Data Protection week presentations

Conference

Opening Conference
‘Exceptional data privacy – the cornerstone of a trust-based relationship as we celebrate International Data Privacy Day’
Half day opening conference at the Opera House sponsored by PwC in association with the Jersey Data Protection Association, the Office of the Information Commissioner (JOIC) and the States of Jersey.

Welcome & the Week’s Activities
David Carney, PwC Director – Risk Assurance & Chair of the Jersey Data Protection Association

Jersey Data Protection Authority and Jersey Office of the Information Commissioner
The relationship between the Jersey Data Protection Board and the Office of the Information Commissioner
Mr Jacob Kohnstam, Chair, Jersey Data Protection Authority
& Dr. Jay Fedorak, Information Commissioner, Office of the Information Commissioner

Brexit and Data flows
Stephanie Peat, Director of Digital & Telecoms & Dr. Jay Fedorak, Information Commissioner

‘Surviving a Significant Data Breach’ – lessons learnt and advice to others.
Advocate Davida Blackmore, Partner, Callington Chambers
Davida will give a brief overview of recent high profile data breaches and a (not too painful) dissection of how they were handled by the organisations in question. What did they do, and how could things have been dealt with differently?

‘Making it Personal’ Your Data Protection Responsibilities – Non-Executive Directors & Board members
Huw Thomas, Counsel, Carey Olsen

Data Protection compliance in the Jersey Hospitality Sector
Lean-Jsy
Paul Byrne
Owner Director
Data Protection compliance in the Hospitality sector, Jersey. Paul will take you through some of the key findings of the survey, conducted November 2018. The findings highlight the importance of having a dedicated data protection function within your organisation.

Building Collaborative Data Bridges
Mr Jacob Kohnstam, Chair, Office of the Information Commissioner
To highlight the power of industry collaboration to see what can be achieved within the limits of the law.
Panel Discussion


Data Protection Basics for all Small Businesses

28th January 2019
Advocate Davida Blackmore
Partner
Callington Chambers

Adrian Hayes
Compliance & Enforcement Manager
Office of the Information Commissioner

Alexia McClure
Head of Operations
Jersey Business

Find out why Data Protection matters to you.
Keeping your small business compliant with the law to help you protect the trust between you and your customers.


Right of Access

28th January 2019
Trevor Beckford & Claire Brown
Senior Case Workers
Office of the Information Commissioner

Individuals have the right to find out if an organisation is using or storing their personal data. Individuals exercise this right by asking for a copy of their data, which is commonly known as making a ‘subject access request’.


The Role & Responsibilities of a Data Protection Officer

29th January 2019
Paul Vane
Deputy Information Commissioner
Office of the Information Commissioner


Breach Reporting Extravaganza & Life Cycle of a Breach

30th January 2019

Advocate Davida Blackmore
Partner
Callington Chambers

Samantha Gardner
Case Worker
Office of the Information Commissioner

David Cartwright, Senior Consultant, Information Security
Grant Thornton Limited

Join the information security consultant, the regulator and the lawyer for an interactive journey through the life cycle of a data breach, including how to effectively submit a breach report to the Office of the Information Commissioner.


Data Protection compliance within the Retail Sector

30th January 2019

Paul Byrne
Owner Director
Lean-Jsy

If you are not sure whether you’re doing enough or too much to be compliant with Data Protection (Jersey) Law 2018 & GDPR, this workshop is for you. We’ll cover all the basics and give you an opportunity to get your questions answered – all in one session.

  • Understand the impact of the Data Protection (Jersey) Law 2018 & GDPR on your business
  • Requirements for CCTV security systems
  • What compliance looks like
  • Requirements for your website
  • Apply the regulation to your business with a step-by-step guide
  • Gain confidence in your approach to compliance

We will show you how we can help you on your journey


Data Protection compliance within the Retail Sector

30th January 2019

Paul Byrne
Owner Director
Lean-Jsy

If you are not sure whether you’re doing enough or too much to be compliant with Data Protection (Jersey) Law 2018 & GDPR, this workshop is for you. We’ll cover all the basics and give you an opportunity to get your questions answered – all in one session.

  • Understand the impact of the Data Protection (Jersey) Law 2018 & GDPR on your business and how the regulation impacts data processing
  • Explain the responsibilities of a Data Controller and Data Processor
  • Prepare for and cope with the rights of individuals (like the right to Access)
  • Examine the key definitions and scope of the law, such as ‘Processing’
  • Requirements for your website
  • Apply the regulation to your business with a step-by-step guide
  • Gain confidence in your approach to compliance

We will show you how we can help you on your journey.


Cyber Security for All

31st January 2019

Chris Beechy, Detective Chief Inspector
Crime Operations

Andy Carpenter, High Tech Crime Unit
Crime Operations
States of Jersey Police

An essentials talk for all covering practical aspects of cyber security at home and at work.


Cyber Security for Charities & Not-for-Profit Organisations

30th January 2019

Cloud security and data protection – Arthur Mainja, Chairman of the Channel Islands Information Security Forum “CIISF” (https://www.ciisf.org/) & Senior Manager, Cyber and Digital Advisory, KPMG in the Channel Islands. He is a Certified Chief Information Security Officer (C|CISO), Certified Information Systems Security Professional (CISSP), and Certified Information Systems Auditor (CISA), a Fellow of the Association of Chartered Certified Accountants (FCCA) and a member of various industry professional bodies.

CEO Fraud – Phil Hancock, Barclays Fraud Team – Phil is the Manager of a team which investigates Fraud for both local customers and international clients holding Jersey based accounts.

Cyber Essentials and Cyber Score – Marc Allenet – CyberScore™ is an automated security testing service that provides full reports of cybersecurity posture, including get well plans and full technical reports to show exactly where the key vulnerabilities lie, and exactly what you need to do in order to remedy them.

Cyber Security – The Insurance Solution – Seldom purchased, but considered as a potential life-saver for businesses, Cyber Insurance can ensure a company survives a cyber-attack or data breach. It is said that there are two types of business – those that have been hacked, and those who will be hacked. Sandra will explain the benefits of Cyber Insurance and how it can keep your business on stable financial footing should a significant security event occur. Sandra Fernandes is the Director of Vantage Insurance Brokers Limited.

