Starting today, we are running a regular feature with the Jersey Office of the Information Commissioner (JOIC). Data protection can be a complex subject, so we have partnered with JOIC to help make it more understandable and to answer your questions.
Today, we are joined by Anne King, Communications and Operations Manager.
The viability of a society and the success of its economy rely, in the end, on trust. Individuals must be able to trust industry to treat them fairly and in accordance with a law which is all about people protection – the Data Protection (Jersey) Law 2018 (the Law).
Trust becomes even more essential in an era of rapidly advancing technology that poses increasingly higher risks to the rights and freedoms of individuals. New technologies are improving the quality of life in many ways, including facilitating advances in medical treatments. Large volumes of personal data of varying levels of sensitivity being stored electronically, however, are increasing the risk of financial loss or personal humiliation through the loss or theft of that data.
All businesses, charities, public bodies, clubs and associations must ensure that they respect the personal information they use within their activities and allow individuals to exercise greater control over their personal data as a basic human right.
Data protection has been in place in Jersey since 1987. The most recent law in 2018 has been significantly enhanced to ensure that it offers ‘up to date’ protection for personal information, that is your information and mine, in the face of vast advances in technology. Historically, personal information has been used without regard to the detriment or distress caused to the individual in its use and abuse.
Question 1: I’m a window cleaner and keep my round details in a book, not on a computer. Do I need to register with JOIC?
To answer the window cleaner: yes, you are required to be registered with our office, as you are established in Jersey and are using personal information about individuals.
You are keeping the information on paper and in an organised manner to be able to operate your rounds, collect payment, book in new clients and make notes of any specific instructions.
Question 2: What do I get in return for the registration fee?
For the sole trader and small business community, the JOIC office (and website) offers unlimited resources of guidance and checklists to help organisations meet compliance needs and we are at the end of a telephone to help with any query. Data protection is about keeping personal information safe – not only your personal information but also that of friends and family.
JOIC’s work is funded by the fees you pay when registering your data processing activities with our office. That work involves ensuring that every organisation in Jersey complies with the Data Protection laws. It also includes an extensive education programme raising awareness of information rights, public awareness campaigns and enforcement action against non-compliance where appropriate.
Compliance in safeguarding personal information is critical for the industry and the island’s reputation as a safe place to live and do business. Without a data protection regulator, Jersey would be unable to ensure data flows in and out of the Island are protected, and we would not be able to flourish on the international finance stage.
JOIC is independent from the Government of Jersey and is the regulatory authority that promotes respect for the privacy and information rights of islanders and is responsible for overseeing the Data Protection (Jersey) Law 2018 and the Data Protection Authority (Jersey) Law 2018. The registration fee is a legal requirement in Law passed by the States Assembly.
Question 3: Why do I need to register with the JOIC? Once I have registered, what are my obligations?
The Law sets out the registration requirements. Registration is part of a suite of data protection obligations which any organisation, regardless of size, needs to embrace. The Law provides that proportionality is key.
Our window cleaner has an obligation to keep his customer information safe and secure, as does a larger retailer or finance business. That said, the levels of security, systems and sophistication will be proportionate to the volume and type of personal information held.
As regards other obligations, the Law is based on principles. These principles identify the obligations imposed on all organisations using personal information and are as follows:
- Fair and transparent processing – This means personal information must be processed lawfully, fairly and transparently.
- Purpose limitation – This refers to the fact personal information must be collected for specified and legitimate purposes.
- Excessive data collection – Personal information collected must be relevant and limited to what is necessary for the purposes for which it was collected.
- Accuracy of data – Personal information must be accurate and, where necessary, kept up to date.
- Storage limitation – Personal information must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it was being processed.
- Data security, integrity and confidentiality – Personal information must be processed in a way that ensures it is secure and protected against unlawful processing, accidental loss, destruction or damage.
Personal information covers many types of information from which an individual can be identified, for example images, voice, blood type, DNA, health and political beliefs.
All organisations using one or more types of personal information must comply with the principles of the Data Protection Law.
Tip – know exactly the different types of personal information you use in your operational activities. Know how you receive them, what happens to them, what you need the information for and when you no longer need them. We recognise this sounds rather daunting; however, we all want our personal information to be respected and used fairly. As an example:
- Sit and note down all the different pieces of personal information you rely upon to fulfil your activities. This will include customer, staff, volunteer and supplier information.
- Note down how you get the information.
- Then add in if you share it with anyone outside of your business and why.
- Next, consider how long you are keeping the personal information and why it is being kept for this period.
- Consider how you are keeping it safe.
Once you have this, look at the principles above to see if you need any guidance about how you are using personal information.
Contacting the Jersey Office of the Information Commissioner (JOIC)
Explore the resources and guidance available on the JOIC’s website.
Or call the office on 01534 716530 to speak to a member of the team.
Do you have a question about Data Protection that you would like answered? Drop us an email to [email protected]