been very serious occasions, where the individual has just said: "No, we are not going to assist." It poses a very huge problem for us, because if we do not know where the source of the security breach, for example, is we cannot investigate it, so we have had to walk away on a couple of occasions. Those were regulatory investigations, and that is an important point. That said Article 55 of the law does allow us to consider a criminal investigation for unlawful obtaining or disclosure of data. So if we think the person who has that information has obtained it illegally we could in effect crank that up to an Article 55 investigation and it is something we explored in some detail when we last met the panel. However I am concerned about that, for the reasons that I elaborated at the time, because in not every case is it going to warrant as a proportional response the involvement of the police which largely Article 55 investigations do, because they are criminal in their nature. So there has been more than one occasion where we have walked away from a complaint because we have come to a dead-end and we did not think that invoking our powers under Article 55, i.e. assuming it was a criminal investigation, was a proportional and responsible response to the particular case. On a couple of other occasions we have sought police assistance to further investigate under Article 55 to require that person to provide us with evidence under caution. On those occasions where the police have become involved I still remain slightly uncomfortable that it seems to be a bit of a leap that if we could obtain the information through the regulatory route it would be preferable. It would be less, I have used the word: "heavy handed" in the report and that really to sum it up is how I feel. That notwithstanding on these couple of occasions I have thought that there is a potential Article 55 offence I am not absolutely convinced of that at that stage, but the only way we can progress that or walk away from this individual who has had to make a complaint to us, that his or her rights have been infringed, we have a duty to do what we can for that individual and it is very frustrating to have to walk away. But equally I would not be happy in requesting
police assistance where I do not think it is proportionally reasonable to do so. So this addition, this amendment, would allow us to approach an individual, not just the data controller, and it is going to be in my experience purely a conduit for us, because very often the source of the problem if you think of information, a piece of information, it has been lost, misplaced, if you think about the CDs in the U.K. (United Kingdom) it has been found on a train or something, the person that found it is not at all culpable in legal terms. They may have come across it accidentally. The source of the problem is the person who left it on the train or the organisation that did not look after it in the first place. If it is a medical record, it could be a G.P. (General Practitioner) or an insurance company or the hospital, they have left it somewhere they should not have done. That is where we want to focus our attention. This is not about getting at individuals to demand unreasonable personal information from them that is their own private business. This is information that an organisation is responsible for especially when it is sensitive information and that has somehow got into the wrong hands. We need to know how that has happened and the only way of doing that is asking that person and asking them to give us a response in relation to our questions in that respect. Again it is going to be very rarely used but when it is needed it has proved quite crucial for us and it has proved very impactive on the way in which we have been able to, or not, progress an investigation that we have had.
Senator S.C. Ferguson:
You are really saying that there is not a gap between your law and the various police laws but you feel that the police arrangements are very heavy-handed, so why are you not looking at a better way of working with the police instead of bringing in a heavy- handed one yourself?
Data Protection Commissioner:
I think the involvement of the police, maybe it is a misunderstanding here, our law provides for criminal offences. Most of it is regulatory but there are a couple of criminal offences in the law. While we have the power to investigate those criminal offences ourselves they are very few and far between and they are often very serious so we would normally refer those to the police for assistance, because we do not have the resources or the time or equipment, recording interviews for example. So it would be common to refer them. We are not handing the investigation over to the police, but we are asking for police assistance under our law. So the power is in the law now but there seems to be a gap as everything else seems to be reasonable steps. At each point you can take the next step to move it up a notch. There seems to be a step missing here that either the investigation falls away because you have not been able to get the information off the person or you bump it up to a criminal. At no point are we looking to police powers in that respect here, because we have got our own.
Senator S.C. Ferguson:
But do you have the power to say that an individual has released information incorrectly? You have the power to say this is criminal, correct?
Data Protection Commissioner:
Yes, we have the power to investigate it.
Senator S.C. Ferguson:
So why do you need to add another layer of bureaucracy into the general data protection staff?
Data Protection Commissioner:
I do not think it is a layer of bureaucracy, I think it is the manner in which you respond to complaints and I think to assume that somebody releasing information or getting information is a criminal offence in the first instance is disproportionate in the cases that I have dealt with that deal with it in a regulatory manner and is less heavy- handed. The vast majority of our work is regulatory and there is a world apart from that work to the criminal work and to miss out the middleman, in a sense, I understand what you are saying about a layer of bureaucracy. I do not agree that that is what we are doing, I think it is a disproportionate approach to the complaints that we have dealt with in my experience to bump it to a criminal.
Mrs. H. Ruelle:
My understanding is that obviously if you served an information notice on an individual who then failed to comply then that in itself would also be a criminal matter. So there is an ultimate criminal sanction on an individual for failure to comply.
[13:15]
Data Protection Commissioner:
Yes, and again it would be used very rarely. Only in a case where we have walked away from a case because we do not think it is proportionate to, but the normal protections would apply and yes, I think if you give the commissioner the remit to examine breaches of privacy, data security breaches et cetera but say that you cannot ask people where that problem has come from, it poses a bit of a problem for the regulator. That is my view.
Deputy M.R. Higgins:
But going back to that though, if people would be committing a crime by not giving the information surely you do have a sanction on them that they will either comply or you take them to court and you can set an example without acquiring new powers.
Data Protection Commissioner:
I think you have got to go back a step, I do not want to have to invoke the criminal powers in the first place. I think I would rather not.
Deputy M.R. Higgins:
But if it is as serious as you say that you want an amendment to the law ...
Data Protection Commissioner:
I think we are missing the point here. They can be serious in a regulatory sense in terms of the damage done to an individual. If information about you, if your neighbour comes up to you today and says: "Oh, I hear X, Y, Z about you" and you think: "Well, only 5 people know that and I have kept that information secure" and you complain to us that that information somehow has leaked out from one of those 5 organisations, think about your medical records or a job application or anything that you want to keep private and we say to you: "Sorry" because we cannot approach
your neighbour and ask them where they got it from. We do not want to treat neighbours as criminals, we just need them to provide us the information so that we can look to the source. If somebody has left your application form or your medical records somewhere, somebody has not looked after that data properly then we need to know about it and very rarely that route is only available to us via an individual as opposed to an organisation.
Senator S.C. Ferguson:
But you have got a sanction on the individual. So why do you need extra powers? We do seem to be sliding into Winston Smith territory here, 1984.
Data Protection Commissioner: I would disagree.
Senator S.C. Ferguson:
I mean I do not understand why you need the extra power when you can go to ...
Data Protection Commissioner:
I would argue it is not necessarily an extra power. It is a better way of using the powers that we already have. A better more user friendly less heavy-handed way of using the powers that already exist. That is what I would argue very strongly.
Deputy M.R. Higgins:
If your aim is to obtain the information from the person and you go to them and say: "Look, I require this information because I need to find out where this information has come from and you realise of course that if you do not provide it to me you are committing a criminal offence and you will be prosecuted" do you not think they would give you the information? If not, should they not be prosecuted anyway?
Data Protection Commissioner:
Well I am not sure I understand the question.
Deputy M.R. Higgins:
I am just saying that you have already got the power in a sense that it is a criminal offence if the person does not provide you with information. So you are saying that for example ...
Data Protection Commissioner:
Most people co-operate with us. I think most people would see that and I think you ask the question and you are serious about asking it and there are consequences for not answering it, or you do not ask the question at all. If the States have given me the job of investigating, if you come to me and say: "My information has gone there" but you cannot ask this group of people, you can ask everybody else but you cannot ask this group of people how they have come across your information I am not ...
Deputy M.R. Higgins:
So you are saying that this criminal sanction that you have does not apply to these third parties? It only applies to data controllers or data processors?
Deputy M.R. Higgins:
I think we are maybe at cross-purposes here.
Mrs. H. Ruelle:
Could I ask a question? A number of people this morning have expressed some concerns about this proposal because of involving people who are not otherwise bound by the law, so for example not data controllers and data processors, and a question that has flowed from that is, is this something that is in the U.K. law? As we know that is not something that is in the U.K. law although I understand that the Information Commissioner has lobbied for that in the U.K. Could you give us any insight into why from your knowledge it has not been brought in in the U.K. and is there anything specific to situations that you have had, or Jersey, that might make it more applicable in Jersey?