Cyber security and data protection in the Not-for-Profit sector – David Cartwright – A talk looking at the particular – and often unique – challenges faced by charities with regard to cyber security and data protection, with practical guidance on how to deal with those problems and run the organisation as securely as possible. Having spent many years in mainstream IT and network management, Dave now specialises in the fields of cyber security and data protection: he joined Grant Thornton in 2018 to run their cyber security consultancy business in the Channel Islands. Dave is Deputy Chairman of the Channel Islands Information Security Forum.

12:30-12:40 Launch of Jersey Charitable Skills Pool (“JCSP”) David Cartwright on behalf of the JCSP.


Why Personal Information Matters to YOU

1st February 2019

Adrian Hayes, Compliance and Enforcement
Anne King, Communications and Operations
Office of the Information Commissioner

Empowering you to take control of your personal information. Understanding the rights that the Data Protection (Jersey) Law gives you.

Data Security is everyone’s business.

Your personal data is an invaluable asset that can easily fall into the wrong hands, particularly when it is in electronic form. It is important to realise that even when you just click on a Google search result, a Facebook status, or order an item on Amazon you are generating data about yourself. There are two basic risks. The first is that hackers may attempt to steal your information from a database held by a business or public authority. The second is that it may be on a device that is inadvertently lost. Fortunately, we have new legal rights and protections under the Data Protection (Jersey) Law 2018 that specifically address the risks to our privacy lurking in our current highly digitised world. The new law gives us more control over our personal information that government and business hold.

If you are unsure of what information a business has about you, you have a right to ask to see it. If you do not like how a business is treating you or your information, you can take all of your information from them and give it to another business. You also have a right to have your personal information deleted. This has helped some people to get their information removed from the internet. For those of you who do not like computers making decisions about you, the law gives you the right to object to automated-processing of your personal information. You can also object to the use of your personal data for direct marketing or historic or scientific purposes. In addition, to keep your health information out of the hands of businesses, the law nullifies any contracts that require you to supply your health care record.

If you need help exercising these legal rights, contact us at the Jersey Office of the Information Commissioner. Our role is to ensure that government and businesses follow the law. We have the power to investigate and resolve complaints from individuals regarding the processing of their information.

In today’s Cyber Security JEP supplement

These legal remedies and protections are one method of protecting your information. As individuals, we can also take simple yet effective steps to keep our personal information safe. We recommend that everyone take the following advice to avoid identity theft, financial loss and emotional trauma. My team and I at the Office of the Information Commissioner recommend that you:

  • Always ask why an organisation needs your personal information and how they will use it. Check privacy policies on websites. For example, if a shop assistant asks for your email address ask them why they want it – then you can decide whether to share the information.
  • Check the privacy settings on all your social media accounts. It is alarming how much your account, posts and ‘shares’ reveal about you. Think twice before completing quizzes that include pet names and maiden names. This gives someone key pieces of information that mirror the typical security questions for your bank.
  • Reset the default password on your router (if in doubt about how to do this ask your provider). Routers often come installed with a common password. You must change this to stop others using your broadband or being even more devious.
  • Be cautious when using Public Wi-Fi. While they can be a great way of saving your data allowance, they are often unsecure and let others track your activity, including bank account details, payment details etc.
  • Encrypt any USB keys or removable drives you use. Encryption will prevent someone else from accessing the information on the device.
  • Ensure that your mobile phone and tablet require a password, PIN or biometric to access them. We would all be lost without our phones but don’t let criminals get access to them.
  • Have strong passwords on your accounts. Use upper case and lower case letters, as well as numbers and symbols. Nothing that anyone else could easily guess.
  • Install all updates as soon as they become available, as they plug security holes that hackers could otherwise use to access your information.
  • Carefully think about where and how you share and store images of children. You can help protect young people by keeping images away from the internet and not storing them in unsecure places.

It is also important to destroy securely any paper documents that contain your personal information. Even something as apparently innocuous as an airline boarding pass contains a personal identifier that is linked to other personal information on an information system, including passengers’ names, the contact data of a person who booked the flight, date of birth, passport data and payment information (like a credit card number).

In conclusion, if you want to keep your personal information safe, you need to be your own information commissioner. That is to say that you should be aware of how government and businesses are processing your personal data. You should question them when you think they are collecting more data than you think they need, or when they are using or disclosing your data for purposes to which you did not consent. The new law gives you rights to hold them to account. Make sure you understand those rights and exercise them when necessary.

By Dr. Jay Fedorak

Information Commissioner

#TopTenTips for Data Controllers #KeepMyDataSafe

Data Protection is a positive concept, which holds to account those entrusted with our personal information to look after it correctly. Here are our top ten tips for data controllers.

  1. Only process what you really need; information minimisation reduces risk.
  2. Train, train, train. Data protection training and awareness for all staff, volunteers and executives is fundamental.
  3. Consider turning off the ‘auto-complete’ function for email addresses. How many times have you mistakenly sent an email to the wrong person?
  4. Use the BCC field when sending emails to more than one recipient. Stay safe and avoid the risk of sharing personal information that you shouldn’t.
  5. Treat all personal data with the same respect and security as you would wish for your own.
  6. Revisit your privacy policy to make sure that you are transparent about how you are processing individuals’ information.
  7. Check your breach logs; is there a pattern of breaches which should not be happening?
  8. Think ‘data protection’ from the moment you collect your customers’ data. It’s easier to protect than correct!
  9. Schedule regular data protection policy reviews. When was the last one done?
  10. Don’t panic! Our team at the Office of the Information Commissioner is on hand to answer your questions. If you’re not sure about something or need some advice on how the law applies to you, please do not hesitate to contact us on 716530 or email enquiries@jerseyoic.org.

