Government of Jersey (gov.je)


Data Protection (Jersey) Law 201-: Lodging

A formal published “Ministerial Decision” is required as a record of the decision of a Minister (or an Assistant Minister where they have delegated authority) as they exercise their responsibilities and powers.

Ministers are elected by the States Assembly and have legal responsibilities and powers as “corporation sole” under the States of Jersey Law 2005 by virtue of their office and in their areas of responsibility, including entering into agreements, and under any legislation conferring on them powers.

An accurate record of “Ministerial Decisions” is vital to effective governance, including:

  • demonstrating that good governance, and clear lines of accountability and authority, are in place around decision-making – including the reasons and basis on which a decision is made, and the action required to implement a decision

  • providing a record of decisions and actions that will be available for examination by States Members, and Panels and Committees of the States Assembly; the public, organisations, and the media; and as a historical record and point of reference for the conduct of public affairs

Ministers are individually accountable to the States Assembly, including for the actions of the departments and agencies which discharge their responsibilities.

The Freedom of Information (Jersey) Law 2011 is used as a guide when determining what information is to be published. While there is a presumption toward publication in support of transparency and accountability, detailed information may not be published if, for example, it would constitute a breach of data protection, or disclosure would prejudice commercial interest.

A decision made on 30 November 2017:

Decision Reference: MD-C-2017-0146

Decision Summary Title: Data Protection (Jersey) Law 201-

Date of Decision Summary: 30th November 2017

Decision Summary Author: Director of Digital and Telecoms Policy

Decision Summary: Public or Exempt? Public

Type of Report: Oral or Written? Written

Person Giving Oral Report: N/A

Written Report Title: Data Protection (Jersey) Law 201-

Date of Written Report: 30th November 2017

Written Report Author: Director of Digital and Telecoms Policy

Written Report: Public or Exempt? Public

Subject:  Data Protection (Jersey) Law 201-

Decision(s):  The Assistant Chief Minister, acting in accordance with indications of the Council of Ministers, and as the responsible Minister, approved the draft Data Protection (Jersey) Law 201- and accompanying Report and asked that the projet be lodged au Greffe for debate by the States Assembly on 16th January 2018. The Assistant Chief Minister also signed the Statement of Compatibility confirming that the provisions of the Law were compatible with the European Convention on Human Rights.

Reason(s) for Decision: The current data protection regime in Jersey received an ‘adequacy’ decision from the EU Commission in 2008, meaning that the Data Protection (Jersey) Law 2005 is judged to provide a level of protection essentially equivalent to that of the European Union (‘EU’), and that data may therefore flow freely between the Island and EU member states.

 

The Government of Jersey has committed to renewing the ‘adequacy’ decision under a new European data protection regime. It has undertaken to meet the requirements of the EU General Data Protection Regulation (‘the GDPR’) and EU Law Enforcement Directive on the protection of personal information processed for the purposes of policing and public protection (the ‘Directive’).

 

Following extensive consultation, the draft Data Protection (Jersey) Law 201- is proposed to ensure continued adequacy. The draft Data Protection (Jersey) Law 201- bolsters the rights of the individual in relation to their personal data in the same areas as the GDPR and the Directive. (In parallel, the Data Protection Authority (Jersey) Law 201- has been lodged. It creates a new data protection authority that will be fit for purpose to regulate the new data protection regime.)

 

This Ministerial Decision and accompanying Report relates to the draft Data Protection (Jersey) Law 201-.

Resource Implications: There are no resource implications for the Data Protection (Jersey) Law 201-.

Action required: To ask the Greffier of the States to lodge the Law and Report ‘au Greffe’ for debate by the States Assembly on 16th January 2018.

Signature: Senator P.F. Routier M.B.E.

Position: Assistant Chief Minister

Date Signed:

Date of Decision:

 

DATA PROTECTION (JERSEY) LAW 201-

REPORT

Introduction

 

We live and work in a digitally connected society, where the Internet has become a feature of everyday life and where businesses and consumers rely on the ability to share and access personal data online, with confidence and clarity.