Data Protection Commissioner:
I do not have any insight into the Information Commissioner's reasoning. I mean we meet once a year. I do feel quite strongly we inherited this law largely from Europe and I have always said from day one that inheriting laws has benefits in that it is already done, it has been packaged up nicely, but equally we are in our own jurisdiction and I have a job to do and when I feel that I am not doing my job to the best of my ability I will examine why I think that is, and why we are not serving the people who this law is meant to protect as well as I possibly could. I think we have to think about it is not just about following suit, it is about responding effectively and proportionately when those matters are raised with me. When we have a couple of cases that we cannot follow through or that we have to treat as a 55 offence my reaction has been: "Is there not a better way?" This is the result of that reaction and it is absolutely a political decision whether or not it is accepted but I have to do what I think is my job which is look after this law the best way I can and look after data subjects who come to me and say: "My neighbour was told this" or: "My data was found here and I want to know and it has caused me a huge amount of stress and damage to my family, what can you do?" and to say: "Not a lot" or: "We have to treat it as a criminal" there seems to be just a little bit missing in the middle. I think the message has got to go out loud and clear this is very unusual that we use these sort of powers very rarely. We have to be very confident that the individual has suffered damage or distress. We take that into consideration, and we get hundreds of people that come to see us and say that they have had their privacy breached or that they are unhappy with the way that their information has been handled. The vast majority are resolved very effectively and very well by our department and by the data controllers and by the individuals themselves. I do not think we run a heavy-handed regulatory organisation by any stretch of the imagination and I would be concerned if people thought we did. There is always going to be a check on our powers in that there is a tribunal, and if ever anything gets to any court then there will be a check. There is always that check on our powers and at the end of the day if you create the position of a Commissioner the States in a sense has to trust that Commissioner to do the job that he or she is there to do, but ensure that the checks and balances are also in place. There is nothing in these amendments that would make me uncomfortable that that would not be the case, that I would be responsible and answerable for every decision that I made in terms of any information or any enforcement notice that I provide.
Deputy D.J. De Sousa:
How many instances have you had so far where if this amendment was in place already you would have used it? You have talked several times about proportionality. Where do you see the proportionality?
Data Protection Commissioner:
Two occasions where we have not continued with the investigation because our view is that it would be disproportionate to consider it a criminal offence and 2 where we have progressed it to a criminal, since the implementation of the law.
Deputy D.J. De Sousa: Is that in 5 years?
Data Protection Commissioner:
At the end of 2005 it came into force, yes.
Assistant Minister for Treasury and Resources: So we are looking at an average of once a year.
Mrs. H. Ruelle:
In the 2 that you felt it would have been disproportionate to take it to the criminal level do you think that in those circumstances it would have been appropriate to serve an information notice on an individual?
Data Protection Commissioner: Yes.
Deputy T.A. Vallois:
Could I ask with regards to the amendment itself and the fact that it would be serving an information notice on an individual as such my understanding of data protection is that it is for providing a regulatory authority over a data controller that holds a lot of personal information and ensuring that they comply with the principles of data protection. To me there is a very fine balance here as to whether we step further away from that mark and go further into compliance on individuals now rather than giving the obligation to the businesses to ensure that they are doing their jobs properly in ensuring that they are complying with data protection.
Data Protection Commissioner:
I do not see that because I think you are. What you are trying to do is to establish which data controller it is that has got the problem. Your flow stops there and really once the information is given to us if the information ... we have had a case where a file was left on the top of a bin in King Street and the person that found it, we do not have any beef with them at all. We need to know where they found it, which office was it near so that we can start looking at where ... there was highly sensitive information in that file and as I say that person walked into our office and said: "Look what I have just found" and we looked at it horrified. We had a number of people, it would have to go to about half a dozen people now but if that person had said: "I saw that office worker dump it on that bin" we need to know that. So as to the individual I see what you are saying about the sanction and ultimately if you are serious about a
law you have to say: "Listen, what we say goes or there is a sanction" but we need to find the source of that problem, so you are focusing on the data controller. We are not looking at individuals and saying you have got a whole regulatory regime to deal with. They have got their domestic use exemption. That all applies. It is just about when and if one individual comes to us and feels that they have had their rights infringed under this law it is how we get to the source of the problem. So I do think it is proportional, I do think it is reasonable.
Mrs. H. Ruelle:
In that circumstance that you have just described, and I understand what you are saying, your beef is not with the individual who found the file, but obviously they are potentially going to be concerned if you suddenly serve an information notice on them that says: "And if you do not comply you are going to be potentially before the magistrate." I suppose then that does put some onus on you and your office to educate the public about this power and I suppose 2 questions I am sure you have thought about it, but how would you do that and are there manpower implications for you and your team in relation to this amendment?
Data Protection Commissioner:
In terms of manpower implications no. I mean we do what we can do. We have had to think about implementing a triage response to complaints because we have so very many. There is very little I can say because it is all in the doing, this law, as to how confident people can be as to how I regulate and how my team regulates. We take the role very, very seriously. We think very hard before taking any action of a regulatory or legal nature. We very often seek external legal advice in situations like that to make sure that we are responding in a proportionate, fair way. But equally if you are serious about a piece of legislation and there has been a breach then you have to be serious about getting to the bottom of it. So it will be very rarely used but my feel on the 2 occasions when we have had to bump it up to criminal is that if those individuals had been told that this is a power that we have to ask you that they would have provided it. They would have been out of the picture at that point. If the evidence then shows that they stole the data or obtained it illegally then it would automatically invoke a 55 by that.
Deputy M.R. Higgins:
I have got some questions here. In the 2 cases that you have had that have proceeded to court have they been resolved yet? Has there been any judgment?
Data Protection Commissioner: No.
Deputy M.R. Higgins:
Okay. Can you indicate the sectors that those people are from? Not the particular case or the individuals but the sectors that those people are from?
Data Protection Commissioner:
That the individuals are from that we would like the information from?
Deputy M.R. Higgins:
That you are going to the court, taking them to the court.
Data Protection Commissioner:
We are not going to the courts, we are requesting assistance in relation to a potential 55 investigation. There is a difference.
Deputy M.R. Higgins:
Right, and do you have any idea? Are they from banking, from the finance industry?
Data Protection Commissioner:
Where the source of the data is or where the individual is?
Deputy M.R. Higgins: Where the individual is.
Data Protection Commissioner:
There is no consistency across the 4. They are random.
Deputy M.R. Higgins: Four?
Data Protection Commissioner:
The 2 that we dropped and the 2 that were ...
Deputy M.R. Higgins:
Okay, so the 2, can you give an indication of what areas they are?
Data Protection Commissioner:
I would not like to, because they are current.
Deputy M.R. Higgins:
I am not asking you to name the people or anything else, just the sectors.
Data Protection Commissioner:
I know but the people that are involved, this is a public hearing. That is the advantage of having a private hearing.
Deputy T.A. Vallois:
They could possibly be identified by the situation.
Data Protection Commissioner:
That is why it is quite useful having a private hearing with the panel before.
Deputy M.R. Higgins: Okay.
Assistant Minister for Treasury and Resources:
That information that Deputy Higgins was asking for was disclosed at a private hearing.
Deputy M.R. Higgins:
Was it? Okay, I will look at the transcript.
Data Protection Commissioner:
I have given more detail in the private hearing because I do not want the individuals that we are working very closely with to think that I am using this as any sort of evidence in a public way about them, because obviously it is very sensitive for those individuals so I just want to respect those individuals' privacy.
Deputy M.R. Higgins:
Okay, I will leave it that way. But how about I think you have mentioned this already, this would not affect journalists, would it?
Data Protection Commissioner:
Journalists are already covered. This would not add anything to journalists, no. Journalism is already covered.