#TopTenTips Data Protection Week #KeepMyDataSafe

The data protection law is frequently used as a barrier by organisations to hide behind. This is often as a result of a lack of understanding of the law, or a fear of getting it wrong and facing the wrath of the regulator. This inadvertently leads to organisations telling you they can’t do something when actually they can.

Data Protection is a positive concept which holds to account those entrusted with our personal information to look after it correctly. Here are our top 10 tips for individuals.

  1. Check out the small print / privacy policy and don’t be afraid to question it. Is your information being shared? If so, with whom? And for what purpose? All too often we are only partially aware of how our information is collected, used, and shared.
  2. Don’t throw your paperwork in the bin; identity thieves can have a field day spending your money if your information is stolen.
  3. Check the privacy settings on all your social media accounts. It is alarming how much your account, posts and shares reveal about you. Think twice before completing online quizzes that include pet names and maiden names. This gives someone key pieces of information that mirror the typical security questions for your bank.
  4. Reset the default password on your router (if in doubt about how to do this ask your provider). Routers often come installed with a common password. You must change this to stop others using your broadband or being even more devious.
  5. Be cautious when using public Wi-Fi. While it can be a great way of saving your data allowance, it is often unsecure and lets others track your activity, including bank account details, payment details etc.
  6. Encrypt any USB keys or removable drives you use to prevent someone else from accessing the information on the device.
  7. Ensure that your mobile phone and tablet are password, PIN or fingerprint protected. We would all be lost without our phones but don’t let criminals get access to them.
  8. Use strong passwords on your online accounts, with a mix of upper case and lower case letters, as well as numbers and symbols that no-one else could easily guess.
  9. Install all updates as soon as they become available, as they plug security holes that hackers could otherwise use to access your information.
  10. Don’t panic! Our team at the Office of the Information Commissioner is on hand to answer your questions. If you’re not sure about something or need some advice on how the law applies to you, please do not hesitate to contact us on 716530 or email enquiries@jerseyoic.org.

Data Protection Week 2019 – 28th January to 1st February

To mark international data protection week, we are collaborating with a wealth of speakers to host a series of events for:

  • members of the public to bring attention to their personal information rights.
  • businesses to raise awareness of their data protection obligations.

We hope these events will help to inform consumers, organisations, charities and businesses of all sizes, about personal information security, rights and responsibilities.

#DataProtectionWeek

The week commences with a half day conference offering an insight into the ‘value’ of personal data and the relationship with customers – we are exploring surviving a data breach, the importance of collaborative data bridges, board members’ data protection responsibilities and compliance in hospitality. The event culminates in a panel discussion. Other events between 28th January and the 1st February include bespoke seminars for small businesses, tourism and retail sectors, cyber security events, data protection for consumers, a breach reporting extravaganza and more.

The week is kindly being supported by many local businesses. Special thanks to our primary sponsors: PwC and the Jersey Data Protection Association. With support from Lean-Jsy, Barclays, Jersey Business, Grant Thornton, States of Jersey, Callington Chambers, Channel Islands Information Security Forum, Carey Olsen, Digital Jersey, Lloyds Bank and the States of Jersey Police.

To view the full list of events please click here.

 

The gift of personal information

Throughout the year we gift organisations, clubs, businesses and charities our personal information in return for a product or service. We often take time to carefully select the best gift for a loved one or friend, however we sometimes give the gift of our personal information to others without such consideration.

Jersey’s Data Protection Law is in place to help ensure that when it comes to our personal information, all of us are provided with appropriate legal protections and remedies in today’s highly digitised world. Every time you click on a Google search result, like a Facebook status or order an item on Amazon, you are generating data; such data is arguably one of the most important assets in our modern age.

The team from the Jersey Office of the Information Commissioner (JOIC) sends seasonal wishes and a small gift: The 12 Information Crackers

 

  1. Data Protection is a positive concept which holds to account those entrusted with our personal information to look after it correctly.
  2. ‘Oh we can’t tell you that…it’s against data protection! …’ The data protection law is frequently used as a barrier by organisations to hide behind. This is often as a result of a lack of understanding of the law, or a fear of getting it wrong and facing the wrath of the regulator. This inadvertently leads to organisations telling you they can’t do something when actually they can.
  3. ‘I didn’t give you consent to share my information…’ There are a number of ‘conditions for processing’ that can be relied upon by organisations depending upon the type of information and the circumstances in which it is to be used. For example, another law might require an organisation to share your information with another authority, meaning there is a legal obligation compelling the organisation to disclose it. In those circumstances, they wouldn’t need to obtain your consent first.
  4. Tip: check out the small print / privacy policy. Is your information being shared? If so, with whom? And for what purpose? All too often we are only partially aware of how our information is collected, used, and shared. Ask questions.
  5. The JOIC team recommend that you turn off ‘auto-complete’ for email addresses. How many times have you sent the ‘innocent’ email to the wrong person?
  6. Use the BCC (Blind Carbon Copy) for emails to more than one recipient. Stay safe and avoid the risk of sharing personal information that you shouldn’t.
  7. Treat all personal data with the same respect and security as you would wish your own information cared for.
  8. Don’t throw your paperwork in the bin –
  9. When processing children’s personal information you must take extra care.
  10. Only process what you really need – information minimisation reduces risk.
  11. Train, train, train. Data protection training and awareness for all staff, volunteers and executives is fundamental.
  12. Don’t panic! Our jolly team at the Office of the Information Commissioner are on hand to answer your questions. See our contact details below.

If you’re not sure about something, or need some advice on how the law applies to you, please do not hesitate to contact us.

The Data Protection Law should be seen as an enabling piece of legislation, not a dis-abler. Successful businesses are those that can harness the power of the digital footprint AND ensure that they respect customer data.

Know your Data

On the 26th November the Information Commissioner, speaking at a Jersey Data Protection Association event, highlighted that a data inventory is an essential part of any business’s ‘good’ data protection program. This simple message has been reinforced by both Professor Roberts from Oxford University, a specialist in Artificial Intelligence [AI], and Julian Box, CEO of Calligo, at their Transform AI conference on the 27th November.

