We live in a data-driven world, with data presenting us with diverse commercial and domestic opportunities. These opportunities often rely on various forms of personal data, and this raises moral questions about what data is collected and how it is used – and this is arguably just the beginning.
Organisations today place more value than ever on personal data, our personal data, especially as many depend on the high-volume collection and monetisation of personal records. Companies collect and profit from the use of data on the understanding that it is not exploited or put at risk.
In recent years, Europe and Jersey have significantly improved data privacy legislation. A key part of our law is that it details specific grounds for a company’s granted use of our personal data, including public interest, legal obligation and consent. The new laws, driven by GDPR, were introduced to answer society’s increasing data privacy concerns, so these grounds can be considered the sole ‘ethical uses of data’.
The benefits of effective data protection are:
- It helps redress the imbalance between the individual and the state, but also between the individual and companies that collect, process and communicate their data to third parties.
- It preserves democracy, but also protects the individual in the face of massive technological change and generates trust in the digital economy.
In order to process non-sensitive personal information, organisations must have a lawful reason. This includes:
- consent
- to carry out a contract
- to protect the vital interests of a person
- for the performance of a public function and in order for an organisation to meet a legal obligation
- the legitimate interests of a company/organisation
Data ethics is both critical and fragile
Any one of the reasons given above can provide a legal basis for processing personal data. Provided a business can prove that its use of the data is sensible and does not violate the data subject’s natural rights to privacy, then it is permissible. This means that ‘legitimate interest’ relies on a perception of ethical conduct.
But the ethical framework against which this judgement will be made is changing, so data ethics is both critical and fragile.
Transparency is everything; if companies are as open and transparent as they can be, stating at the earliest possible opportunity how and why they are using personal data, they validate their activities and earn the trust of their customers. Such ‘transparency’ from organisations requires absolute confidence in their legal and ethical standing, as well as in their processes and technologies.
Extract from the Law
15 Data protection by design and by default
(1) A controller must, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures that are designed to
- implement the data protection principles in an effective manner; and
- integrate the necessary safeguards into the processing to meet the requirements of this Law and protect the rights of data subjects.
(2) In determining whether or not a measure is appropriate for the purposes of this Article, regard must be had to the state of technological development, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
(3) The technical and organizational measures must ensure as far as practicable that, by default
- only personal data that are necessary for each specific purpose of the processing are processed; and
- personal data are not made accessible to an indefinite number of natural persons without the data subject’s consent or other lawful authority.
Note:
- Paragraph (3) applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
- Adherence to a code or evidence of certification may provide evidence that an individual controller has or has not contravened paragraph (1).
Click here for more information about the Data Protection (Jersey) Law 2018.
This content is provided by the Jersey Office of the Information Commissioner.
Contacting the Jersey Office of the Information Commissioner (JOIC)
Explore the wealth of resources and guidance available on the JOIC’s website, or call the office on 01534 716530 to speak to a member of the team.