Deputy M.R. Higgins:
Okay. How about let us say for example myself as a politician. Someone gives me ...
Data Protection Commissioner:
You are covered. You are already a data controller.
Deputy M.R. Higgins:
Already a data controller? So you get ... would you try and use your powers in that way, to stop a politician for example putting it in the public domain?
[13:30]
Data Protection Commissioner:
I would use my powers to make sure there is compliance with the law. There is a distinction. I do not use the power to stop things as a means to an end, it is about complying with the law. There are very large carve-outs for journalistic purposes, for public interest purposes et cetera and those carve-outs are reasonable and effective and proportionate. So if you can benefit from an exemption, if you have done something, then so be it. So my sole aim is to achieve compliance with the law as it stands.
Deputy M.R. Higgins:
Okay, so if it was a public interest matter that I felt strongly about you would not be trying to use your power to try and find out where I got my information from?
Data Protection Commissioner:
I cannot answer that without being given specifics because there is almost an infinite list of examples of processing of disclosure, of obtaining, that you could give me that there would be a different answer for each one.
Deputy M.R. Higgins:
But providing I did not steal it?
Well, even unlawful obtaining, there is a defence for that, so it is impossible for me to answer that in any detail I am afraid. If you give me a specific example even then I would be struggling because these matters of public interest require considerable analysis, but as I say you are already covered in the law. This is not about existing journalists or States members.
Deputy T.A. Vallois:
Is everyone happy with the questions on amendment 1? Okay. I will move on to amendment 2 because time is flying. Okay, so amendment 2 was the professional requirements for the process of the Data Protection Tribunal. Can you explain a bit about why it is that you would like this amendment?
Data Protection Commissioner:
Yes. It is very practical terms. It is to widen the pool of people. It is not my job to worry about the tribunal because obviously they have to be completely separate to me and not influenced in any way by me which is the way it should be and the way it is. So that is a role for Treasury, an administrative purpose. So it is really to widen the pool of people that we have to choose from, because data protection is necessarily quite specialised, so if you reduce the 7-year thing you will have more people to choose from and I think a couple of the individuals that would have wanted to go for it were debarred by that. So it did not seem logical when we looked at other tribunals that were set up in Jersey that did not have that constraint on it, so it just seemed illogical that we ... obviously Treasury want to be able to have a nice base of people to choose from who have a specific expertise in this area.
Deputy T.A. Vallois:
Because it is currently 7 years, is it not?
Data Protection Commissioner:
Yes, and I think that is just ... it does not make any sense. People coming from the U.K., I mean, it is ...
Mrs. H. Ruelle:
I think it is 7 years advocate or solicitor, is it not, which means you have to be Jersey qualified.
Data Protection Commissioner:
Yes. There have been a few people from the U.K. that would have been fantastic, and in a sense that would be even better because they are completely ... there is no baggage or anything. We will not know them. So I think it is just to increase the availability of people to come forward.
Assistant Minister for Treasury and Resources:
It is a practical amendment to a practical problem at the moment because at the moment we do not have a ... not even a small number of people willing to be on a tribunal, let alone a large number.
Mrs. H. Ruelle:
Do you consider, however, that it would be appropriate for there to be a qualification of some sort, whether that be advocate, solicitor or, you know, is it ... are we saying it would just be a removal of the 7-year requirement but they would still need to be Jersey qualified?
Data Protection Commissioner: Yes.
Mrs. H. Ruelle: Okay.
Data Protection Commissioner:
Yes, it is purely the timing of it. I still think that is very important because some of the issues that ... I mean, I have only ever been to tribunal once and that is not, I would hope, a testament that we do not do any work, but it is a testament to the fact that actually when we do take action it is very, very well considered. It has only got to that stage once and you do need somebody in the chair that really can get to grips with a whole raft of very complicated issues. So I think that is still very important but I just think we are constraining ourselves unnecessarily with the 7 years.
Deputy T.A. Vallois:
Okay, I will move on quickly to amendment 3, which was amending the maximum penalty applicable to an offence under Article 55 of the Data Protection (Jersey) Law 2005. And again, just a basic understanding of why it is that you are looking for this amendment.
Data Protection Commissioner:
This is something that has been in the pipeline in the U.K. for some time and it is something that has been raised in meetings with the information commissioner and the other islands over the last couple of years. They have clearly been pushing for this amendment over there. There are areas where we do think quite carefully about the U.K. amendments and whether they are applicable here. There are a whole raft of things like fines and enforced notification for breaches and stuff which we are just not ready ... in my view, we are not ready to go down that road yet. So we do cherry pick the areas that we think are relevant and would mean something when we are looking at amendments. I think what I have seen in the last sort of 18 months is that other bits of legislation and other laws are looking towards the Data Protection Law. The one law that did concern me in recent months has been the Sex Offenders Law because it does not have its own sanctions within the legislation for breaches, security breaches. Bearing in mind you are dealing with some of the most sensitive data - I mean, policing, health, social services data is some of the most sensitive and should be some of the most well-protected data - I think it is incredibly important that you have a deterrent factor for unlawful breaches and unlawful obtaining. That combined with experience in the U.K. specifically where you have had mass selling of databases on C.D .s (compact discs), thousands of records going to India to be sold for thousands of pounds, so again you want the deterrent factor for employees who are sitting in fulfilment companies in Jersey now who are handling millions of bits of data from across the world. So it is sort of twofold, really. The reasons I would like to see this amendment succeed is that one is the local pressure where T.V. (television) licensing regulations recently had a penalty of 2 years for unlawful disclosure, and I think that is entirely appropriate. I think if you are handling sensitive information about people with disabilities or special needs, any breach of those security requirements should be
treated very seriously. So I think we are lagging behind if you look at the penalties for T.V. licensing purposes. But here again it is just a maximum penalty and some of the questions ... I do not know whether you want to go on to them in a bit anyway, but you talk about impact on the prison and how many people we see behind bars. Well, hopefully none because if an individual is sitting at ... I will not use any names but, you know, ABC.com, if it is selling C.D .s or whatever and it has been offered £5,000 for 5,000 names to be sent to India, he is going to be sitting there, or she is, saying: "Well, is it worth my while if my company just gets fined or I might get the sack and I will go somewhere else", but if he or she is going to be possibly hauled before a court and possibly imprisoned for a maximum of 2 years, there may well be a deterrent factor. So I think it is good for us locally and I think it is good for Jersey reputationally to match these standards, I really do.
Deputy T.A. Vallois:
There is something that I picked up in the last sitting that we had, was that the Economic Development Minister brought forward the penalties for breaching information sharing on the Depositor Compensation Scheme, and this had exactly the same - what you are asking - amendment, if they broke the information sharing that there would be a maximum penalty of 2 years.
Data Protection Commissioner:
Really? I did not ... I was not aware of that, so that is useful.
Deputy T.A. Vallois:
So, I mean, I was quite ... I asked in relation to data protection as well because I would have thought ... I do not know what your view is but it would be nice to understand exactly how that would work across ... I think it is just going across different laws as well because if they are breaching that information sharing order but it crossed purposes with something else that it does not cover because of data protection, I mean, how does that work?
Data Protection Commissioner:
Well, to be fair, that is a question that arises not infrequently at the moment because you have ... if you have issues of data security you may have elements of computer misuse, you may have elements of other laws, you may have elements of data protection, and what the law enforcement agencies should be doing and what certainly we do with the police on computer misuse, for example, is sit down together and say: "What are the key areas? What are the strongest areas? What are the areas where one law can take over?" That will be the pragmatic, reasonable approach. So I would imagine the same, that if you have legislation which is parallel in terms of penalties, you will need to look where it sits most comfortably, and there will not always be a straightforward answer to that. But I think as long as the agencies are speaking about that, you may well have 2 agencies running parallel investigations but there should be good reasons for doing so if they are doing that. So I feel very comfortable and it is good to hear, in a sense, because I think we need to just bump it up a little bit in this. I think the environment has changed, the data protection environment has changed pretty radically in the last ... even since I have been there, that the impact on individuals, the impact on organisations with mass illegal selling is huge now, much more than it was 5, 10 years ago, I think. So we need to respond to that, we need to evolve with that as well.