Professor Roberts urged businesses to ‘think more carefully about the data they are collecting as well as how and why they are collecting it’; Julian Box says ‘local businesses are not giving enough thought to how they are using data’.

Powerful messages focusing on a very real practical business essential. How can you protect your clients, your business and your reputation if you don’t know exactly what data you are collecting, why you are collecting it and what you may be doing with it?

Our office is your ‘partner in data protection compliance’ – please contact us if you need any data protection guidance.

Please know your data.

Our goal is to provide the people of Jersey with the highest standard of data protection, while also preserving their economic interests.

‘Meet the Information Commissioner.  What’s been on his office’s agenda since May 2018?’

Dr. Jay Fedorak spoke to an oversubscribed Jersey Data Protection Association event on the 26th November. The Information Commissioner opened with a brief overview of recent changes in the Office of the Information Commissioner. He detailed the growth in the number of staff and organisational structure, as the team develop to meet new challenges. He drew attention to the impending transition to greater financial and governance independence from the States of Jersey.

 

Dr. Fedorak highlighted that most of the office’s workload since the change in law in May 2018 has been complaints regarding the improper ‘disclosure’ of data as opposed to concerns with data collection. The team’s workload trebled between May and October 2018 as compared to the same period in 2017.

The Information Commissioner walked attendees through the top level elements of a good ‘Data Protection Programme’:

  • Data Protection Officer
  • Know your personal data – create an inventory
  • Appropriate Data Protection policies and protocols, to include Subject Access Requests and reporting breaches
  • Training & awareness
  • Periodic reviews and audits
  • Executive buy-in

Dr. Fedorak spent a few moments reinforcing the importance and power of the periodic review: whether it is a spot audit or more in-depth, the review identifies any deficiencies in your organisation’s Data Protection programme. An essential part of the policy is the executive buy-in, and Dr. Fedorak offered to help anyone who believes that they are not getting executive support and commitment. He will happily speak to any organisation to detail how and why this is so critical.


‘True transparency requires timely access to information, and the timelines in the Law are not optional, they are a requirement.’

Dr. Jay Fedorak, Information Commissioner talks to BBC Breakfast Radio Jersey, today.

Listen here as Dr. Fedorak explains public interest is more specific than ‘what the public finds to be interesting’. It does not refer to interest in the sense of being entertaining. The term public interest concerns the public having a stake or right that is at issue rather than simply mere curiosity.

Listen in here from 2:06 for the full interview (available for 29 days).

https://www.bbc.co.uk/sounds/play/p06pprp8

The Freedom of Information Law requires disclosure of part of the employment contract of the Chief Executive of the States of Jersey

In a Decision Notice issued today, Information Commissioner Dr Jay Fedorak found that the Freedom of Information (Jersey) Law 2011 authorised the Chief Minister’s Department to withhold some information in response to a request for the employment contract of the Chief Executive, but was not authorised to withhold other information. He also found that it failed to meet the maximum timelines for responding as article 13 of the FOI Law requires.

Commissioner Fedorak states ‘true transparency requires timely access to information, and the timelines in the Law are not optional, they are a requirement.’ He also notes that public authorities must be able to justify in each case why it would be reasonable for them to take more than the standard 20 days to respond to a request.

The Law recognises the tension between transparency and privacy in the FOI Law with respect to the personal information of public officials. It is necessary to weigh all of the relevant factors in each case when responding to requests for this information. These relevant factors include whether the information relates to professional responsibilities or private life and whether disclosure would be in the public interest. Some of the criteria for determining whether disclosure serves the public interest are:

  • The seniority and public profile of the employee;
  • If the information has been the subject of recent public debate; and
  • If the information relates to the expenditure of public funds.

‘Everyone has a right to privacy,’ states Commissioner Fedorak, ‘including public officials. However, the public must be able to hold public authorities accountable for their decisions and activities. This sometimes requires the disclosure of information about the professional responsibilities and terms and conditions of employment for identifiable public officials.’

As is customary with respect to formal decisions under administrative law, the Commissioner will not comment on this Decision Notice or the details of this case.

Notes

The Freedom of Information (Jersey) Law 2011 promotes transparency and openness, which are fundamental to a healthy democracy and sound public policy making. The Law gives individuals rights of access to official information held by Public Authorities in Jersey.

Under Article 46 (2) of the Law, any person who is unhappy with the way in which a Public Authority has responded to their request must first request a review by the Public Authority. If they remain unsatisfied, they have the right to make an appeal to the Information Commissioner.

The Information Commissioner issues a final decision with respect to the matters at issue by way of a ‘Decision Notice’.

https://oicjersey.org/freedom-of-information/

The Implementation of GDPR in Jersey – six months on

Information Commissioner Jay Fedorak looks at the state of play since the new rule on data protection came into force in May.

It has now been six months since the new Data Protection (Jersey) Law 2018 came into force, incorporating the new European Data Protection Regulation (GDPR). This new initiative brings data protection into the twenty-first century with provisions to address some of the challenges that rapidly advancing information technology poses. It replaces the previous generation of data protection regulation that emerged during the age of paper.

Now technological advancements, including the introduction of social media, have expanded our ability to collect, use, analyse and disclose personal data. This has improved services to individuals and reduced costs but has also created new risks to privacy. Breaches are becoming larger, more frequent and more harmful.

(Jersey Evening Post, 21st November 2018) 

GDPR places new responsibilities on business, including transparency around the management of personal data, and gives new rights to individuals. Businesses must document their data management practices and many must appoint a Data Protection Officer. Businesses must also report data breaches to the Jersey Office of the Information Commissioner (JOIC), whenever there is the potential for harm to the data subjects. They must respond to requests for correction and deletion of personal data, as well as requests to transfer their data to other businesses.

In the two years since the European Commission announced GDPR, there was a great level of awareness and preparation by businesses in Jersey. A new industry in data consultancy emerged to assist business in preparing to comply with the new rules. The JOIC provided advice and direction and fielded a large number of enquiries.

Since 25 May, however, there has been less public attention and fewer calls from businesses. This might be an indication that all businesses are confident about their level of compliance. However, compliance with GDPR is not a one-time event. It is an ongoing process. After businesses establish policies and procedures and train their employees, they should check and confirm that everyone is complying with those requirements, at least annually.