 

The protection of this personal data is essential for the protection of our human rights, particularly those accorded by Article 8 of the European Convention on Human Rights (i.e. the rights to private and family life, home and correspondence).

 

Personal data is the lifeblood of the financial services industry in particular, and as the digital economy develops and the use of online technology becomes ubiquitous, it is important that Jersey continues to provide a safe environment for processing data, with clear and robust data protection legislation that is monitored and enforced by an effective regulator.

Background and Policy

The Current Data Protection Regime in Jersey

 

Jersey currently has a well-established data protection regime. The Island enacted its first data protection legislation in 1987 and has therefore long considered the need to provide robust assurances for personal data.

 

The Office of the Information Commissioner implements, and ensures compliance with, the current legislation, the Data Protection (Jersey) Law 2005 (the “2005 Law”). This piece of legislation was aligned with the relevant UK and EU laws, and the EU Commission issued a decision that the Island provides ‘adequate’ protection for personal data.  This means that personal information can be shared freely between the EU and Jersey. This is important for all business sectors in Jersey. 

 

The European context

 

The outgoing EU data protection regime (based on Directive 95/46/EC – the “Directive”) was introduced at a time when the Internet was in its infancy, and prior to the widespread adoption of email and social media, or the rise of cloud computing or big data analytics. Further, in implementing the Directive, different EU member states have applied differing approaches, resulting in disparity between the various compliance regimes across Europe.

 

Given this disparity, the extent to which technologies have developed, and the ways in which people and businesses communicate and share information have changed, the EU has enacted two new pieces of legislation to modernise, standardise and increase the level of protection for personal data across the EU. The GDPR replaces the Directive for most purposes. In addition, the EU has enacted the Law Enforcement Directive (the ‘LED’), which is concerned with the protection of personal information processed for the purposes of policing and public protection.

 

To retain adequacy with the GDPR and assure adequacy with the LED, Jersey now has to introduce new data protection legislation that will provide ‘essentially equivalent’ protection to the GDPR and LED.

 

Jersey will also have to provide for an effective independent data protection supervisory body and cooperation mechanisms with European data protection authorities, as well as provide data subjects with effective and enforceable rights and administrative redress for breaches of those rights. This is provided for by the draft Data Protection Authority (Jersey) Law 201- which has been lodged in parallel with this draft Law.

 

Engagement with the European Commission indicates that Jersey’s adequacy decision will be ‘grandfathered’ (i.e. it will continue in effect) until the jurisdiction is reassessed (probably in 2020). However, putting new legislation in place for May 2018 remains a matter of urgency as it reduces the risk of challenges to Jersey’s existing status.  Failure to secure continued adequacy with the EU would likely have detrimental economic consequences, particularly to the financial services sector, which relies heavily on the unrestricted flow of personal data to and from EU member states (and elsewhere relating to EU citizens).  Failure to update our data protection regime would also result in people in Jersey being afforded a lower standard of individual rights in respect of data than their European counterparts.

 

A summary of the most important changes introduced by the GDPR and LED

 

A brief summary of the most important requirements introduced by the GDPR is set out below.

 

In terms of new requirements, businesses and organisations processing personal data will be required to:

 

  1. provide better and more information about how they process personal data in a clearer and more accessible way;
  2. evidence that they design and build new services and products from the earliest stage of development in a way that protects ‘privacy by design’ and default;
  3. notify the local independent ‘supervisory authority’ of any data breach within 72 hours where that is feasible and notify the individuals concerned without undue further delay;
  4. appoint a Data Protection Officer who will be responsible for ensuring compliance with the requirements of the GDPR where they conduct ‘large scale’ processing operations or ‘systemic and regular monitoring’ as part of their ‘core activities’; and
  5. demonstrate that where individual consent is used as a basis for processing that consent was freely given, specific, informed and indicated by an affirmative action (e.g. the person must actively tick a box rather than untick one that has been pre-ticked).