Mrs. H. Ruelle:
Are we already seeing those sorts of serious breaches in Jersey or is this more a ... you know, we are aware that it may happen?
Data Protection Commissioner:
Article 55 allegations are pretty far and few between. What I would like to think is this is a pre-emptive strike because with other laws like the Sex Offenders Law which is coming in, that needs to work. If that is going to work it has to work from day one. There cannot be any doubt that the rules that apply to that legislation need to work otherwise the whole system will be undermined. So, it is quite nice to be in a situation where you are not just reacting to problems. Largely these are the information agencies. This is a reaction to what I think is a problem in the way I can regulate. This is talking to the Home Affairs Department, this is talking to other regulators who are saying: "Listen, we have big problems with data selling going on here." It would be nice not to have to get to that point where we are having to react to those sort of allegations, where the guys and girls sitting at the fulfilment companies know that there are standards here and that they will be individually potentially liable in a criminal court should they breach those rules. I think it is quite nice for me in a sense to be in a position where you are looking from a position of pro-activity rather than reaction.
Deputy D.J. De Sousa:
Are you looking to implement this amendment either as a deterrent or is it because the commission has already dealt with cases where this amendment could have been used?
Data Protection Commissioner:
There is no retrospectiveness about it. I base it on my own experience. I base it on discussions with other regulators. The pressure from my ... there is no other agenda other than local legislations looking to us for remedy and the increase in the amount of data going through Jersey companies, especially fulfilment type companies where you have very, very large databases. That is the basis of this. These have been in train for a couple of years now, I think, to put a bit of perspective on it.
Deputy D.J. De Sousa:
Bearing in mind that in the last couple of years we have seen more of the fulfilment industry coming to Jersey, have you actually had any cases whereby, followed through, this amendment, these sanctions, would have been used?
Data Protection Commissioner:
No, which is good to report. Very well behaved they are, too. [Laughter] As far as we know.
Deputy M.R. Higgins:
I can see where you are coming from; it is pre-emptive, in a sense. But you have not brought forward, for example, any amendment to do with the breaches on rehabilitation of offenders.
It is not my law.
Deputy M.R. Higgins:
Sorry. Well, in a sense if data is being released or if people are trying to get around different legal requirements as to how they obtain information, surely that is part of your ...
Data Protection Commissioner: It could be a 55 offence, absolutely.
Deputy M.R. Higgins:
But you have no concerns at all about how, for example, information ...
Data Protection Commissioner:
If an individual has obtained information illegally and it is in breach of the rehab law, then a 55 sanction could apply, absolutely. We have taken regulatory action in respect of rehab standards, absolutely.
Deputy M.R. Higgins:
How about situations where ... and this may not be your area. I am trying to explore to see where it is. For example, we know that in the Island many firms are now saying to people: "Go and get a police check yourself and give us the details to come back", so they are getting around Rehabilitation of Offenders Law in that way.
Data Protection Commissioner:
I am afraid I could go on for a very long time about rehab law and I will not because I know you have to get home this side of next Tuesday, but I think it is a law that has been neglected. I think it is a law that was brought in without any mechanism for individuals to exercise their rights under it. I have felt that very, very strongly over the period of a number of years and I have tried to address that the best I can in my position. If an individual is required to ... it is incredibly complicated because if an individual is applying for a job, largely its because they need that job. If they are told by the potential employer: "I want you to go to the police station. Here is the form, bring back what you have" and that person has a spent conviction, he does not have to declare it. He either discloses that spent conviction to his potential boss, who might say: "Oh, you have a conviction, I am not going to take you on", or he does not ... he says: "I am not going to show you" in which case he probably will not get the job anyway. Either way, he has his rights completely and utterly trampled over but the power afforded to him in that relationship is nil. He does not have the power. Very, very few come to us with their names. They come to us and say: "What do I do? Here is my sheet. I nicked a Mars bar 20 years ago. What do I do with it?" and it has been a deep source of frustration for me that they are not prepared to follow it (the compliant) through but I absolutely understand why. We have worked tirelessly over the last 4 or 5 years to progress this and I am thrilled - I genuinely say thrilled - that we have it largely resolved in terms of using Scotland Disclosure Office so that what we do now is direct people to the Scotland Disclosure Office so they can get a certificate, a printout, which takes out spent convictions. So any employer now that comes to us is directed to Disclosure Scotland. I am afraid that that ... the subject access route still goes on an awful lot in Jersey and I feel very passionately about it. Indeed, as I said earlier, we have taken action with employers that have ... one of the
principles is not to collect excessive data. Asking an individual to provide evidence of spent convictions if the profession is not an exempted profession is collecting excessive data and we have and we will continue to take that very, very seriously.
[13:45]
The difficulty is getting those individuals empowered enough and confident enough to come forward because they often feel that it will blacken their name. Once it is highlighted that they have a conviction, albeit spent, they feel very, very vulnerable, understandably.
Deputy M.R. Higgins:
But it does fall within your remit, this whole problem?
Data Protection Commissioner:
Any personal data, the way that the police handle conviction data absolutely is, and if they disclose it unlawfully. The trouble is the data protection ... a bit of a double- edged sword here because the D.P. (data protection) law provides individuals with rights of access and that is a right for themselves, it is not a right for anyone else. But what employers are doing is saying: "You exercise that right and then give it to me" which ... well, it is illegal for a start. But again, the power is so out of kilter in those situations that the potential employee will often say: "Well, I am just going to disclose it anyway" or: "I am not going to apply now." That is dreadful because they have a legal right to not declare that.
Deputy M.R. Higgins:
Have you at any time actually publicised the fact that it is illegal for employers to do it?
Data Protection Commissioner:
Many times. I have a file like that in my office where we have done ... every year or so I try and get together with probation to do a little press release on it, but it is like a broken record. But I will say that Disclosure Scotland is a huge breakthrough for us and I have to put credit where credit is due in terms of the Home Affairs Department and the police, who have done an extraordinary amount of work as well, but I have gone on, I have banged the drum on this for many years because I see these people come into my office who sit there distraught, desperate for work, but stuck between the devil and the deep blue sea and they are not prepared to take the complaint forward or give me their name so that we can deal with it because they think it will stop them from getting any employment in Jersey because it is such a small place. So it is a huge problem.
Deputy D.J. De Sousa:
It can create a vicious circle, then, with reoffending and the rest of it.
Data Protection Commissioner:
And we have had one individual ... one individual had progressed a complaint with us and has been unable to find work and I ... you cannot help but think because the employer has got wind of the fact that he is difficult, but he is just exercising his rights.
Deputy M.R. Higgins:
I must say I am pleased you feel so passionate about this, but is there anything that you can do, any amendment that you can bring to the law to try and alleviate the problem?
Data Protection Commissioner:
I can do what is ... we are given the powers already in the law and we need to respond effectively to those cases. It needs a more holistic approach than just in the Data Protection Law, though. It is a very good example of how you cannot just bring a law in and it will look after itself. The rehab law needed nurturing and I do not think we collectively nurtured that law enough because I think many people have not had their rights respected in that law over the years that it has been in force. Disclosure Scotland is a big breakthrough and it allows individuals ... and certainly for employers we are saying now: "Use Disclosure Scotland" and a lot of them are. So we are getting there but very slowly. If there is anything else I can do I would like to know because I will do it.
Deputy M.R. Higgins:
Okay. That is what I was asking: was there any amendments you could bring? It is more a question of enforcement and ...
Data Protection Commissioner:
It is a question of ... the rehab law sits on its own anyway. This law will look to the way in which employers seek to gain access to information about previous convictions and it absolutely does kick in. As I say, we have ... and we take it very, very seriously, a couple of very serious cases on individuals that we have dealt with over the years that involve this very question. So I think the way I ... the only powers I have I think available to me is constant media attention on the matter which we try to do with probation every so often. We do a bit of a splurge on it with Mike Cutland and so forth. The other is looking at this law and looking at the remedies it provides where there have been cases of breaches of rehab as well, which we do do.