The workload of the JOIC has grown since 2017. Complaints have doubled and self-reported breach notifications have increased considerably. Some of the breaches reported do not meet the threshold for harm that requires reporting. Nevertheless, there is no harm in reporting minor breaches. It increases our knowledge and enables us to assist businesses in responding to them.

Our greatest challenge is building the capacity of the JOIC to meet its new responsibilities. In addition to dealing with a growing number of complaints, we must expand our public education programme and develop implementation tools to assist businesses. We must move into larger office space and develop a new funding model, along the lines of other independent regulators, like the Jersey Financial Services Commission and the Channel Islands Financial Ombudsman. For JOIC to be credible in the eyes of the public, it needs to be financially and administratively independent of the States of Jersey. The Law created a Jersey Data Protection Authority, with an independent board that provides a new model of governance, oversight and accountability separate from the States. Once we have the space to grow, we will be able to recruit the employees necessary to fulfil our mandate.

JOIC needs to be an independent and effective data protection regulator to ensure that businesses continue to enjoy unimpeded access to cross border flows of personal data from Europe. GDPR prevents cross border flows to non-member states that do not have an adequate level of data protection. The European Commission gave Jersey adequacy standing under the previous data protection regime, and that status will continue temporarily under the new regime. However, Jersey will be subject to a new adequacy assessment soon, and it is important for businesses that it is successful. Businesses can help by complying with the Law and providing the highest level of data protection.

The prospect of a No Deal Brexit also poses a serious challenge to Jersey businesses. Without a deal, the United Kingdom would become, upon leaving the EU, a third country without an adequacy designation. This means the free flow of personal data from Europe would end, requiring the development of new administrative mechanisms to permit some of the data to flow. It would also mean that, under the Jersey Law, businesses would no longer be able to transfer data freely to the United Kingdom without new contractual provisions, binding corporate rules or obtaining the consent of data subjects. Having to deal with this type of red tape would be bad for business.

Going forward, JOIC will strive to be a partner in compliance with Jersey businesses in a way that respects our independence. Our goal will be to provide the highest level of data protection for the people of Jersey in a way that promotes their economic interests. I encourage any business that has questions about data protection to contact the JOIC.

Civil service chief’s contract: Commissioner will decide whether to publish details

The decision on whether to make public details of the employment contract of the Island’s top civil servant, Charlie Parker, remains in the hands of Jersey’s Information Commissioner, the JEP reported on Saturday 3rd November.

Commissioner Jay Fedorak said that the file was still ‘live’ in relation to an appeal by online newspaper Bailiwick Express, after the JEP exclusively revealed that Mr Parker had been given entitled, rather than ‘essential employee’, housing status as a perk of his contract.

The appeal was lodged with the Commissioner’s office following a six-month battle with the Freedom of Information office for the contract details to be released.

The FoI request was subjected to numerous delays before being denied in August, with unnamed senior States officials saying it contained personal information.

‘I can confirm that we have received it but I can’t get into any details of what is happening with a live file at this time,’ Mr Fedorak said of the appeal.

The Office of the Information Commissioner is responsible for the compliance of local agencies with data protection laws and is the final arbiter for FoI requests.

There have been a number of calls for Mr Parker’s contract to be made public since the JEP revealed that the States chief executive had been granted ‘entitled’ status.

‘We are going to be dealing with it as soon as possible,’ Mr Fedorak said, but he was reluctant to commit to a timeline. ‘I have already had a look at the materials and I am actively involved in the deliberations. I will be trying to draft a report as soon as I can,’ he added.

Exploring the remit of the Office of the Information Commissioner

Commissioner Jay Fedorak chatted at length with Tania Targett, senior reporter from the JEP.

Ms Targett started by asking why the Commissioner role now and why Jersey? ‘Jersey is an opportunity to join a dynamic island and team at a time of change, with the implementation of new laws and the emergence of new challenges within a new Data Protection organisational structure,’ explained Jay.

‘My office provides islanders with timely and expert advice, in relation to all data protection and freedom of information issues. In our role as regulator, we encourage businesses to promote good information management practices and to perceive that the data protection law enables the use of personal data for all legitimate business purposes.

It is essential that our office helps to raise the international profile for data protection in Jersey, in support of the island’s reputation as a well-regulated jurisdiction.’

The team at the Office of the Information Commissioner is growing to meet the needs of the new legislation which enhances our individual rights and requires organisations to report breaches of personal information.

Ms Targett enquired if the Commissioner felt that islanders are aware of their rights in relation to both data protection and freedom of information. The introduction of the much-publicised GDPR (General Data Protection Regulation) in Europe including the UK, in May of this year, heightened public attention. The increase in numbers of enquiries and complaints to the office since May indicates that awareness is growing.  However, we believe that the recognition of the enhanced individual rights of the new Data Protection (Jersey) Law needs to be more widespread in our community.

The enforcement team takes seriously all enquiries to the office and investigates all data protection complaints. In certain cases, the Commissioner may make a final decision, where circumstances warrant.

The office is also the oversight body for the FoI Law. We are the avenue of appeal whenever a requester is dissatisfied with the initial response to their request and has applied for and received a reconsideration of the decision of the States of Jersey. Our role is to undertake a review and make a final determination of the correct application of the law to the requested information. The FoI Law facilitates transparency of public authorities and promotes the public interest.

We actively encourage islanders and organisations to contact us if they have any questions about any aspect of the laws, including their rights and responsibilities.

Swapping personal information for wheelbarrows and brooms at Jersey Hospice

Our eight-strong team focussed on shrubs and plants for two days to help support the excellent work of Jersey Hospice. The Information Commissioner, Dr Jay Fedorak, and Paul Vane, Deputy Commissioner, were among the team who cleaned out planters, swept paths, pruned shrubs, cleaned the water feature and spruced up the greenhouse.