 

The GDPR also confers additional rights on individuals including:

 

  1. an enhanced right of access to their personal data;
  2. the right to withdraw consent to the processing of their data in a particular way and the right to erasure (or right to be forgotten as it is often referred to in the press) providing there is no legitimate reason for it to be retained by the data controller; and
  3. a right to require the transfer of their personal data between service providers. This right to “portability”, which promotes competition and removes barriers to entry to markets, is consistent with the principles of Jersey’s Digital Policy Framework.

 

The GDPR provides for the following tougher enforcement mechanisms to protect individuals:

 

  1. the new European Data Protection Board will be responsible for ensuring consistency in enforcement of the GDPR across the EU;
  2. individual Member States will be required to continue to have their own Independent Supervisory Authority, and will need to ensure that it has robust enforcement powers; and
  3. substantial fines; failure to comply with the requirements of the GDPR will leave businesses and organisations liable to much more significant fines. Serious breaches of the GDPR may result in a maximum penalty which is the greater of 20 million Euros or 4% of global annual turnover, or in less serious cases a maximum penalty which is the greater of 10 million Euros or 2% of global annual turnover. (There is flexibility to go for lower fine schemes.)

 

Why this legislation is essential
 

It is clear that new legislation is required if Jersey is to provide essentially equivalent protection for personal data to that set out in the GDPR and LED.

 

On the 20th February 2017, the Assistant Chief Minister made a Ministerial Decision approving instructions to the Law Draftsman to repeal the Data Protection (Jersey) Law 2005 and to prepare new legislation that will replace it and set out the new powers, functions and funding arrangements for the data protection regulator.

 

This Law places privacy obligations on data controllers and processors and rights on data subjects that are equivalent to those imposed by the GDPR and LED.

 

Lodged in parallel with this Law is the Data Protection Authority (Jersey) Law 201- (the “Authority Law”), which establishes and sets out the powers and functions of the new Data Protection Authority (the “Authority”), which will provide robust, effective and independent regulation of the requirements in this Law. The establishment of the Authority is essential to ensuring equivalent protection for personal data to that provided under EU law. The Authority Law reforms the governance and funding arrangements for the regulator to ensure that the Authority has sufficient guarantees of structural independence. It also provides the Authority with powers to investigate breaches of the law and impose effective and dissuasive sanctions for breaches of this draft Law.

 

The primary policy objectives of this Law and the Authority Law are to provide effective protection for personal data and maintain Jersey’s adequacy under the new European regime. Where there is doubt as to whether a particular approach to the drafting would provide equivalent protection to that provided in the EU, the draft legislation closely reflects the GDPR and the LED. However, where there is scope to be flexible with the approach of our legislation in a way that might benefit Jersey, the legislation seeks to do so.

 

Research and consultation

To inform policy development on data protection, the Chief Minister’s Department and Law Officers’ Department conducted considerable analysis.

 

There were two principal work-streams comprised in the research project: one considered what was required for Jersey’s data protection regime to continue to be deemed adequate by the EU Commission, the other assessed what the Island could do above and beyond to gain a competitive advantage. To inform this second work-stream, the Chief Minister’s Department commissioned specialist researchers to review what opportunities there might be in how the Island implemented new data protection legislation. The outcomes of this consultancy have informed the policy development and the law drafting instructions for both pieces of legislation.

 

In developing the policy and drafting the legislation, the government has engaged widely with stakeholders across Jersey and internationally.

 

International Engagement

 

With the assistance of the Channel Islands Brussels Office, the government has engaged with officials from the European Commission to begin the process of renewing the adequacy decision. A pan-Island delegation met with representatives from the Directorate-General for Justice in February 2017. This was well-received by the Commission, which was positive about Jersey’s data protection regime and approach to the new legislation and was supportive of the Island’s commitment to continued adequacy.