Deputy T.A. Vallois:
I think we are going to have to move on because time is running ...
Data Protection Commissioner: Sorry, yes, my pet subject, I am sorry.
Deputy T.A. Vallois:
... and we have still got 5 amendments to get through.
Data Protection Commissioner: Apologies.
Deputy T.A. Vallois:
The next amendment that we were looking at was amendment 4, was for the power of seizure to include equipment found on the premises. Again, why is it that the amendment is required?
Data Protection Commissioner:
The wording at the minute ... I do not know if you have had a chance to look at the detail, but the wording is not wonderfully clear. The wording could arguably allow us to go in and if we see the data to take a ... we think the data is on the computer, to take the computer. I am not ... I do not think "probably" is good enough. If I go in with a warrant, which is incredibly rare ... the surgery was the most recent example at the waterfront. I mean, it is very, very rare that we use those powers and it really is the end of the line as far as we are concerned, but if we go in and the only ... if we are going in on a data protection issue and the only area where that data is present is on a computer, we want to take the computer, get the data, and return the equipment. The advice given to me is that it is probably okay to do that now but I do not want "probably". I want "definitely". I want to be able to go in ... if we are taking such extreme measures as in possibly breaking into someone's premises and removing things from the premises, I need it to be solid. So it makes no sense, again, if you have a question of data and you cannot take the data. It is that simple, really. Largely there is a lot of manual data in organisations but it is very often reflected equally on the computer. So all the normal protections apply. We would use any of those powers in accordance with the P.A.C.E. (Police and Criminal Evidence Act). We have to return that equipment very, very quickly, so we would use, again, the police to take copies of the data and return the equipment. It is a very, very high bar for us to reach to get that warrant in the first place, as it should be. It is very time consuming and we need to be spot on with it. So I do not want there to be any doubt if the words ... at the minute it is "other material" and I do not think that is particularly helpful to me. I think: "Is a computer material? Probably not but ..." I just need clarity on that.
Deputy M.R. Higgins:
Have you asked the Law Officers for an interpretation of that?
Data Protection Commissioner:
Yes. I think the interpretation is that I probably would be okay but I want more than "probably be okay". I want it to be clear. The way that it uses the word "equipment" in a previous sentence would imply to me that other material risks not covering that. So I need that point to be clarified because it is quite important if we go in on a serious breach, which it has to be serious to get a warrant, that we do not go in and say: "Oh, we cannot take anything anyway after all that. Just note it all down and we will just go away."
Mrs. H. Ruelle:
Just out of interest, we had again a discussion this morning. I was asked about the U.K. position on this. My understanding in the U.K. - and again it is quite hard to follow it through - that it is not ... they rely on the other materials rather than the equipment.
Data Protection Commissioner: They do.
Mrs. H. Ruelle:
But I hear what you are saying.
Again, it is something ... you know, I respect that. The last thing I want is in a very difficult case to fall down on a point of procedure. You know, we get to the court and the court says: "Actually, you should not have relied on that and you cannot take that." I want to be watertight when we are taking that sort of action.
Mrs. H. Ruelle:
Could you just as well ... because another of the concerns that we have heard about this morning is, of course, the impact on business if you remove the computer.
Data Protection Commissioner: Yes, absolutely.
Mrs. H. Ruelle:
Which is potentially huge and, you know, I think the phrase this morning was: "That shuts me down once my computer has gone." I suspected that what you were saying was the case but could you ... I mean, have you got any idea of how long it takes to get that computer back into operation within the business? Are we talking hours, days, weeks?
Data Protection Commissioner:
Well, the first thing I would say is that in order for a warrant to be provided the breach has to be very serious. So if you weigh up the potential breaches in data protection terms with the individual organisational needs, notwithstanding that, there is a legal requirement for us to return that data as quickly as possible. We have very good co-operation with the police. The recent case at the waterfront, we did not need them to be present with us but we asked them to be present with us because of the sensitivity of the data concerned, the medical information. In such cases we could turn that around in 24 hours because we could use their forensics to take a copy. In a case such as the medical records, there may be concerns about returning the data if there was risk of ongoing breaches. Again, it is going to be so incredibly rare but the law has to allow some flexibility. You know, if a person is routinely breaching security requirements and there is no ... he or she is unable to guarantee that that will be looked after when you return it, you have to be asking questions in that respect. But what we want is co-operation. We very rarely have to resort to a warrant. We more often than not go into an organisation and will sit down in front of the computer with them and say: "Right, if there is a particular person that has complained, let us get that record out." And that happens 99 per cent of the time, and 99 per cent of the time that works. So it is for the one or 2 occasions in those hundreds where the ... in this particular case, the individual was uncontactable and the data had been abandoned so, again, we had left it over months ... quite a few months of trying to make contact and there was very, very real security risk for that data so we took that judgment call, but again, very, very rare.
Deputy M.R. Higgins:
In the last 5 years, how many times have you used a warrant?
Data Protection Commissioner: Three.
Deputy T.A. Vallois:
Anything else at the moment? No. We will move on to amendment 5. This was the maximum fee chargeable for subject access requests. Just we had Health and Social Services in this morning, which was very interesting and very helpful, as I am sure Deputy Noel is aware [Laughter]. So we just want to understand exactly the reason behind raising the fee and whether this will have any effect on individuals' subject access requirements.
Data Protection Commissioner:
I think ... well, to be brutally frank, this amendment is put in because I have been asked to do so. We are responsive to comments made to us from industry and from public sector about how the law is working for them and I will look at it and if it seems reasonable it is up to ... you know, this law was not created by me, it was created by the States of Jersey, and if I am provided with submissions about improving it or making it more workable for them, then I will pass that to you guys to consider. So, the argument came to me, which I thought was very convincing, from Health that during the transition period of the law they had a maximum chargeable fee of £50 for their subject access requests. I think from personal experience Health deal with some of the most complex requests for data that I ever see, largely because of the nature of data, sort of X-rays, equally because of the number of people that can be involved in care, could be U.K. consultants, private consultants, a vast array of different organisations possibly involved. It is a very complex web of data handling in terms of ... or potentially. So I think they have a legitimate reason to ask for us to reconsider the £10. £10 is very low but it is very low for a very good reason, that (a) to encourage organisations to have a good records management system so they can identify the data, but (b) it should not be a deterrent for people to exercise their own rights. So I think we have to find a balance between not penalising the organisation in terms of the reality of the cost because it is expensive to go trawling; it is expensive to go to ask a consultant for consent to release a particular document; it is expensive to get a copy of an X-ray or an M.R.I. (magnetic resonance imaging) scan or something like that, so I think we cannot ignore that. So I am very receptive to that request. I have had banks moaning at me about the £10 for ever and I have very little sympathy because I think they try to charge £4 per page for statements and stuff and they cannot do it. So, again, in a sense my judgment is - and it is a personal judgment - that those sort of organisations it should be just a click of a button and they are just trying to get a bit more money. But actually I have a lot of sympathy for Health because I have seen firsthand the nature, and having had to go through the 5,000-odd records that we seized the other day I have absolutely full sympathy with them because they are voluminous, some of them. Some of them are not but ... What I would like to see if there is an increase is ... and they demonstrate it already, is a flexibility so that if a record is very straightforward they see that £50 as a maximum, not as an absolute, so that if it is a very straightforward one they can say: "We will give that to you for free" or for £10 or whatever. So I think ... and in my experience again I have found them very, very receptive to that flexible approach.
Mrs. H. Ruelle:
There is potentially a perception, and you have spoken about banks, and obviously a lot of data in those circumstances may be very straightforward, but equally in some cases data subject access requests within any organisation are complex. So, for example, if you are talking about tape recordings of telephone calls or C.C.T.V. (closed circuit television) footage, which actually takes an awful lot of manpower to find, copy, redact, all of those things - and those are just 2 examples that I am sure you are aware of - I suppose the question is, is there a potential for inequity between other people who do also deal with quite complex data and Health on this?