Jay Fedorak said it was rewarding to contribute, even in a small way, to the total philosophy of care and patient well-being offered by the team at Jersey Hospice. It quickly became evident that the staff at Hospice look after inpatients as well as a huge number of day patients and visitors, who offered us varying gardening tips and supportive comments.

Pictured above from left to right Paul Vane, David Lawson, Adrian Hayes & Claire Brown

Our day job helps to raise awareness amongst our community about their personal data – when to share it and how to protect it. Our regulatory function helps us to enforce good behaviour from Jersey organisations as to how they look after our information.  Personal data includes anything that could identify a living person, for example location data, date of birth or IP address.

Pictured above from left to right Trevor Beckford, Jay Fedorak, Anne King & Sammie Gardner

Certain types of personal data, such as genetic or physical or mental health data, are called ‘Special Category Data’. This type of data has to be given additional care and security. Jersey Hospice reminded us during our gardening days that they have embedded good data policies and practices in everything that they do to ensure that they are trusted by patients and their families and to comply with their legal obligations.

If you need any guidance about your personal information rights or how to look after people’s personal information please call us on 01534 716530 or email enquiries@oicjersey.org

Four non-executive directors appointed to the Data Protection Authority Board

Jersey’s Data Protection Authority has announced the appointment of four outstanding non-executive directors to the board overseeing Jersey’s Office of the Information Commissioner (JOIC).

The appointments include Clarisse Girot, who brings significant expertise and experience working in the field of data protection and privacy regulation in Europe and Asia as well as cross-border data flows, Dr David Smith who formerly served as Deputy Information Commissioner to the UK Information Commissioner’s Office, Gailina Liew, who has expertise in ethical implications of new technologies, and John Harris, a local financial professional with exceptional experience of both public and private sector organisations.

Chair of Jersey’s Data Protection Authority, Jacob Kohnstamm, said: ‘I am grateful and proud that these highly-qualified individuals are keen to join our team to help guide the JOIC in facing the challenges of Brexit and achieving EU adequacy.’

The board has been formed as the JOIC transitions towards greater independence from the States of Jersey, in line with requirements of the European Data Protection Regulation – GDPR. The board will support the local office whilst holding it to account, having financial and strategic oversight. It will contribute to ensuring that the Island retains its EU adequacy status with a free flow of data.

The Chief Minister, Senator John Le Fondré, has signed a ministerial decision to appoint the new members of the board. There is a two-week notification period during which the States Assembly has the power to amend the decision.

The new appointments will be made official after the two-week period and will take up a three-year term of office on Monday, 29 October 2018.

Jersey’s Information Commissioner, Jay Fedorak, said: ‘These individuals are highly-qualified and well-respected by their peers on the Island and internationally. They bring complementary skills and expertise in data protection internationally, as well as knowledge of Jersey, its culture and its economic sector. I am confident that together we will promote effective and efficient data protection for the people of Jersey.’

Information Commissioner urges business owners and employees to uphold the data privacy rights of data subjects

In light of the recent incident involving the former police officer who breached data protection laws by misusing police computer systems, Jersey’s Information Commissioner urges business owners, public authorities and their employees to ensure that they respect the data privacy rights of individuals.

Commissioner Jay Fedorak said: ‘When employees inappropriately access personal data on electronic systems intended only for legitimate purposes, such as law enforcement, health care, drivers licencing and other public services, the threat to personal privacy, dignity and well-being can be significant. It is a betrayal of public trust and can undermine public confidence in our institutions.’

‘It is crucial that citizens can entrust companies, organisations and public agencies across the island to keep their personal information secure. Data protection laws help ensure that there are appropriate legal protections and remedies against the mishandling of our personal data, which poses substantial risks  in today’s highly-digitised world.’

‘Since the law changed on 25 May, local businesses and organisations must comply with higher data protection standards. I would encourage all businesses to develop and implement an effective plan to ensure compliance.’

Additional information

To maintain trust and to comply with the Data Protection Jersey Law, there is no escaping the following fundamentals:

  • staff training
  • policies and procedures to ensure data security and confidentiality
    • subject access policy and procedures
    • policies on the use of CCTV equipment
    • privacy policies and fair processing statements
    • retention and destruction policies
  • appropriate safeguards for the rights of data subjects
  • register with the Office of the Information Commissioner
  • establish a breach reporting mechanism

OIC celebrates International Right to Know week

As part of international Right to Know week, the Office of the Information Commissioner (OIC) is calling on islanders to understand the role they play in promoting a healthy democratic government by being able to hold public authorities more accountable to the public.

Right to Know week celebrates access to information under the Freedom of Information Law. It aims to make public authorities more accountable by providing the public with a fundamental legal right to obtain copies of records that public authorities hold, or other agencies hold on behalf of public authorities, and that the right information in those records is disclosed.

‘We all have a right to obtain information we need to make sound and informed decisions and political choices. Globally, we live in an era of ‘fake news’, communications spin and social media manipulation, and the public’s trust of public authorities in many jurisdictions is low. An active and engaged citizenry with an effective regime of access to information promotes better public policy-making and improves public trust. It is vital that everyone is aware of our right to access important information that affects our daily lives,’ said Information Commissioner Jay Fedorak.

Jersey’s Freedom of Information law is safeguarded by the Office of the Information Commissioner, which has legal powers to compel public authorities to comply with the law.

‘Public officials are more thoughtful and careful when they are aware that their words and deeds may be subject to public scrutiny. Therefore, to ensure real accountability that will preserve and improve the democratic system of government we all cherish, it is essential that we have a well-regulated system of public access to records of significance. The Office of the Information Commissioner has an important role to play in helping public agencies to apply the correct interpretation and to confirm to applicants whether they have done so, either in whole or in part,’ added the Commissioner.

In Jersey, public agencies must make every reasonable effort to respond openly, accurately, completely and without delay. The Freedom of Information law stipulates that public agencies must respond to requests within 20 working days, barring specified exceptional circumstances. Any delay beyond that limit is prejudicial to the interest of the applicant and constitutes a contravention of the law. They must also make an accurate and complete response. However, the law recognises that it is in the public interest that certain information remain confidential or secret.