 

The Government of Jersey has also engaged with other third countries that are currently considered adequate by the European Commission and are updating their legislation to ensure continued adequacy.  There has been positive dialogue with New Zealand and Canada where officers have sought to share best practice.

 

Throughout the process the Government of Jersey has engaged closely with the UK. Whilst it is still a member of the EU, the UK will be implementing the GDPR as an EU Member State. The UK Government introduced a draft Data Protection Bill to the House of Lords in September 2017, to address aspects of the GDPR where it has scope to derogate and to implement the LED. The UK has indicated that it intends to maintain parity with EU data protection standards after Brexit and that it will be looking to ensure that data can continue to flow freely between the EU and UK after Brexit, which may be achieved through seeking an adequacy decision like Jersey’s.

Local Stakeholder Engagement

During the process there has been close engagement with stakeholders. Clear policy and drafting guidelines were set out in early conversations and have been adhered to. These guidelines were welcomed by industry.

The business community has been supportive of Jersey’s policy goals. It recognises the critical importance for businesses in Jersey of maintaining the ‘adequacy’ decision from the EU Commission as this enables the free flow of data to and from the Island from residents of EU member states.

A programme of industry engagement has been conducted, including a series of roundtables and workshops, news releases and industry updates. There have been regular updates to key stakeholder groups including the Jersey Financial Services Commission, Jersey Finance, Digital Jersey and Jersey Business.  

The draft Law and the Authority Law were reviewed by an expert stakeholder group with representatives from the financial services sector, legal services, the digital economy and public bodies in August and September 2017. There were eighteen written and two verbal submissions to this expert consultation. The information gained from these responses was complemented by feedback from around fifty participants at two stakeholder events in October 2017 and a submission from the Office of the Information Commissioner. The consultation feedback was constructive, often focussing on highly technical elements, and has helped improve the legislation.  A key theme of the feedback was to ensure data controllers and processors have clarity as to what is required. Another theme was that government should, where possible, avoid gold-plating the new EU regime by placing any additional burdens on business through our own legislation.

Also of critical importance was the protection of Jersey citizens and their personal and sensitive data. Through this legislation Jersey residents will be as well protected as EU citizens.

 

Data Protection (Jersey) Law 201-

The draft Law has been drafted to ensure Jersey legislation offers an equivalent level of protection to the GDPR and LED. In doing so, it confers new duties on data controllers and processors and bolsters the rights of individuals in relation to their personal data. Some of the key elements of the new legislation are:

 

Accountability

Going forward, controllers and processors will be required to be more accountable for the ways in which they process personal data, including by preparing records of their processing activities and implementing appropriate technical and organisational measures to comply with the draft Law. Controllers will in particular be required to consider data protection standards when developing new systems and carry out data protection impact assessments, ensuring they protect data subjects’ rights. Data controllers must also ensure that personal data is only processed to the extent necessary for the purposes for which it is processed.

 

Consent

The rules for obtaining consent to process data have been strengthened. Consent must be specific, auditable and the request must be in a clear and accessible form. Consent must also be as easy to withdraw as it is to give.

 

Children

 

The draft Law introduces the age of 13 as the digital age of consent at which children may give effective consent to the processing of their data by online services, such as social media sites including Twitter or Facebook.  Below that age valid consent to the processing of a child’s data may be given by a parent or guardian on the child’s behalf.

 

There is no universal standard on what age precisely constitutes the digital age of consent. The GDPR allows EU Member States to set their own digital age of consent within a window from 13 years of age to 16.

 

The United Kingdom, Ireland, the United States and many European countries have set their digital age of consent at 13.  The age of 13 is viewed as appropriately balancing the right and need to participate online with ensuring appropriate parental protection.

 

For these reasons, the legislation establishes a digital age of consent of 13 years of age.

 

Processors

A difference between the 1995 Directive and the GDPR is that the former placed direct compliance obligations only on data controllers whereas the latter applies to the processing of personal data by a controller or a processor that falls within the scope of the GDPR. Data processors therefore have to abide by new compliance obligations providing equivalent protection to the GDPR and LED.

