Data Protection Board Minutes (FOI)
Data Protection Board Minutes (FOI)Produced by the Freedom of Information office
Authored by Government of Jersey and published on 23 October 2023.
Prepared internally, no external costs.
Please provide copies of the minutes of all meetings of the Data Protection Board that took place in the period from (and including) 1 June 2022 to (and including) the date of this request. (27 September 2023)
There is no Data Protection Board, so the information requested is not held.
Article 3 of the Freedom of Information (Jersey) Law 2011 applies.
Article 3 - Meaning of “information held by a public authority”
For the purposes of this Law, information is held by a public authority if –
(a) it is held by the authority, otherwise than on behalf of another person; or
(b) it is held by another person on behalf of the authority.
Internal Review Request
I am writing to request that an internal review of the response to the above Freedom of Information request and response to be carried out, without delay.
As you are aware, in accordance with the Office of the Information Commissioner - Code of Practice on the discharge of Scheduled Public Authorities’ functions under the Freedom of Information (Jersey) Law 2011, issued in accordance with Article 44 of the Freedom of Information (Jersey) Law 2011, amongst other things, the review:
- must be a fair, thorough and independent review of the process adopted and decisions taken by the scheduled public authority pursuant to the Freedom of Information (Jersey) Law 2011;
- should enable a fresh decision to be taken on reconsideration of all the factors relevant to the request;
- must be undertaken by someone senior to the original decision maker where this is reasonably practicable; and
- should take into account any further matters raised during the investigation of the complaint.
The request (the "Request"), submitted on 27 September 2023, was as follows: "Please provide copies of the minutes of all meetings of the Data Protection Board that took place in the period from (and including) 1 June 2022 to (and including) the date of this request." (27 September 2023)
The Response, dated 23 October 2023, denies that there is any Data Protection Board, stating: "There is no Data Protection Board, so the information requested is not held."
Copies of the Request and the Response are attached to this email, for ease of reference.
The Response is not consistent with the terms of the "Agreement for the provision of Services DPO as a Service" (Data Protection Services) (the "Calligo Agreement"), between the States of Jersey and Calligo Limited.
The Calligo Agreement is referenced in the response to a previous FOI Request - "List of Agreements between Calligo and Government of Jersey (FOI)".
List of Agreements between Calligo and Government of Jersey (FOI)
The response to that FOI Request confirms that the Calligo Agreement is currently in force, stating that the Calligo Agreement relates to the provision of services from the period 4 December 2021 to 3 December 2024.
A partial copy of the Calligo Agreement was disclosed in response to a separate FOI Request - "Agreement between Calligo and Government of Jersey".
Agreement between Calligo and Government of Jersey (FOI)
Paragraph 4 (Description of Services) of Schedule 1 (Services & Service Levels) of the Calligo Agreement lists certain "General Privacy Tasks” that the Contractor (i.e. Calligo) should provide as part of the services. The General Privacy Tasks include the following: "Data Protection Board: the DPO Service will chair the Data Protection Board on a monthly basis to address and advise on all cross-Government data protection matters" (see paragraph 4.2.3 of the Calligo Agreement, page 55).
Accordingly, it appears from the Calligo Agreement that there should be a Data Protection Board. The Response, which denied that such a Data Protection Board exists, therefore does not seem correct.
It may be that the Data Protection Board in practice operates under a different name. If there is a board or group, involving Calligo, that "meets to address and advise on all cross-Government data protection matters", then (for the purposes of the Request) that should have been considered to be the Data Protection Board (since it would be consistent with how that term is defined in the Calligo Agreement), even if it is not formally named the "Data Protection Board", and any minutes of that board or group produced in response to the Request.
The Internal Review panel is requested to investigate, as part of its overall review of the Response, whether appropriate searches have been carried out to identify whether a Data Protection Board does in fact exist. Further, the Internal Review Panel is requested to consider whether the scheduled public authority has taken an overly narrow and formalistic approach to considering what constitutes the "Data Protection Board", and whether the scheduled public authority has placed too much emphasis or focus on the "label" (i.e. the name) rather than substance of what a board or group is. In considering this, the Internal Review panel is invited to consider, amongst other things, the scheduled public authority's duty to supply advice and assistance (as required by Article 112 of the Freedom of Information (Jersey) Law 2011).
If the scheduled public authority is correct to state that the Data Protection Board does not exist, then that is clearly a matter of public interest (and concern), given that this is one of the services that the States of Jersey is paying Calligo to provide pursuant to the terms of the Calligo Agreement. If contractually agreed services are not being provided in accordance with the terms of a legally binding agreement, this potentially gives rise to concerns about whether that agreement is appropriate and/or the Government of Jersey is receiving the best value for money. It is therefore of importance that the Response is indeed verified as correct.
The independent Internal Review Panel may consider that it is appropriate to ask Calligo to confirm whether they agree that "There is no Data Protection Board" (as stated in the Request) and, if not, for Calligo to identify the Data Protection Board and provide access to the relevant minutes (which, for the avoidance of doubt, should include both formal minutes and informal meeting notes). It is noted that Clause 37 of the Calligo Agreement imposes a number of obligations on Calligo in respect of Freedom of Information, including generally to "assist and cooperate with the Authority (at the Contractor’s expense) to enable the Authority to comply with information disclosure requirements (if necessary)" (see Clause 37.1) and specific obligations to provide the Authority with requested information (see Clause 37.2).