Data Protection Commissioner:
Yes, to be brutally honest. There is and I think it is a question of looking at the arguments. I have had no formal submission from anyone else. I have had a lot of moaning from organisations that have received requests and only had to be paid £10, but there has been a very grown-up dialogue with Health very early on who have said: "This is not just about us baulking. Where we can we let them have it for free." It is that approach that I have been impressed with, whereas a lot of the banks, they have lost their ... the ones that have the problem is the records management it actually comes down to, but if you look at the nature and complexity of applications, I mean, the police are another example who have to deal with really complex ones and they invest thousands of pounds in staffing for it but I have not had a formal submission. So, again, I am putting to the States what I have been asked to put to them. If a submission was made by a bank, P.L.C. (public limited company), I would communicate that to the Minister. I do not just write it off. I do not mean to say that I have had formal submissions and I have just gone: "Get lost." No, if I had had formal submissions I would present them and we would discuss them.
Assistant Minister for Treasury and Resources:
This is one area where there may be some political interference. It is well known that I am a great believer in obtaining the full cost of recovery for services.
[14:00]
Deputy T.A. Vallois:
But you are aware of the rights of an individual to be able to access their information.
Assistant Minister for Treasury and Resources: Yes.
Deputy T.A. Vallois:
So, in order to charge more money, you would actually be possibly ...
Assistant Minister for Treasury and Resources:
Health are ... and it is a piece of work that has been ongoing and has come to light very, very recently. Health may be putting a submission in to increase the request further than the £50. That has currently been requested for third party medical record requests that exclude medical disclosures, where it is part of a litigation case against a hospital, so there is a move to charge insurance companies and law firms full costs of recovery. That has come to light recently and it is part of the C.S.R. (Comprehensive Spending Review) programme that is starting to happen within ... throughout most States departments. Currently, Health employ one individual 20 hours a week purely to deal with third party cases.
Deputy T.A. Vallois:
It is interesting that you are talking about cost recovery because I actually questioned a couple of times this morning how much does it actually cost to do this and I could not get an answer. So I think it is fair to say that it is not fair to actually increase a fee like this unless you know exactly how much it costs because you cannot recover a cost that you do not know.
Data Protection Commissioner:
And I would not like to see full cost recovery on any access request. It is not meant to reflect true costs ... it is meant to encourage organisations to have an openness with data subjects. So I still think there is room for dialogue in terms of individual cases; that is why I am pretty receptive to Health's request. I think they put forward a very strong argument. But I do think we need to steer clear from the concept of "what it costs you pay" because it is meant to be a fundamental right, a plank of the law that is incredibly important from a principle perspective.
Assistant Minister for Treasury and Resources:
I would like to make clear that Health are purely looking for a greater level of cost recovery for third party enquiries.
Mrs. H. Ruelle:
Absolutely, but there is a distinction, is there not, between this law which is about data subjects' access to their own records and requests made during litigation by third parties when the argument is potentially there is another route to obtain that information.
Data Protection Commissioner:
I think you will know more than I do, probably, that a request from the data subject ... data access request under this law may not provide the data that full disclosure would provide so ...
Deputy D.J. De Sousa:
The 2 that we had in from Health this morning at great length went through some figures for us and they are nowhere near cost recovery, but they also said they were aware that it had to be proportionate so it did not deter or differentiate, that people could not get their records.
Assistant Minister for Treasury and Resources: That is why it is always a maximum.
Data Protection Commissioner:
I think that is really good for me to hear because it proves that they are actually having this dialogue themselves about what is reasonable. That is one thing I have been incredibly impressed with Health, actually. I should not say it ... there is no agenda here other than saying that what you are seeing is an engaged dialogue about the reality of these charges, what they actually mean to people and not deterring people, so I am impressed by that.
Deputy D.J. De Sousa:
Yes. The Health Minister at great length this morning said this has really opened her eyes. She did not realise how much it actually cost the department within their budget to deal with it.
Data Protection Commissioner: Yes.
Mrs. H. Ruelle:
And they did also stress that it was very much an "up to" because I asked the question. So, you know, again, exactly what you just said, they said sometimes it is nothing, sometimes it is £10 and sometimes it is a bit more.
Data Protection Commissioner:
Yes, and that is a really good ... that is a very positive way, I think.
Mrs. H. Ruelle:
So, that was very much reiterated this morning as well.
Data Protection Commissioner: That is good.
Deputy T.A. Vallois:
Just moving on to amendment 6, it is the amendment for the provisions relating to subject access exemption for trustees within the Foundations Law.
Data Protection Commissioner:
The specific exemption in the law as it stands for ... to fit in with the Trust Law and it is about giving information to beneficiaries specifically. The Foundations Law is a new law but I defer to the experts here. It is not my area of expertise. But there are exemptions in the Foundation Law for the provision of information to individuals and at the minute if you do not marry the 2 there is a risk of conflict. So this is purely to sit tightly with the Foundations Law. The same applies ... if we can bulldoze through to point 7 as well, exactly the same applies there because there are carve-outs for providing information under the Drug Trafficking Law which actually - and it is probably my fault, I shall probably have to take the blame for it - should have been put in the original law with Article 41 of the Drug Trafficking ... It is just to marry up the bits of legislation so that the Data Protection Law is not forcing someone to disclose information that another law is saying: "You must never disclose" so they sit comfortably.
Deputy D.J. De Sousa:
Who will it actually affect and in what manner, amendment 6?
Data Protection Commissioner:
If an individual were to ... if we use a trust as an example, if an individual is a beneficiary and the trustees have been told not to inform that beneficiary until he or she is 21 or whatever, then there is a carve-out ... interrupt me if I am wrong. I hear in very simple terms when it comes to trusts, I am afraid. The Data Protection Law provides rights of access to information but if the trustees have been told not to provide that information to a beneficiary for certain reasons, by the settlor or whatever, the Trust Law and the Foundations Law says that you are not obliged to disclose that. I think in the U.K. what had happened is some of the charities had sent round thousands of subject access requests to all trusts to see if they were going to benefit from any people's wills or trusts or whatever. So it would allow an exemption to the access request in relation to Foundations Law as it does now with Trust Law. It would also ... in exactly the same way in terms of access request, drug trafficking offences; if by providing the information to an individual you are tipping them off that there is an investigation going on about them, you do not have to disclose it. So it is just tidying that up, really.
Deputy T.A. Vallois:
Is there anything ...? No. We might as well skip straight to number 8, then. I think it is probably ...
Data Protection Commissioner: I like number 8. [Laughter]
Deputy T.A. Vallois:
This is the amendment for the provisions relating to the notification fee for charities. Again, it is simply what is it that is required for this amendment and how are you going to push forward?
Data Protection Commissioner:
The law does provide an exemption to notification for charities, but we have a number of charities in Jersey that process data beyond that which the exemption allows for. Because it talks about just membership and ... if you think about a very general small charity which is just people who give money, supporters and stuff as members of a charity, so that applies quite a lot to organisations, but if you think about somewhere like the hospice, not only are they holding information about donors and financial supporters, they are also holding a lot of medical information. They go beyond just the management of charity administration, if you like. So, there are a number of them. There are not that many in Jersey but I just in a very human sense felt very uncomfortable taking their £50 off them. So I do not think it will impact ... I think there is a Treasury person ... I have to be careful because we are running short of cash, as everyone is, so I am very conscious that I do not want to decrease the income, but my job is not just about getting money in, it is about doing morally what is right. And I think it feels better to me to say to places like Jersey Hospice that: "You have to notify with us. We have to know what you are doing because the nature of the data is so sensitive. Obviously the rules have to apply but we will not charge you." I would like that very much.
Deputy D.J. De Sousa:
Following on from what you have just said there, would this reduction of income cause any difficulties?
Data Protection Commissioner:
No. I mean, there is a handful of them. Most of them are exempt anyway but the few that ... those organisations that process the sort of extra data but actually have a caring role, they are the ones that sort of fall into the net at the minute and I do not think they are really ... if I thought about it more carefully at the time, I probably would have been clearer when the law came in, but it did not occur to me at the time so ...