 

Breach notification

In the event of a data breach the Authority must be informed within 72 hours and any relevant affected individuals informed as soon as possible. Data processors must inform their customers, the data controllers, of any data breach they become aware of without undue delay.

 

Right of Access

Data subjects can obtain from data controllers confirmation as to whether or not personal data is being processed, where and for what purpose. The controller must provide a copy of the personal data, free of charge, in an electronic format.

 

Right to be forgotten

A data subject is entitled to have the data controller erase his or her personal data and cease further dissemination.

 

Data portability

A data subject has the right to receive personal data concerning them and transmit this to another controller.

 

The effect of each Part of the Data Protection (Jersey) Law 201- is briefly summarised below:

 

Part 1 - Introductory

 

Key definitions are found in Part 1. Definitions form the building blocks of the GDPR, the LED and the previous Jersey legislation. Where appropriate, definitions have remained unchanged from the 2005 Law to allow businesses and public bodies to build upon existing compliance structure and staff training. However, for Jersey to retain its adequacy decision it is essential that the Jersey legislation adheres closely to the GDPR and LED including in reflecting changes that have been made to these definitions compared to the 1995 Directive.  Given this, where necessary, the definitions in the draft Law have an equivalent effect to the definitions used in the GDPR (and where relevant the LED). 

 

As well as harmonising rules inside the EU, the GDPR also claims extraterritorial effect over the processing of personal data taking place outside of the EU. In terms of application, the draft Law claims a wide territorial jurisdiction similar to that claimed by the GDPR. This is in order to provide equivalent protection to Jersey residents who would not be data subjects in the EU.

 

Part 2 - Fundamental Duties of Controllers

 

Part 2 of the draft Law sets out the fundamental obligations for data controllers. They include their obligation to comply with the Data Protection Principles, the obligation to ensure appropriate safeguards for the rights of data subjects are put in place by design and default, record keeping obligations, the obligation to report a data breach in the manner required by the Law, the obligation to appoint a data protection officer, the obligation to pay the appropriate charges to the Authority, the obligation to co-operate with any requests of the Authority under this Law or the Authority Law and to comply with any order of the Authority under the Law or the Authority Law.

 

Article 8 in Part 2 sets out the data protection principles, as it is the responsibility of the controller to ensure that the processing of personal data complies with the data protection principles, namely that data are:

 

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
  2. collected for specified, explicit and legitimate purposes and, once collected, not further processed in a manner incompatible with those purposes (“purpose limitation”);
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
  4. accurate and, where necessary, kept up to date. Reasonable steps are taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
  5. kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed (“storage limitation”); and
  6. processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

 

The position of joint data controllers changes under the draft Law as joint data controllers are all liable to the data subject unless they prove they had no responsibility for damage.

 

Part 3 - Other Duties of Controllers

 

This Part sets out the other duties of controllers. Some of the key changes to the previous legislation are:

 

  • The introduction of the concept of data protection by design and default.

 

This reflects the requirement under the GDPR that data protection principles and appropriate safeguards should be taken into account in both the planning phase of any processing activities and the implementation phase of any new product or service. For example, the controller must implement appropriate security measures for any data processed and give effect to the rights of data subjects. In reality, this means that controllers should consider the entire life-cycle of the relevant processing activities and plan for foreseeable uses of the new technology, product or service that may affect the data protection rights of data subjects.

 

  • The requirement for Data Protection Impact Assessments for high risk processing.


The GDPR introduces the need for controllers to prepare Data Protection Impact Assessments for high risk processing. The main objectives of these are to assess the privacy risks to individuals related to a proposed data processing activity and to identify measures to assess these risks and demonstrate compliance with the Law. If a Data Protection Impact Assessment indicates that the processing is too high risk and that this risk cannot be mitigated then the controller will be required to consult the Supervising Authority. In practice, Data Protection Impact Assessments provide a tangible tool to which a controller can point to demonstrate that it takes the privacy concerns of data subjects seriously and that it has taken steps to appropriately address these concerns. The draft Law gives some more guidance to controllers as to the circumstances in which they will be required to undertake a Data Protection Impact Assessment and also requires the Authority to publish Codes of Practice.
 