 

OIC to move offices

The Office of the Information Commissioner (OIC) will move to temporary serviced offices on Wednesday 1st August.

The OIC’s new address will be:

Office of the Information Commissioner
One Liberty Place,
Liberty Wharf,
La Route De La Liberation,
St Helier,
Jersey JE2 3NY

There will be some disruption to Internet, email and telephone services, which will be kept to an absolute minimum, during the office move. As such, the office will be closed for one day (Wednesday 1st August) during the move. Full service will resume on Thursday 2nd August.

The OIC’s email address, website and telephone number will remain the same: enquiries@oicjersey.org / www.oicjersey.org / 01534 716530.

The OIC has grown out of its premises at Brunel House, where the Commissioner’s office has been based for four years.

‘The OIC’s new structure came into effect in May, reflecting the change in data protection laws and the increased remit of the OIC. Liberty Place is an interim measure while we secure long-term office space to accommodate our growing team. We hope to move into permanent office space towards the end of 2018 or early 2019, by which time we will already have increased from seven to nine staff.

‘The move to new premises is vital as it will enable the OIC to fulfil its role as an efficient and effective regulator, with the capacity to grow as we recruit more specialist employees to meet the extra workload that the General Data Protection Regulation (GDPR) has created.

‘We are looking forward to working with the public and businesses to ensure they are aware of their data protection rights and responsibilities,’ Information Commissioner Jay Fedorak affirmed.

New Information Commissioner for Jersey announced

Information Commissioner appointed

The Office of the Information Commissioner has announced the appointment of Dr Jay Fedorak as Information Commissioner. He will take up the post on 2 July 2018.

Dr Fedorak will be responsible for regulating compliance with Jersey’s data protection and freedom of information laws. He will also represent the Island internationally on these matters.

Dr Fedorak has 25 years’ experience in administering freedom of information and data protection legislation in the public and private sectors. He brings a wealth of international experience to the post, having served as Deputy Commissioner of the Office of the Information and Privacy Commissioner in British Columbia, Canada, since 2012.

His appointment strengthens the OIC’s existing leadership team. He will work closely with the Chair, Jacob Kohnstamm, as well as with the Deputy Information Commissioner, Paul Vane, who has served as Acting Information Commissioner since February 2018.

Mr. Kohnstamm said: “I am very happy with the new team of Commissioner and Deputy Commissioner. We have the best of both worlds in Jay and Paul leading the OIC and we will be able to fulfil our tasks with confidence.”

The Chief Executive of the States, Charlie Parker, said: “Dr Fedorak brings significant expertise to this important role. I look forward to working with him, as well as with the broader leadership team, to ensure that Jersey remains at the forefront of data protection.

“I would also like to thank Mr Vane, who has ably led the Office of the Information Commissioner for the last six months and has been instrumental in ensuring that the Office of the Information Commissioner, and the Island in general, has been well prepared for our new data protection regime.”

Dr Fedorak added: “I am honoured to undertake this extraordinary opportunity at an important juncture for Jersey. I look forward to assisting all organisations in implementing the highest standards of data protection for the people of Jersey in ways that sustain the Island’s economic interests. I also thank Chair Kohnstamm and Mr Vane for their continuing exemplary leadership.”

 

Joint statement from the Jersey Financial Services Commission and the Office of the Information Commissioner

The Jersey Financial Services Commission and the Office of the Information Commissioner have released a joint statement regarding the implications for financial services businesses in Jersey following the introduction of the new Data Protection (Jersey) Law 2018, which comes into effect today.

The purpose of the statement is to reassure financial services businesses that the new rules are compatible with the JFSC’s regulatory requirements, particularly in relation to the security of personal data. The statement also reaffirms the intention of the JFSC and the OIC to work together in supporting organisations moving forward.

To read the statement in full, please click here.

Acting Information Commissioner calls on business owners to face up to their data responsibilities as GDPR and the Jersey laws come into effect

The Office of the Information Commissioner’s (OIC) new structure, the new Jersey Data Protection Laws and the General Data Protection Regulation (GDPR) all come into effect today, 25th May 2018.

Acting Information Commissioner, Paul Vane, has called on all business owners in Jersey to ensure they are aware of their data responsibilities and to lean on the OIC for support. GDPR is the first update to the EU’s data laws since 1995 and it reflects the way that our data is used in today’s world. The local Laws reflect the GDPR principles in requiring greater accountability and transparency of data controllers and providing enhanced rights for individuals in respect of how their personal information is handled.

‘GDPR is a transformative piece of legislation and businesses must ensure they comply from today. Monumental changes have happened in the worlds of digital and data over the last 20 years or so and we live in a very different world. This is a turning point for data protection laws. With so many digital channels and technological advances, we provide and create more data than ever before and it’s vital this data is treated with respect.

‘The protection of our data and ensuring businesses are using our information in a responsible manner is a huge issue that affects businesses large and small. In particular, we need to ensure that individuals understand that their data is a valuable asset and should not be abused by the organisations they entrust that information with. We also need to ensure that all businesses understand that the information they hold belongs to their customers and they have responsibilities to uphold.

‘We acknowledge that many local companies will not be fully prepared for the changes that come into effect today. But what is crucial is that these companies have a robust road map and action plan to meet compliance. This is the start of a new beginning and an opportunity to foster a ‘right first time’ approach with the customer as the focus,’ said Mr Vane.

The structure of the OIC has changed to reflect the new data protection laws, forging greater independence for the Commissioner and affording greater powers. As part of the new set up, the Data Protection Authority has also now come into effect. Chaired by Jacob Kohnstamm, the Authority will serve as the interface between the Office of the Information Commissioner and government. This structure creates a clear distinction between the Office and government, and underscores the importance of the independence of the OIC.

Mr Vane said, ‘The new structure enables the Office of the Information Commissioner to operate with uncompromised independence. This will allow for greater accountability and transparency, and ensure the Commissioner is an effective and efficient regulator. This is vital in being able to successfully conduct our role.

