As part of its Data Protection Compliance Audit Programme, the Jersey Office of the Information Commissioner completed a full data protection compliance audit.
The audit focussed on one local, Public Sector data controller which processes significant volumes of personal data – and the Jersey Office of the Information Commissioner (JOIC) has since published its findings and lessons learned.
The Data Protection Authority (Jersey) Law 2018 gives JOIC the power to either conduct data protection audits of any part of the operations of the data controller or data processor itself, or to require the data controller/data processor to appoint a person (approved by the JOIC) to conduct a data protection audit on any part of the operations of the data controller/data processor and report to the JOIC on those findings.
The aims of the JOIC’S audit process are to assess a data controller/processor’s policies and processes and the level of compliance with the Data Protection (Jersey) Law 2018, to highlight any areas of potential risk, and set a timeframe for any necessary remedial work.
The lessons learned will be instructive to all organisations in Jersey that are handling the personal data of individuals. The key findings are summarised on the JOIC’s website.
JOIC Operations Director Anne King (pictured) said: “Personal information, if mishandled, can lead to significant consequences for data subjects; for example, the processing and/or sharing of incorrect information can influence life changing decisions, whilst loss of information can lead to identity theft, financial fraud, or privacy breaches. With proper controls and policies in place however, organisations can manage access to sensitive data, prevent unauthorised use, and respond effectively to security breaches.
“Our audit programme is an integral part of our compliance and enforcement activity. Organisations must have in place robust controls, policies, procedures and technology and provide appropriate training to ensure the safety of individuals’ data and mitigate potential risks.
“We want every organisation in Jersey to feel confident in their understanding of their data protection obligations. We consider it important to highlight areas of good practice in industry, as well as areas for improvement and to explain what remedial action was required, and why, so lessons can be learned. We see auditing as a constructive process with real benefits for data controllers/processors and we aim to establish a participative approach whether the audit is conducted on a compulsory or consensual basis.”
A testimonial received following the end of this audit is as follows: “The audit has been transformative. The insights have significantly improved policies & processes around our processing of personal data, including its security. We are now better equipped to face future challenges and safeguard our clients’ data.”