  • The need for prior consultation for high risk processing.                                    

    
The draft Law requires that where a data protection impact assessment indicates that any processing would pose a substantial risk to the significant interests of data subjects (which hasn’t been mitigated by the controller) the controller must consult the Authority before commencing the processing. The draft Law sets out the manner in which the controller must do this and also the process the Authority must follow (and the timescale it needs to keep to) if it is of the opinion that the proposed processing would be in breach of provisions of the new Law.
 

  • The requirement for prior consultation for high risk legislation.


The GDPR requires Member States to consult their supervisory authority during the preparation of a proposal for new legislation to be adopted by the national parliament, or on a regulatory measure based on such a legislative measure, which is related to processing. This is very wide and while fulfilling the need to give equivalent protection to the GDPR, the draft Law adopts a practical approach to this provision. Article 18 provides that consultation is required only where a proposed law or secondary legislation, or an Act that would be extended, is likely, taking into account the nature, scope, context and purposes of the processing, to result in a high risk to the rights and freedoms of natural persons. The approach taken is designed to reinforce the approach to Data Protection Impact Assessments and ensure that the Authority is not needlessly consulted on a wide range of low risk processing arrangements.
  

  • Breach reporting.

 

One of the high-profile obligations introduced by the GDPR is the need for controllers to report a breach to the Authority and, in certain cases, affected data subjects. This assists the Authority in performing its supervising functions and enables affected data subjects to take measures to mitigate any risks associated with the breach (e.g. cancel credit cards). In practice, they are likely to motivate controllers to implement robust security measures to minimise the risk of data breaches and the associated reputational harm.

 

These requirements reflect the requirements of the GDPR and are necessary for continued adequacy.

 

Part 4 - Joint Security Duty and Duties of Processors

 

The draft Law, like the GDPR and LED, places obligations on controllers and processors to take proportionate organisational and technical measures to ensure that personal data is kept securely. Such measures may include the adoption of appropriate policies for staff and the deployment of appropriate software to protect against ‘malware’.

 

Importantly, the draft Law also introduces new obligations on data processors. A data processor is any entity that processes personal data under the controller’s instructions. (For example, many cloud service providers are processors.) This is a key difference from the 2005 Law.

 

The change stems from the change in the European approach. Unlike the 1995 Directive which generally placed direct compliance objectives on controllers and asked them to flow these to processors through contractual obligations, the GDPR imposes direct compliance obligations on processors as well as controllers. It also enables enforcement action to be taken against them by the supervisory authorities and for fines, penalties and compensation claims to be imposed or made for failure to satisfy those requirements.  The GDPR also explicitly states that a processor will be considered a joint controller in the event that it processes personal data other than in accordance with the instructions of the controller. This has also been reflected in the draft Law. 

 

Part 5 - Data Protection Officers

 

To offer equivalent protection to the GDPR, Article 24 of the draft Law sets out the circumstances under which a controller or processor must appoint a Data Protection Officer (a “DPO”). A DPO must be appointed when:

 

  • processing is carried out by a public authority (except for the courts acting in their judicial capacity);
  • the core activities involve systemic monitoring on a large scale;
  • its core activities involve large scale processing of sensitive data; or
  • it is required by the relevant law.

 

To offer greater clarity and to avoid placing an insupportable burden on businesses, the draft Law also sets out the circumstances where a single DPO might be appointed for a group of undertakings or several public authorities. It also makes it clear that the DPO must operate independently and report to the highest management of the business. Articles 25 and 26 give clear detail on the position and duties of the DPO.

