Skip to main content Skip to accessibility
This website is not compatible with your web browser. You should install a newer browser. If you live in Jersey and need help upgrading call the States of Jersey web team on 440099.
Government of Jerseygov.je

Information and public services for the Island of Jersey

L'înformâtion et les sèrvices publyis pouor I'Île dé Jèrri

CERT Privacy Policy

This privacy policy and retention schedule covers the Cyber Emergency Response Centre for Jersey (CERT) which sits within the Department for the Economy.

The Department for the Economy is registered as a 'Controller' under the Data Protection (Jersey) Law 2018 (the "Data Protection Law"), as we collect and process personal information about you. We process and hold your information in order to provide public services and meet our statutory obligations. This notice explains how we use and share your information.

We will continually review and update this privacy notice to reflect changes in our services and feedback from service users, as well as to comply with changes in the law.

How we collect information about you

Information about you will, in most cases, be collected directly from you. This may be done by you completing a paper or online form, by telephone, email, or by a member of our staff.

In some cases, we may collect information about you from another Government of Jersey department or from third parties with which we intact in order to deliver our duties.

Third party organisations with whom CERT will interact include National Security Agencies, Law Enforcement and Crime Prevention Agencies, Cyber Emergency Response Teams and other National or International Cyber Authorities.

Email

If you email us, we may keep a record of your email address and a copy of the email for record keeping purposes in accordance with our retention schedule.

We suggest that you keep the amount of confidential information you send to us via email to a minimum.

Telephones

We may record or monitor any telephone calls you make to us using recording equipment, and if you leave a message on our voicemail systems your message will be kept until we are able to return your call or make a note of your message.   File notes of when and why you called may be taken for record keeping purposes, in accordance with our retention schedule.  We will not pass on the content of your telephone calls, unless is it necessary for us to do so, either to fulfil your request for a service, to comply with a legal obligation, or where permitted under other legislation. 

Types of information we collect

The types of personal data collected will vary depending on what information you volunteer and the information we need in each circumstance. However, we have listed below the most common categories of information we may collect about you:

  • contact details, for example name, address, phone number, mobile phone number; email address
  • organisation details, for example name of your organisation, job title or role, responsibilities within organisation
  • incident details, for example victim information, data on alleged or confimred criminal activity, information on cyber security vulnerabilities, computer and network forensic information
  • cyber risk data, for example information shared by other national cyber authorities or CERTs including the security and law enforcement services, including highly classified information, personal information and sensitive information relating to cyber incidents and reports
  • technical Metadata, for example IP addresses, usage data on software, systems and the internet
  • publicly available information, for example information collated from public reports and data feeds, which may include information on individuals
  • preferences, for example dietary requirements, opinions or views
  • voluntary Information, for example unsolicited information you may provide to us when you engage with us

How we use the information about you

We need to collect and hold information about you, in order to carry out the public functions of the Cyber Emergency Response Centre. Our legal basis for processing personal data in most cases is that it is necessary for the exercise of CERT's function as a public authority or as conferred upon CERT under an enactment.

We have set out in further detail below why we use your personal data in each instance.

 

Data Collected:
Used for:Legal Basis
contact details, organisation, incident details, cyber risk data, technical metadata, publicly available information, voluntary information

To identify the risk of, respond to, and remediate an actual or potential cyber security vulnerability, event or incident.

Allow the statistical analysis of data so we can amend and adapt our policies and procedures and plan the provision of future services.

 

 

Public functions: The processing is necessary for the exercise of any function of Crown, the States or any public authority (Data Protection (Jersey) Law 2018, Schedule 2, paragraph 4b)
contact details, organisation details, incident details,voluntary informationCarry out the service you have requested, and to monitor and improve our performance in responding to your service requestsPublic functions: The processing is necessary for the exercise of any function of Crown, the States or any public authority (Data Protection (Jersey) Law 2018, Schedule 2, paragraph 4b)
contact details, incident details, cyber risk data, technical metadata, publicly available information, voluntary information

For crime prevention and national security purposes.

 

Where necessary, to prevent any unlawful act or detection of crime in the public interest (Schedule 2, paragraph 19a, b)
contact details, incident details, cyber risk data, technical metadata, publicly available information, voluntary information

To maintain awareness of cyber threats, and to share and communicate this information with other national cyber bodies, CERTs, law enforcement and the security services and to maintain an understanding of the Island's ability to prevent, detect, respond to and recover from cyber security incidents.

