Information governance policies (FOI)
Produced by the Freedom of Information office
Authored by States of Jersey and published on 29 March 2016.
Can you please provide me with copies of your Information Governance policies, specifically those policies that concern:
Data retention and archiving;
Data governance (structure, roles and responsibilities); data management; data protection confidentiality (including how sensitive data such as salary, bonus levels if applicable, health records, disciplinary data etc is handled and controlled).
I am also interested in understanding how personal identification data is defined for staff, ex-staff and the general public, and the access and change controls which exist around this data from the perspective of the systems and applications which store and display this information.
Are there any policies governing technical staff who may have access to sensitive data such as salary information when performing their roles - for example, do they sign non-disclosure agreements?
Staff across the organisation who are handling confidential information are viewed as technical staff and so are subject to specific controls as detailed below for specific areas.
All public sector employees sign the Acceptable Use Policy and extract from the Official Secrets (Jersey) Law 1952 when joining the organisation. Some technical roles which include access to sensitive personal data or other restricted information also require a greater level of authorisation, including a non-disclosure agreement.
Anyone coming into contact with Tax Payer Data in order to perform their duties must be an employee of the States of Jersey (not a contractor, temp, return to work) and they must swear the Oath of Office in the Royal Court. Anyone who does not require access to that data to perform their job but might have access to it (e.g. IT Staff, SQL Administrators etc.) is required to sign the Official Secrets Law (for which they must be over 18 for it to be valid) and must undergo induction training on the Taxes Office Information Security Management System and be aware of their obligations under Data Protection and Computer Misuse laws. All staff with access to International Tax data (or systems) are additionally required to have a criminal background check.
Those that access Social Security Department systems also have to attend the Royal Court and swear not to divulge information they saw as part of this role.
Non-police disclosure checks are required for staff accessing Police data, for example the Official Analysts data.
Customs and Immigration carry out additional security checks at varying levels depending on the access a person would have.
We are in the process of establishing and implementing an integrated Data Governance and Data Management framework (structure, roles and responsibilities, processes, and procedures) for the eGovernment programme. Some of these practices and activities exist within the SoJ and its administrations but not yet as a formal comprehensive business function.
Download Corporate Records Management Policy (79 KB)
Download Guidelines for the Transfer of Physical Material to the Jersey Archive (23 KB)
Download Guidelines for the Transfer of Digital Material to the Jersey Archive (26 KB)
Download Public Records (Jersey) Law 2002 (389 KB)
Download Jersey Archive Digital Preservation Policy (60 KB)
Download Secure Storage Requirements (80 KB)
Download Draft Email Records Management Policy (79 KB)
Download Email Good Practice Guide (87 KB)
Download Acceptable Use Policy (152 KB)
Download Draft Information Classification Policy (164 KB)
Download ESG Approval Procedure for Online Security Form, Redacted Names (782 KB)
Download Data Protection and Caldicott Principles Policy (92 KB)
Download Official Secrets (Jersey) Law 1952 Declaration (1 MB)
Download Non-disclosure form (86 KB)
Download Data Protection (Jersey) Law 2005 (664 KB)