Part 6 – Rights of Data Subjects

 

One of the main effects of the GDPR is to confer greater rights on data subjects. These rights are broad in the GDPR, with Article 23 of the GDPR providing Member States with extensive latitude to place restrictions on these rights where that is necessary for a number of purposes. Many of these rights are already provided for in the Data Protection (Jersey) Law 2005 and the draft Law draws on these where possible to give continuity to data subjects, controllers and processors. In effect, the draft Law greatly strengthens the rights of data subjects (to reflect the scale of data currently being used and the potential impact of inappropriate processing) while balancing this with the need for businesses and organisations to be able to process data under appropriate circumstances.

 

Under the new Law, data subjects are entitled:

 

  • to receive certain minimum information from the controller about the processing of their data and a copy of the data itself (the ‘right of access’);
  • to have their personal data erased without undue delay under certain circumstances (known colloquially as the ‘right to be forgotten’);
  • to the rectification of inaccurate personal data concerning him or her or to have incomplete personal data completed;
  • to have their personal data erased under certain circumstances, including where the personal data are no longer necessary or when they have withdrawn consent and there is no other legal ground for processing (known colloquially as the ‘right to be forgotten’);
  • to obtain from the controller restriction of processing where specific circumstances apply;
  • to have the ‘right to data portability’, in other words to receive personal data concerning them in a structured, commonly used and machine-readable format (this is to assist with ‘switching’ controller);
  • to object to processing; and
  • not to be subject to a decision based solely on automated processing when it has a legal effect or other significant effect on the data subject.

 

Part 7 – Exemptions

 

Jersey has some flexibility to adopt exceptions in our legislation both from the rights of data subjects and from the obligations of data controllers and processors.  The approach taken seeks, where possible, to replicate the existing exemptions in the current domestic legislation, for example in maintaining broadly the same approach to academic, journalistic, literary and artistic material. The status quo is also broadly maintained for national security which continues to be generally exempt from the requirements of the new Law in most cases.

 

The draft Law includes an exemption from the transparency and subject rights provision to the extent required to avoid an infringement of the privileges of the States Assembly. The United Kingdom has a similar exemption in its draft data protection legislation to avoid infringement on the privileges of the Houses of Parliament.

 

A certificate signed by the Greffier of the States to that effect is evidence of the fact that an exemption is required. The decision of the Royal Court is final in relation to any appeal submitted in relation to the Greffier’s decision. The Jersey exemption mirrors similar provisions in the Freedom of Information (Jersey) Law 2011.

 

The draft Law also brings forward the existing Trusts exemption which is crucial for Jersey’s financial services sector.

 

Part 8 – Cross-Border Data Transfers

 

The draft Law puts in place equivalent restrictions to those in the EU with regard to the transfer of personal data to third countries outside the EU.

 

International cooperation is an important tenet of international data protection regulation. The GDPR obliges the European Commission and Supervisory Authorities to take appropriate steps to develop international co-operation mechanisms to facilitate effective enforcement of legislation for the protection of personal data, including by providing for mutual assistance with enforcement.

 

Given the uncertainty as to the types of international cooperation mechanisms that might be required in the future, the draft Law and the draft Authority Law provide Regulation-making powers to enable appropriate provision to be made in the future.

 

Part 9 – Remedies and Enforcement

 

The draft Law and the draft Authority Law give data subjects, controllers and processors rights to bring complaints and seek judicial remedies.  There is a right of appeal against the regulator’s decisions in respect of complaints and notices or determinations provided for in the Authority Law. This right to appeal does not extend to the exercise of the regulator’s advisory functions.

 

The offences the draft Law brings forward are:

 

  • the offence of unlawfully obtaining personal data in Article 71 of the draft Law (previously set out in Article 55 of the 2005 Law);
  • the offence of requiring a person to produce certain records in Article 72 of the draft Law (previously set out in Article 56 of the 2005 Law);
  • the offence of providing false information set out in Article 73 of the draft Law (previously set out in Article 60 of the 2005 Law); and
  • the offence of providing obstruction set out in Article 74 of the draft Law (previously set out in paragraph 13 of Schedule 9 to the 2005 Law, but now expanded to capture failure to comply with an information notice).