 

Assist us in fulfilling our safeguarding obligations and protect individuals from harm or injury.

 

Public functions: The processing is necessary for the exercise of any function of Crown, the States or any public authority (Data Protection (Jersey) Law 2018, Schedule 2, paragraph 4b)
contact details, preferencesTailor events to meet your dietary requirements 
contact details, organisation details, preferences

Keep you informed about developments in cyber security, our services and events, and where appropriate information on third party events

Consent

Data sharing

We may need to pass your information to other Government of Jersey Departments or organisations (for example, law enforcement agencies, national security bodies, and cyber response teams) for the purposes stated above.

We have set out, in the table below, the organisations we most frequently need to share personal data with. We may disclose information to other public authorities where it is necessary, either to comply with a legal obligation, or where required under other legislation. Examples of this include, but are not limited to: where the disclosure is necessary for the purposes of the prevention or detection of crime; for national security purposes; for the purposes of meeting statutory obligations; or to prevent risk of harm to an individual, for example.

We may need to share the information you provide to us with other public authorities in order to fulfil your request for a service. This information may contain personal data and if it does the legal basis for us processing the data will, in most cases, for the public function in line with CERT.JE mission to prepare, protect and defend the island against cyber threats. Further details on the legal basis we rely on is set out below. 

In some instances, this data sharing may require us to transfer your personal data outside Jersey, however, we shall only do this with the necessary safeguards in place and where it is lawful because it is necessary and proportionate for the proper discharge of our statutory functions.

Purpose for useData usedLegal Basis
National Security AgenciesAll data collected and mentioned above can be used
​ ​

1. necessary for the exercise of any function of CERT as a public authority

2. necessary to protect the vital interests of the data subject

3. carried out in the public interest or is in the exercise of official authority

​ ​
Law Enforcement and Crime Prevention Agencies
Cyber Emergency Response Teams and other National or International Cyber Authorities

Your personal data may be processed on our behalf by certain third parties who provide service to us, so that they can provide those services. We have strict contracts in place with these service providers to ensure they process your data only on our instructions and with appropriate security in place. The categories of third parties who may receive your personal data in order to provide us with a service are:

  • email and data storage providers such as Microsoft and HubSpot
  • IT support or security service providers such as Prosperity 24/7
  • automated email providers such as DotDigital and Revue
  • online survey providers such as SmartSurvey

At no time will your information be passed to organisations for marketing or sales purposes or for any commercial use without your prior express consent.

Publication of your information

We may need to publish your information on our website for the following reasons:

  • where we are required by law to publicise certain information (although we will keep any personal data published to a minimum and anonymise the data where possible)
  • in the interests of demonstrating a fair and transparent decision-making process, although your data will be anonymised to protect your identity
  • where we are required to provide statistical information about a group of people; although your data will be anonymised to protect your identity
  • where you have responded to a consultation, although your comments will be anonymised to protect your identity where the contribution is made in a private capacity. If it is from a person on behalf of an organisation views and connection with the organisation may be attributed
  • where you have contributed content to the website

We will not publish any of your special category data unless there is a requirement for us to do so in order to carry out our statutory functions.

How long we store the information about you

We will keep your information accurate and up to date and not keep it for longer than is necessary. In some instances, the law sets the length of time information has to be kept. Please ask to see our retention schedule for more detail about how long we retain your information.

Cookies and the CERT.JE Website 

The CERT.JE webpage does not use cookies. If this should change in the future, a link to our Cookie Policy will be available here.

Your rights

See the Government of Jersey website for details of your rights under the Data Protection Law and how to exercise them.

Complaints

If you have an enquiry or concern regarding CERT processing your personal data you can contact the Central Data Protection Unit.

If you believe that CERT has contravened the Data Protection Law and the contravention affects your data protection rights, you have the right to make a complaint at any time to the Jersey Office of the Information Commissioner (JOIC).

We would, however, appreciate the chance to deal with your concerns before you approach the JOIC, so please contact us in the first instance.

Changes to this policy

We may, at any time, revise this privacy statement without notice so you should check it regularly. The most updated Privacy Notice will be available on the Cyber Emergency Response Centre's website or available upon request.


Back to top
rating button