Request
A
Can you tell me if any data from States Department systems sent out of Jersey as part of the maintenance or the running of these systems by off island providers?
B
If so to which countries is data sent and in respect of what systems?
C
Have there been any data breaches in the last four years?
D
What is done to ensure Jersey citizen's personal or sensitive data sent off island is protected?
E
Have all transfers of data or access from off island been approved by the relevant Minister?
Response
A
The States of Jersey can confirm that it has engaged with a number of off-island data processors who maintain systems on our behalf.
B
The number of data processing agreements is estimated to be several hundred spread across all Ministries. We estimate that to locate, retrieve and extract the required information from each contract would exceed the 12½ hour limit provided for by Article 16 of the Freedom of Information(Jersey) Law 2011 and associated Regulations (Freedom of Information (Costs) Regulations 2014), and this part of the request is therefore refused.
A project is already underway to collate all data contracts into a single central register, which when complete, should make this information more easily available in the future.
C
In responding to this question, it has been assumed that the applicant is asking for details of data breaches relating to the export of personal data.
An instance occurred in December 2016 with an ISO 27001-approved secure data processor in a third country, which maintains and supports Jersey driving licence and vehicle registration databases.
Under the standard procedure, data is sent in a pseudonymized format (ie in a way that cannot be attributed to a specific individual). On this occasion, data related to approximately 80,000 driving licences and 125,000 vehicle registrations was exported to the secure data processor without pseudonymization.
This error was quickly identified. Access to our databases by our contractor was immediately suspended, and the personal data was pseudonymized within 12 hours.
There was no loss of personal data, since it was sent to the secure data processor only, and no negative impact on any individual has been identified.
The contract has since been reviewed and a new user access policy has been signed, resulting in increased individual accountability, and a clear instruction that all personal data must be pseudonymized prior to transfer.
The Office of the Information Commissioner was notified shortly after the incident and has been kept updated. Given the swift and appropriate action taken, no sanction has been imposed by the Information Commissioner, and since there was no risk of personal data loss, this was not publicly communicated at the time.
D
The States of Jersey takes the protection of personal data very seriously. As stated above, work is already underway to collate and review all existing data processing arrangements to ensure that they are sufficiently robust to meet the requirements of the Data Protection (Jersey) Law 2018, and this will include a focus on ensuring that suitable safeguards continue when data processors are based off-island.
E
As the number of data processing agreements is estimated to be several hundred, we estimate that to locate, retrieve and extract the required information from each contract would exceed the 12½ hour limit provided for by Article 16 of the Freedom of Information (Jersey) Law 2011 and associated Regulations (Freedom of Information (Costs) Regulations 2014), and this part of the request is therefore refused.
Article applied
Article 16 A scheduled public authority may refuse to supply information if cost excessive
(1) A scheduled public authority that has been requested to supply information may refuse to supply the information if it estimates that the cost of doing so would exceed an amount determined in the manner prescribed by Regulations (Freedom of Information (Costs) Regulations 2014).