 

Under the draft Law most offences are punishable with a fine, except where expressly provided. 

 

Part 10 – Miscellaneous

 

This includes a number of regulation-making powers to ensure the Law remains future-proofed.

 

Article 83 enables the States to prescribe by Regulations when information can be disclosed to improve public service delivery.

Data is a vital asset for enabling efficient government. The effective and secure use of data can enable the making of better policy and delivery of more responsive public services. For example, front-line staff can use data to ensure that people get the right support to meet their needs.

There are numerous examples where appropriate data sharing could improve outcomes for customers. These include, but are not limited to:

  • data analytics for performance monitoring;
  • data analytics for policy development;
  • data mining to determine eligibility for benefits and services;
  • data matching to identify benefit fraudsters and non-compliant tax cases;
  • data matching to identify potentially at-risk school aged children who are in the island but not attending school;
  • personal and business customer Tell Us Once services;
  • sharing data with the Parishes and third parties (e.g. GPs); and
  • making anonymised publishable data available, enabling third parties to design solutions for Islanders.

 

Article 84 of the draft Law enables Regulations to constitute an Information Board to oversee, co-ordinate and develop a clear framework for the sharing of data across government.  

The Information Board will comprise senior figures from several departments. It will set the agenda for effective data sharing and ensure that the organisation meets legal requirements for privacy and security.

Initiatives that the Information Board could pursue may include the following:

  • encouraging public authorities to focus on data sharing and security;
  • promoting the ability of customers to see, amend and control data held by public authorities;
  • acting as the liaison between public authorities and the Information Commissioner; and
  • ensuring that departments, parishes and other public authorities use common/enterprise data assets.

 

The Information Board will also promote principles for using data across the organisation. These may include:

  • applying the citizen-first approach;
  • minimising bureaucracy and enabling efficiency across departments;
  • balancing operational efficiency with data privacy requirements;
  • following the principles of Tell Us Once;
  • protecting data, recognising that it is a vital asset;
  • using data proactively (e.g. eligibility for benefits or ability to detect and pursue fraud) rather than waiting for an application;
  • ensuring audit functionality and compliance; and
  • promoting Information Governance with a view to taking on more responsibility in the future.

 

Schedule 1

 

Schedule 1 modifies the application of the Law where the processing of personal data is carried out by a controller that is a competent authority for a law enforcement purpose.

The draft Law defines a competent authority as one which processes personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

A list of competent authorities is included in Schedule 1.

 

Collective responsibility under Standing Order 21 (3A)

 

The Council of Ministers has a single policy position on this proposition, and as such, all Ministers, the Assistant Chief Minister acting as rapporteur and the Assistant Minister for eGov and Digital Jersey, are bound by the principle of collective responsibility to support the proposition, as outlined in the Code of Conduct and Practice for Ministers and Assistant Ministers (R.11/2015 refers).

 

Statement of financial implications

There are no financial implications for the Data Protection (Jersey) Law 201-.

Departments and other administrations of the States that fall under the remit of the Data Protection (Jersey) Law 201- will be required to meet the enhanced levels of regulation in the same way that private sector businesses will. It is expected, however, that any additional resource requirements, over and above that needed under the existing Law, will be met from existing budgets.

Timetable for implementation

 

The government aims to enact the legislation at the same time as the new EU framework comes into force. This will provide certainty and consistency for citizens, businesses and public authorities. Given the relationship between the draft Law and the draft Authority Law, the government needs to enact both pieces of legislation to the same timetable.

 

Proposed timetable:

  • December 2017 – Legislation lodged for debate by the States Assembly
  • January 2018 – Legislation debated by the States Assembly
  • February 2018 – Legislation sent for Royal Assent
  • 25 May 2018 – Legislation comes into force