Deputy D.J. De Sousa:
Would it lead you possibly to raise extra revenue in increasing fees for other registers?
Data Protection Commissioner:
That is not my call. I will not be calling for an increase in fees myself but obviously that is a political decision. There is pressure because we have a very limited budget and a very wide remit.
Deputy D.J. De Sousa:
Where does that pressure come from?
Data Protection Commissioner: Budgetary pressures.
Deputy M.R. Higgins: Treasury. [Laughter]
Assistant Minister for Treasury and Resources: The fees have not gone up ...
Data Protection Commissioner:
It went up when the law came in about ...
Assistant Minister for Treasury and Resources:
That is it. That is 5 years ago and we have had 5 years of staff pay increases.
Deputy T.A. Vallois:
So that is a way of saying it is going up.
Deputy D.J. De Sousa:
So it would be Treasury requesting ...
Assistant Minister for Treasury and Resources:
You asked where the pressure was coming from. That is where the pressure is coming from. The revenue base has not(?) necessarily increased. You have more people registering now.
Data Protection Commissioner:
We are trying to do our best to capture as many ...
Assistant Minister for Treasury and Resources:
But the cost base has been increasing so at some point the 2 are going to have pressure against each other.
Data Protection Commissioner:
Yes, and certainly in the U.K. the maximum fee now is £500 a year for big organisations.
Mrs. H. Ruelle:
That has got complex, has it not, with the tiering system?
Data Protection Commissioner:
Yes, and we did look at that at the time. We looked at that because it seems a bit unfair that you get the little window cleaner paying £50 a year as well as Barclays or another ... any big firm. It does seem ... but the trouble is when you look at the reality of managing that, I would need a whole new person just to work out the fees. I want my team to be doing our job rather than admin-ing a whole new set of bureaucratic processes to work out who pays what. So I think I would like to charge nothing but that is not going to happen.
Deputy D.J. De Sousa:
Therefore, following on from what the Assistant Minister for Treasury and Resources has said, if the fees were to increase to increase revenue, would those increases automatically be going back into the commission or would Treasury be looking to siphon off those increases?
Assistant Minister for Treasury and Resources:
The amount of revenue that comes into data protection is ...
Deputy D.J. De Sousa:
Would it stay within that department?
Assistant Minister for Treasury and Resources:
It is not something that Treasury would get excited about. Basically ... [Laughter]
Deputy D.J. De Sousa:
You are still not fully answering my question: would Treasury be looking to siphon off some of those funds for elsewhere to fill deficit gaps or would all that money be going back to the commission?
Assistant Minister for Treasury and Resources:
Providing the fee being generated covers the cost of running the commission, surely then it serves its purpose. It is not a tax.
Deputy T.A. Vallois: Anything further?
Deputy M.R. Higgins:
I have a question, just going back, actually. It is on amendments 1 and 4. We skirted round some of the questions, and basically it is the relationship between your powers or proposed powers and the police procedures and criminal evidence powers used by Jersey police. I would like to know have you worked with the police in these areas and have you relied on the police powers in any particular situations and, if so, how?
Data Protection Commissioner:
I hope I did not skirt round anything. I hope I have answered everything ...
Deputy M.R. Higgins:
No, we did not ask the questions.
Data Protection Commissioner: Oh, I thought you said I had, sorry.
Deputy M.R. Higgins:
No, we did not ask the questions.
Data Protection Commissioner:
The vast majority of our work is not related to any criminal investigation. That is the first thing to say. Where there is an allegation of criminal offence, and that largely is about Article 55, it seems logical to me to get the assistance of the police from relatively early on, not least because our main area of expertise is regulatory. That is where we are most comfortable. We do not get involved in criminal investigations very often. So, it is helpful to have the expertise around us; for example, with the search warrants and so forth it is good to have someone that understands the process, that can help us with things like the bagging and sealing and so forth. It is done on ... there is no formal agreement with the States of Jersey Police, but nonetheless they are obliged to investigate crimes, allegations of crime. So an individual can report an alleged crime to us but equally - and you will probably find that is where the stats maybe will not match up if you get them from the police - they may have had more complaints on data protection than we have had because they are quite at liberty to investigate that themselves and to conduct investigations into data protection breaches themselves. So, each case is taken on its merits. Each case if we want police assistance we have to convince them why and convince them that it is a good use of their resources and that we have exhausted everything that we need to do. Quite rightly, that can be a bit of a process because we do not want to be running to them just because we have not got the manpower. So, we think about it very hard and we only refer cases to them either for assistance or a bulk transfer of that investigation, which has happened, on very rare occasions.
Deputy M.R. Higgins:
That was my next question but you have already answered that part. In terms of police powers under the P.A.C.E., what particular powers do they have that you would find useful?
Data Protection Commissioner: None.
Deputy M.R. Higgins:
None in particular? I am just saying ones that you do not have.
Data Protection Commissioner:
I have never relied on P.A.C.E. for ...
Deputy M.R. Higgins:
I am just wondering are you relying on them in some cases. You say you have handed things over or you have worked with them. Are you relying on their powers rather than your own powers, or deficiencies in your own powers, to achieve the end that you are trying to seek?
I am not, no.
Deputy M.R. Higgins: Okay, thanks.
Deputy T.A. Vallois:
Anything else? No. Can I just ask on a basic knowledge of the actual Data Protection Commissioner role, how many people are in your office?
[14:15]
Data Protection Commissioner: Four.
Deputy T.A. Vallois:
Do you feel restricted to a certain extent in enabling to do what you could do or are able to do in data protection terms?
Data Protection Commissioner:
I am fiercely tight when it comes to money and I am fiercely protective of what is a very effective team with very limited resources and a very wide remit. There are huge advantages to having a small team but what I have found is when I first started in this job it was a very proactive task I had to educate, get out there and talk about the message, especially when the law was coming in. In a sense, I am sort of reaping the rewards of that now because ... also it is a change in climate generally, but people are much more willing to come forward and complain. The one thing that does concern me, for the record, is our capacity for dealing with complaints. We are struggling.
Deputy T.A. Vallois:
Are you seeing the complaints on an increase?
Data Protection Commissioner:
Yes, very much so, and the complexity of them has dramatically increased. So what would take a couple of days possibly to resolve, we have ones that have taken months, if not years because of the hurdles we have to get over and the number of areas we have to examine. Yes, they can be very, very complex and it can be very, very tough with a very small team. Actually, there is only 2 of us doing data protection work because the other 2 are admin. So, yes.
Deputy T.A. Vallois:
So the actual proactiveness from the beginning that you had is ...?
Data Protection Commissioner:
It has gone. Very rarely will you see us out talking to organisations now and if we do so we want a large audience so we can capture as many people as possible. In my first few years of being in the department I would go and talk to, you know, the church mouse if he asked me. We would go out and do talks to small teams. We would go to organisations and do ... run sessions, not training, I am not a trainer, but we would go out and talk, do Q. and A.s (questions and answers) with very small teams, H.R. (human resources) teams, and now I desperately would like to do that because it keeps the message out there. But we have to prioritise. The people that complain to us have to come first. We are coping and it is an amazing team, motivated and very clear of their focus, but nonetheless I could probably do with one full-time enforcement officer. That would be my gut feel now. But you do what you can do and some complainants are not happy that we cannot do more for them, but that is the nature of it. You have to decide what you do and where your priorities lie.
Deputy D.J. De Sousa:
I realise we have taken up more of your time than was ...
Data Protection Commissioner:
I have taken up more of your time, probably.
Deputy D.J. De Sousa:
But expanding on from what you have just said and the fact that Treasury are looking to increase the money and the ...
Assistant Minister for Treasury and Resources:
I did not actually say we were looking to increase money. You asked if there was ... where the pressures were coming from and I gave you an example of where the pressures were coming from.
Deputy D.J. De Sousa: Yes, well ...
Deputy T.A. Vallois:
If there could be possibilities of increases.
