Today we meet Paul Vane, Jersey’s Information Commissioner, who has just celebrated 20 years in data protection.
Paul started his data protection career in August 2004 when it was the Data Protection Registrar’s office – a government department at the time. The office went through a number of name changes, to today’s Jersey Office of the Information Commissioner (JOIC).
What’s the difference between JOIC and the JDPA?
JOIC is essentially the operating arm of the JDPA (Jersey Data Protection Authority). The JDPA has fining powers and can make public statements.
The relationship between the Commission (JOIC) and the Chair is a really critical one. JOIC is operational, whilst the Authority is about oversight and governance. They hold us (JOIC) to account, making sure our processes and governance structures are robust and correct. We are able to draw from the Authority members’ experience in an advisory capacity.
Do you regulate companies that provide services to Jersey but are not based here, such as Amazon and Google?
Yes we do – our role is extra-territorial, which means that it’s effective against overseas controllers who deliberately monitor and target the behaviour of Jersey citizens. If they are actively targeting Jersey residents to take up their services or products, they are covered by the Jersey law.
Given that the Jersey law is based on GDPR (General Data Protection Regulation, the European Union regulation), we rely on Europe for interpretation of some of it, because it’s hugely complex. For example, what is targeting? What is monitoring? When they refer to ‘monitoring in bulk’, what does that actually mean in practice? The guidance that comes out of Europe is pretty generic, so we have to look at previous cases across Europe and elsewhere to see what the courts have decided. At the moment, we’re only six years into the new regime and there’s not very much case law to rely on.
But in answer to your question, in principle, yes, we do regulate against the big tech companies if they are doing wholesale monitoring and targeting of Jersey citizens.
How has technology advancement impacted the regulation of data protection?
When I started, the Internet was only in its infancy – it was probably not even 10 years old at that stage and now we see advanced analytics, artificial intelligence, facial recognition and automation. Particularly since Covid, we’ve seen a huge increase in not just technology advancement but the speed of development.
One of the things that data protection is very good at is that it’s a framework to work within. So, whilst the landscape might change, the principles remain the same. We’ve just got to adapt the framework for those new technologies.
For example, artificial intelligence. People get very animated about it. They say it’s going to be disruptive and take away people’s jobs, but I don’t see it that way. I see two sides of it:
- It’s an enabler because it’s going to make us more efficient in a lot of respects.
- It’s ‘just another’ type of processing.
AI is an umbrella term that covers all sorts of technologies and each one of those technologies will involve some form of data processing. It’s being able to adapt the principles to the different processing activities; it essentially doesn’t really matter what the mechanism is, the same rules apply.
Elizabeth Denham’s appointment is good news for Jersey – what experience does she bring that will help the team and Jersey?
Elizabeth has been part of the data protection community across the globe for longer than I have and she brings a huge amount of experience and expertise, together with a terrific reputation.
She was the Information Commissioner in British Columbia and then again in the UK and Chair of the Global Privacy Assembly. It’s huge kudos to have her as Chair of the Jersey Authority and I’m delighted to be working with her.
The solid reputation she brings is for the betterment of the island. We are going to be able to draw from her knowledge and experience.
She’s a real forward thinker, so you’ll start to see us looking further into the future and adapting our regulatory regime so we are still effective 10, 15, 20 years down the line with new tools, new methods of working and new ways of regulating.
My reporting line is to the Government Minister, but in practical terms, it’s to the Chair (Elizabeth).
Why does Jersey need its own data protection law?
That’s a really good question. You need to look at Jersey’s business and where most of it is driven from and where we want to align ourselves with.
Europe’s GDPR is generally seen as the ‘gold standard’. The UK adopted the GDPR legislation model as did we. The UK has now started to diverge a little from that.
If we were to align ourselves with the UK or Europe’s GDPR then we might disrupt and not assist with the data flows to and from the island. It’s better for us to align ourselves with both, by having our own law.
There are some nuances for Jersey and Guernsey in the respective DP laws because of the local landscapes.
Do you think there is a greater awareness and understanding in Jersey of data protection now?
We are seeing a far greater awareness of data protection, largely driven by the wider GDPR in Europe. This, together with our Jersey legislation, puts data protection firmly on the boardroom table for the first time.
Previously, it was a low priority for many companies; “It’s nothing to do with us. It’s all about computers. Let’s not mess about with any kind of processing activity.”
With the new data protection law, the board of directors is responsible for ensuring that their organisation is compliant with the law. This is coupled with a greater cyber security awareness as well. I see cyber security as one measure of data security provision.
Data protection must be on the boardroom table and has to be high in a company’s risk profiling.
We have a Board support squad that visits organisations and joins their board meetings. We have a very frank, open and honest discussion with them about their pinch points, where they think their weaknesses are and how we can help increase knowledge of particular subjects.
We also see a greater awareness of data protection through the activities in this office, such as an increased number of complaints and enquiries together with better levels of compliance. We are now able to measure our effectiveness as a regulator.
We are increasing our support for non-financial services organisations and the SMEs because they are unlikely to have the risk and compliance frameworks operated by larger companies.
The Global Privacy Assembly is coming to Jersey in October. What is it and how does this help the island?
The last Global Privacy Assembly (GPA) was in Bermuda, so for some attendees, Jersey will be easier to travel to.
Jersey has always been a member of the GPA and its predecessor, the International Conference of Data Protection and Privacy Commissioners.
Covid-19 changed our involvement with the international community. We needed a coordinated response globally to deal with it, so a working group was set up to focus on the huge data protection implications. We had an extremely busy Covid period, drafting guidance to help the local community navigate their way through that whole period. Our work was recognised at international level to the extent that a lot of the DPAs (Data Protection Authorities) were asking us if they could use our guidance in their jurisdiction. I said “If it works for you, then use it. There’s no point reinventing the wheel and we’re all under pressure.”
When the Covid-19 crisis came to an end, that particular working group morphed into a group called ‘Data sharing for the public good’. When the Chair retired, I was asked to step in and chair the group. It’s a huge amount of work, but again, it’s increased the international profile of the office.
Part of the DPA’s remit is to help the Jersey economy, which includes helping attract business to Jersey. Anything that’s going to help our local economy is good, so that means being present and active on the international playing field. To do that, you need to have a profile that the international community recognises. We’ve gradually built up to a point where we are recognised and have a voice that is listened to. This is important because we’re representing our local community and may have different thoughts to some of the other jurisdictions – even the UK and those closest to us.
When the opportunity came up to host the GPA conference, we put Jersey forward. It’s going to have a huge impact for us as an organisation, but it will really put Jersey on the map. There will be 400-500 people here, including other regulators from all over the world, coming to visit Jersey in the ‘shoulder months’. It’s going to be a welcome boost to our tourism – that alone is good news.
This is more than a data protection conference – it’s showing off Jersey at its best, possibly challenging with the weather, but Jersey is still beautiful and brilliant in October!
Digital Jersey, Jersey Business, the Jersey Financial Services Commission, the Jersey Cyber Security Centre, Jersey Finance and many other local stakeholders are providing great support. We’re trying to involve as many of the local business communities as we can, whilst also getting the high-profile tech companies over. It’s going to be phenomenal.
MONEYVAL is like a seal of approval for the island’s finance industry. Is there an equivalent for data protection?
Not strictly like MONEYVAL, but our adequacy assessment as a third country is the closest to a ‘seal of approval’.
What are the risks to data privacy posed by the increasing use of biometric and facial recognition technologies?
It’s another part of data processing activity, but the impact it can have is much greater; that’s why it’s classed as special category data, being sensitive personal data.
In any scenario, the more data that is collected, whether it’s personal data or special category and biometric data, the higher the risk. That risk needs to be mitigated by the organisation that’s collecting it, with more robust controls in place to protect it.
Some of the challenges are that not everybody realises it’s a different category of information. It’s got to have a much higher standard of protection over it than just a name and address.
This kind of data is attractive to bad actors who can use it to gain access to more services and products. The value of this type of data is higher, making it more attractive to those bad actors when selling it on the dark web.
This is where the whole concept of necessity and proportionality kicks in. It isn’t always necessary to use a technology that collects biometric data.
For example, in the UK, biometric data was collected from children to enable them access to the school canteen for their school lunches and to the school library. However, is that necessary and proportionate for what they’re trying to achieve? I understand it in perhaps an airport or security environment where there are public safety elements. But when you’re going for a school lunch, do you really need to have biometric information collected?
What would happen if there’s an incident at the school? How is that biometric data secured? If there was an incident and the police wanted the data, then the person collecting it at the school to provide access to school lunches has lost control of it.
We would always advise: is there another way of doing it? Have you done a risk assessment? Have you done a privacy impact assessment to establish whether or not that is the best way of collecting that data to provide that service?
Sometimes it’s just not proportionate to use that type of data.
What are the most common compliance issues you encounter during audits or investigations?
This may surprise you, but it’s the basics, the real low-level basics that people fall down on.
Sending mass emails
A great example is emails. When sending an email to multiple people, make sure people can’t see other people’s email addresses by using the BCC box, not the CC box. You can easily set up rules on your PC to prevent such a mishap. Our toolkits give checklists to follow that are nice and easy to read.
If you want to keep it on, there’s nothing in the law to say you’ve got to switch it off, but look at how you will mitigate against the risks.
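As an added illustration of the kind of rule mentioned above (this is example code, not from the interview, JOIC or its toolkits), the Python below parses an outgoing message, flags it when the visible To/Cc list exceeds a hypothetical threshold, and rewrites it so those recipients sit in Bcc; the sample message and its addresses are constructed.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Hypothetical policy threshold: more visible recipients than this is a bulk send.
MAX_VISIBLE_RECIPIENTS = 5

def _addresses(raw_message: str, header_names) -> list[str]:
    """De-duplicated, lower-cased addresses found in the named headers."""
    msg = message_from_string(raw_message, policy=policy.default)
    values = [str(v) for name in header_names for v in msg.get_all(name, [])]
    seen, out = set(), []
    for _display, addr in getaddresses(values):
        addr = addr.strip().lower()
        if addr and addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out

def visible_recipients(raw_message: str) -> list[str]:
    """Addresses every recipient can see: To and Cc."""
    return _addresses(raw_message, ("To", "Cc"))

def hidden_recipients(raw_message: str) -> list[str]:
    """Addresses only the sender sees: Bcc."""
    return _addresses(raw_message, ("Bcc",))

def check_bulk_send(raw_message: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Flag a message whose visible recipient list would disclose addresses."""
    count = len(visible_recipients(raw_message))
    return {"visible_count": count, "flagged": count > limit}

def move_to_bcc(raw_message: str) -> str:
    """Rewrite the message: sender in To, every former To/Cc recipient in Bcc."""
    msg = message_from_string(raw_message, policy=policy.default)
    recipients = visible_recipients(raw_message)
    del msg["To"]
    del msg["Cc"]
    msg["To"] = str(msg["From"])
    msg["Bcc"] = ", ".join(recipients)
    return msg.as_string()

# Constructed sample message (addresses use reserved example domains).
SAMPLE = (
    "From: dpo@example.org\n"
    "To: alice@example.com, bob@example.net\n"
    "Cc: carol@example.com, dave@example.org, erin@example.com, frank@example.net\n"
    "Subject: Newsletter\n\n"
    "Body text.\n"
)
```

Running `check_bulk_send(SAMPLE)` flags six visible recipients; after `move_to_bcc(SAMPLE)` only the sender remains visible and the check passes.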
Subject access requests (SARs)
Another frequent example is subject access requests; organisations just not recognising them, handling them poorly or not dealing with them in the correct timeframe.
Often, the request comes in and it goes into a black hole somewhere – because there is no process or no training or often, it’s directed to a junior member of staff.
Some organisations are more sophisticated and have software built in that picks up on keywords and flags SARs to the Data Protection Officer (DPO).
Poor data security
Get the basics right and the rest will follow
Poor data security often comes down to the human being. We’re seeing more cases in the private sector space, particularly in health and wellbeing. Because of its special category data, you need a much higher level of control over that information.
In terms of advice that we give to SMEs, it’s get the basics right and the rest will follow.
The rules are there for a reason – to protect people. If you’re not compliant, then you’re going to fall foul of it and pay the consequences ultimately.
We see companies that infringe the law ‘escape’ a fine. What are the implications of being ‘monitored’ by JOIC and why can this be worse for a company than a fine?
I’m not a strict advocate of fining. It’s an important part of our armoury, but the approach of this office is about outcome-based regulation. That’s because you want the best outcome for the individual who suffered as a result of the breach. The organisation needs to learn from the breach and the last thing we want to do is put them out of business.
I would much rather be involved and engaged when an issue is first identified or advice is sought, than picking up the pieces at the end when it’s too late and the damage has been done.
Prevention is always better and this is backed up by my experience as a policeman, a financial services regulator and as the data protection regulator.
The only way you can regulate, particularly on an island like this, a jurisdiction of this size and nature is by having the trust of the public. That is something we work really hard to achieve.
The reputational damage an organisation could suffer over here is far worse and nobody wants to be ‘under the hood’ of the regulator for any longer than necessary. Whether you trust that regulator or not, no matter how supportive and helpful they might be, nobody wants to be in that position.
It’s really important we distinguish that fines are one tool we have in a very extensive enforcement armoury. We have discretion, the power of persuasion, there’s the gentle touch, but then we’ve got orders and reprimands and powers to stop processing.
There’s a whole host of things that we can do. We’ve got power to enter and search. We can use all of these mechanisms; we have used them in the past and regularly use them.
What do you do out of work, when you’re not regulating?
I’m not your average commissioner! I’m a drummer in a rock band, Inside Job. We have played for royalty – Princess Anne and the former Chair of EMI Records. We play at the Jersey Boat Show every year and we played at the Round Table ball.
I’m a rocker if I’m honest. My taste in music is very eclectic – I enjoyed the closing ceremony of the Olympics with an incredible orchestra and pianist playing an ancient Greek hymn from the original Olympics.
I’ll equally listen to the Foo Fighters or AC/DC – both of which I’ll see this year. I am an avid gig-goer, having seen over 370 bands now. I love music and listen to it all the time, even in my office.
If I’m on the Harley, then generally I’ve got some sort of horror music going on.
I’m on the Board of Holidays for Heroes. Also, I’ve just become a gardening man as I’ve inherited a vegetable patch which is a really nice outlet from my day job!