Should the Internal Review Panel believe that any of the above requires clarification, or if there is any other information that the Internal Review Panel believes that it would be helpful for me to provide to assist with its review, please do let me know.
Internal Review Response
This review has been completed by two senior staff members of the Government of Jersey, independent of the original decision-making process.
In accordance with Article 84(1) Data Protection (Jersey) Law 2018 the States have the power to constitute an Information Board to deal with matters relating to Data Protection. To date no Regulations have been brought into force and as such no statutory Information Board under the Data Protection Law has been constituted. The original response reflects this position.
Those involved in preparing the agreement with Calligo would have had the possibility of an Information Board being implemented in mind at the time the agreement was entered into.
However, the clarification given above whereby a body may meet to discuss matters of data protection in practice but which might operate under a different name, has meant this matter has been reconsidered and a search was carried out on this basis.
Two documents have been located, one that more accurately describes the group that met – a ‘Data Protection Forum’ as it consists of the Data Governance Officers. The other document is actually headed as a ‘Data Protection Board’ meeting, despite there being no ‘Board’ as such. On closer inspection it is in fact another meeting of the Forum. These are the only documents that have been identified as a result of the new search.
Data Protection Forum Actions 16.6.22_Redacted.pdf
14.07.2022 Data Protection Board meeting notes_Redacted.pdf
The Panel concluded that the documents attached should have been included in the original response and are therefore content that they should now be released.
These documents have been redacted in accordance with the following articles of the Freedom of Information (Jersey) Law 2011:
Article 25 – Data Protection
Article 35 – Formulation and Development of Policies
Article 42(a) - Law enforcement
Article 25 - Personal information
(1) Information is absolutely exempt information if it constitutes personal data of which the applicant is the data subject as defined in the Data Protection (Jersey) Law 2005.
(2) Information is absolutely exempt information if –
(a) it constitutes personal data of which the applicant is not the data subject as defined in the Data Protection (Jersey) Law 2005; and
(b) its supply to a member of the public would contravene any of the data protection principles, as defined in that Law.
3) In determining for the purposes of this Article whether the lawfulness principle in Article 8(1)(a) of the Data Protection (Jersey) Law 2018 would be contravened by the disclosure of information, paragraph 5(1) of Schedule 2 to that Law (legitimate interests) is to be read as if sub-paragraph (b) (which disapplies the provision where the controller is a public authority) were omitted.
Article 35 - Formulation and development of policies
Information is qualified exempt information if it relates to the formulation or development of any proposed policy by a public authority.
Public Interest Test
The Scheduled Public Authority is withholding the release of certain parts of the information requested as it relates to the formulation and development of Government policy and procedure – in this instance it relates to the development of Data Protection related Policies.
Article 35 is a qualified exemption, which means that a public interest test is required.
The following considerations were taken into account:
Public interest considerations favouring disclosure
- Disclosure of the information would support transparency and promote accountability to the general public, providing confirmation that the necessary discussions have taken place.
- Disclosure to the public fulfils an educative role about the early stages in policy development and illustrates how the department engages with parties for this purpose.
Public interest considerations favouring withholding the information
- In order to best develop policy and provide advice, officials need a safe space in which free and frank discussion can take place – discussion of how documentation is presented and provided is considered as integral to policy development as iterations of documents are demonstrative of the policy development process.
- The need for this safe space is considered at its greatest during the live stages of a policy.
- Release of the information at this stage might generate misinformed debate. This would affect the ability of officials to consider and develop policy away from external pressures.
- Premature disclosure of this information may limit the willingness of parties to provide their honest views and feedback. This would hamper and harm the policy–making process not only in relation to this subject area but in respect of future policy development across wider Departmental business.
Following assessment, the Scheduled Public Authority has concluded that, on balance, the public interest in maintaining the exemption outweighs the public interest in disclosing the information exempted in the attached minutes.
It should also be noted that once a policy is formulated and published, the public interest in withholding information relating to its formulation is diminished, however, the use of the exemption can be supported if it preserves sufficient freedom during the policy formulation phase to explore options without that process being hampered by some expectation of future publication.
Article 42 -Law enforcement
Information is qualified exempt information if its disclosure would, or would be likely to, prejudice –
(a) the prevention, detection or investigation of crime, whether in Jersey or elsewhere;
(b) the apprehension or prosecution of offenders, whether in respect of offences committed in Jersey or elsewhere;
(c) the administration of justice, whether in Jersey or elsewhere;
(d) the assessment or collection of a tax or duty or of an imposition of a similar nature;
(e) the operation of immigration controls, whether in Jersey or elsewhere;
(f) the maintenance of security and good order in prisons or in other institutions where persons are lawfully detained;
(g) the proper supervision or regulation of financial services; or
(h) the exercise, by the Jersey Financial Services Commission, of any function imposed on it by any enactment.
Public Interest Test
It is recognised that there is a public interest in providing information in a transparent manner, however this public interest is not considered to outweigh the interests of the government in preventing cyber-crime. It is considered that the release of this information may increase risks, particularly in view of major cyber-attacks that have occurred in other jurisdictions in recent years.