Deputy D.J. De Sousa:
Following on from that, you have said that you would rather still be proactive, and bearing in mind that the number of complainants have increased, would you be looking for or asking for an increase in your revenue to employ somebody to keep that proactive side of it going so that people are more aware of what is expected of them as well as data controllers?
Deputy D.J. De Sousa:
I have thought very, very long and very, very hard about that question in the last few years. I would like to think - and I will be careful what I say in the presence of Treasury - that there is some acknowledgement of how tough we are about spending. Every penny my department spends is taxpayers' money and I am painfully aware of that. I want to give good value for money. I do not want to be running to Treasury or the States if we are just experiencing a spike in complaints. If I was to be brutally honest, I would like one more post. I am not sure that at this stage I could evidence a sufficient long-term need because next year may well be quiet, but I think you are right in the sense the proactive work has gone by the wayside. Nonetheless, I think you still do see us ... the only way we have of getting the message across is the media. We do not have the money for glossy leaflets or adverts in the J.E.P. (Jersey Evening Post). So you do see us popping our head up occasionally, and with Tracey the other week, so we try ... I try and balance the 2. I focus a little bit more on the large complaints and the proactive and my deputy is now doing pretty much full-time
enforcement work, which is just as well that he is an ex policeman so it is very useful in that respect. But I sensed when I recruited him that I might need that and it has proved to be true and it is incredibly valuable to have that resource. Nonetheless, I would like him to do a bit more. So, it is a very difficult question and it is a question that you grapple with because you do not want to be running, as most people are most of the time, for more resources. You want to try and do what you can the best you can with the resource you have in a very difficult environment. The States has to weigh up what benefits we are providing with the cost ... but we cost you just 250K, whatever, a year, so I feel very comfortable with what we provide. We do not keep everyone happy all of the time but in terms of value I am very happy. I would like a dialogue in the next 12 months, 18 months, with Treasury. I hope you do not mind me speaking honestly, but I would like to start that dialogue about resources, bearing in mind we have the F.O.I. (freedom of information) on the horizon. I think that would be ... I have always seen that as maybe an opportunity to reassess where we are and look to a more multi-skilled team that can straddle the 2. So if we have a spike in data protection work we can move across an F.O.I. officer and vice versa. So, that is my vision but I have been maybe a little backward in coming forward to ask for money. I have always fought on our budget to keep the budget and not to increase fees. I feel very strongly about that. But in terms of more money I am a little bit reticent to do so in this environment.
Deputy T.A. Vallois:
Can I ask on that basis, then, your caseload probably increases year on year, and just out of curiosity, since your department was set up how much has your budget increased, if at all?
Data Protection Commissioner: It has gone down.
Deputy T.A. Vallois: Right, okay. Interesting.
Data Protection Commissioner: We are trying to ...
Deputy T.A. Vallois:
Because I understand that the States ... I have been in the States for only 20 months now, something like that, and I am becoming increasingly aware of how bad we are at bringing things in and forgetting about them and not reviewing them and ensuring that we are getting best value for money, et cetera. We are notoriously bad for it. I think with this in particular I think people ... especially from the evidence we have received this morning in hearings, is how unaware people are at how important this data protection is. It is concerning because, as a politician, bringing a law in is a big thing. Nobody likes more red tape but if it is going to be in there it needs to be effective. That is my view. With us reducing budgets, increasing workloads and then it is ... and it is just concerning me, hearing especially we have reduced the budget and expecting you to be able to ...
Data Protection Commissioner:
There are a number of ... well, there is a clear benefit to having the commissioners independent because there is no political influence even from Treasury and I just say what I feel, which is great. You need that. You need to have someone ... but again it is a bit of a double-edged sword because you do not have anybody ... and it is absolutely no criticism of Treasury because it is not their role, but there is no one spearheading it politically. So, you have to make judgment calls about what you are putting on your report about resources and how you submit for further funds and in a sense that is the time you could do with some political lead to say ... it is not actually about me, it is not about what Emma wants, it is about the department and what it needs. Whether I am here today and not tomorrow, it does not matter because the issues remain the same. I mean, we are not at crisis point but I think I am very reflective a lot more these last couple of years about where we need to look to the future and how I need to support my staff, apart from anything else, to dealing with their workload and supporting them in their workload. So, I am very proud of them for a start. It sounds a bit trite but it is very true because they work an enormous workload in often very difficult circumstances, but we are also very clear about what we are doing and why we are doing it, which helps. I do not want to be running to Treasury but I would like the dialogue about how effective we are, are we value for money and, if not, actually can we repeal the law? Can we save 220K a year for the taxpayer? I do not mind having those discussions but I think we do need to think about that collectively over the next year or 2 because if it carries on it will become unmanageable.
Deputy M.R. Higgins:
With the problems you have described and if freedom of information comes in and if it is placed within your department, how are you going to cope?
Data Protection Commissioner:
Well, there is allowance for extra resources and I have put a submission in for that.
Deputy M.R. Higgins:
What sort of extra resources are you seeking?
Data Protection Commissioner: Two staff.
Deputy D.J. De Sousa:
Do you feel that would be sufficient?
Data Protection Commissioner:
It is very, very hard to say because it is almost impossible, I would suggest. You can only go by examples, you know, equivalent jurisdictions that have had F.O.I. implemented. The environment in the U.K. is very, very different so it will be ... I am not sure it would be terribly useful to use figures from the U.K. but anything I have submitted to the P.P.C. (Privileges and Procedures Committee) in respect of F.O.I. is that we need a bedding-in period and you need to ... if I do not need 2 and I only need one, then you can have one back. I am not into empire building. I am into value for the taxpayer. But if after a year I need another 2 because we are not ... if you bring a law in and it does not work, that is a disaster. You need to bring the law in with a commitment to make it work. F.O.I. will be actually less work at the coalface for us than data protection because a lot of the decision-making process will have been carried out and we will be reviewing those, disclose or not disclose, whereas data protection what we have to do is very detailed investigative work, you know, literally traipsing from one data controller to another and liaising with complainants, processors, data subjects. Very complicated investigations which you will not necessarily see in F.O.I., so I am more concerned about D.P. resourcing than I am about F.O.I. but they need to be very serious about funding it for us, yes.
Deputy M.R. Higgins:
I am wondering how you are going to manage your time between the 2, then.
Data Protection Commissioner:
As commissioner, how the commission will manage the 2? I think it would be a good decision to put them together. Again, not about empire building but in cases where they have split them, in jurisdictions where they have split them, very often these cases rest on judgment calls and it is not a question of black and white. They are a question of public interest, of confidentiality, about sort of area, so if you have 2 people you are going to have much more conflict, 2 people regulating 2 different areas. Certainly, in cases like in Scotland where they have 2 different commissioners it is more problematic for the individuals who are trying to work their way through these laws. We deal with queries on the code of practice all the time and it sits very, very comfortably from a conceptual point of view. So I have always been very relaxed about the responsibility of F.O.I., not about the resourcing, but about how it sits with the functions of Data Protection Commissioner. I think the 2 have absolutely ... the D.P. law is misunderstood as stopping information from going anywhere and F.O.I. would be good for its image in that sense because it is about openness and transparency of the appropriate data at the appropriate time and the non-disclosure of data which is about privacy. The 2 should marry as long as you have the control of a commissioner's behaviour and tribunals and all the rest of it in place where judgment calls may be flipped by tribunal or court, which is absolutely the way it should be. I think it would make no sense to me, you know, even if I resigned tomorrow, for the new person, it makes no sense to me to have 2 people, the expense of 2 commissioners where you are more likely to end up in tribunal and, therefore, escalate the costs again, and a whole new set of team, admin, offices. It does not seem to make sense to me but, again, that is a political decision. I am happy either way. If I do not get it, I love the job and I will do it, but if F.O.I. comes my way then we will embrace it with the appropriate resources.
Deputy T.A. Vallois:
Okay. Well, thank you very much. Very much appreciated. I am sure you will see everything in public, transcripts, be interesting ... Thank you very much.
Data Protection Commissioner: Thank you. Nice to see you.
[14:28]