‘As part of its significant structural transformation and increased remit, the Office of the Information Commissioner has the power to investigate and, where appropriate, fine businesses for abuse of data. Any fines collected will be reinvested back into the public accounts and we hope, where possible, will be used to improve education and awareness in data protection and the island’s digital development.’

The new data regulation means that the Office of the Information Commissioner will be busier than ever.

‘To ensure we can meet the demands of the new legislation and the extra enforcement and educational aspects of our work, the Office of the Information Commissioner will be increasing in size. This will enable us to take a more proactive stance and increase our capabilities both in terms of education and enforcement,’ added Mr Vane.

To find out more visit the office website at www.oicjersey.org or call 01534 716530.

Breach reporting facility added

Friday 25th May is fast approaching, and in advance of the implementation of the Data Protection (Jersey) Law 2018, the OIC has added a new section on the website home page specifically for breach reporting.

The online form can be used to submit a breach report, and any follow up information can be sent to us using the breach@oicjersey.org email address.

To view the form and relevant guidance on breach reporting, please click here.

 

UPDATE: Guidance and resources added to OIC website

As part of its programme of transition to the new GDPR era, the Office of the Information Commissioner has today added the first tranche of guidance, resources, and useful links to its website, together with all the new legislation applicable from 25th May this year.

We will of course be adding to this page over the coming months, so please keep an eye on any changes. In the meantime you can find the new materials here.

Notice of change of website and email addresses

Please be advised that with effect from Monday 9th April 2018, the website address for the Office of the Information Commissioner will change to www.OICJersey.org

In addition, the contact email addresses will be changing. These are detailed as follows:

General enquiries: enquiries@OICJersey.org

Breach reporting: breach@OICJersey.org

Careers: careers@OICJersey.org

Staff emails (Example): a.nother@OICJersey.org

Please be advised that any emails received at the dataci.org addresses will not be automatically forwarded. Instead you will be asked to re-send your email to the new address.

All telephone numbers for the OIC will remain unchanged.

We apologise for any inconvenience caused and respectfully request that you amend your contact list to reflect the above changes.

Thank you.

Chair appointed for new Data Protection Authority

Assistant Chief Minister, Senator Paul Routier MBE, has today announced his intention to appoint Mr. Jacob Kohnstamm as Chair of Jersey’s new Data Protection Authority.

Mr. Kohnstamm will advise the Authority as it prepares to regulate the Island’s updated data protection framework. He will also play an integral role in helping the Authority to develop new governance structures and in ensuring that Jersey continues to provide the highest level of protection for personal data.

Mr. Kohnstamm will act initially as Shadow Chair, and subsequently as Chair when Jersey’s new data protection laws come into effect on 25 May 2018. This is the same day that the General Data Protection Regulation comes into effect. Jersey’s new data protection laws will see the Office of the Information Commissioner replaced by the Data Protection Authority.

Mr. Kohnstamm has extensive experience in the area of data protection. He chaired the Dutch Data Protection Authority from 2004 to 2016; from 2010-2014 he chaired the Article 29 Working Party, an advisory body comprising the data protection regulators of all EU Member States; and he chaired the International Data Protection and Privacy Commissioners Conference from 2011 to 2014.

Senator Routier said: “We are delighted to have secured Mr. Kohnstamm to chair Jersey’s Authority. Mr. Kohnstamm has vast international experience at the highest levels of data protection regulation. His appointment reflects Jersey’s standing in this important field.”

Mr. Kohnstamm commented: “It is a great honour for me to serve both Jersey and the area of data protection in this new role. It is crucial that jurisdictions meet the required standards of data protection, as this provides the trust that individuals, civil society, government and private companies need to innovate and make full use of modern technology.”

The appointment of Mr. Kohnstamm is the latest step for Jersey’s data protection system, a key feature of which is the Island’s ‘adequacy’ with European Union standards. This status enables data to flow freely between Jersey and the European Union. At a recent meeting with the European Commission, officials re-confirmed that Jersey’s adequacy status would remain in force until 2020.

New data protection legislation registered

Following Privy Council approval, the Royal Court today registered new data protection legislation that will strengthen individuals’ rights and enable Island businesses to continue accessing international markets.

The Data Protection (Jersey) Law 2018 and Data Protection (Authority) Jersey Law 2018 will come into effect on 25 May 2018.

The new Laws will enable data to continue moving freely between Jersey and the European Union, benefitting trade and helping law enforcement agencies cooperate with their counterparts in other jurisdictions.

Earlier this year, the Laws were unanimously agreed by the States Assembly.

The Assistant Chief Minister, Senator Paul Routier M.B.E., said: “This is an important milestone for Jersey. The new data protection regime will bolster the rights of Islanders, ensure equivalence with the EU and further our standing as a trusted place to do business.”

It’s Data Protection day!

New consumer data protection law less than four months away

STRONGER protection for consumers when it comes to their personal data is now less than four months away from coming into force in Jersey.

With European Data Protection Day falling on Sunday 28th January, the Office of the Information Commissioner is urging people to become more familiar with their rights regarding how their data is handled when the new legislation comes into effect.

‘Jersey’s new Data Protection laws come into force on 25th May 2018, the same day as the new European General Data Protection Regulation (GDPR). They extend the rights of individuals, giving them more control over what happens to their personal information,’ said Deputy Information Commissioner Paul Vane.

Under the new rules, businesses will have to provide individuals with more information when it comes to personal data handling – including stronger rules around how businesses ensure individuals have consented to the use of such information.

‘With European Data Protection Day, it’s the perfect time to highlight these new laws that will benefit consumers. As well as long-standing rights of access to, and correction of personal information in specific cases, the new laws allow for the erasure of personal information in some circumstances, and the right to data portability,’ added Mr Vane.

GDPR, which also aims to harmonise compliance regulations for business, will be the biggest change to data protection across Europe in more than 20 years. More guidance for individuals and business will be added to the Commissioner’s website over the coming months. For more information, go to www.thinkgdpr.org

 

Career opportunities with the OIC

Following the approval of the new Data Protection Laws in the States Assembly last week, the Office of the Information Commissioner has today started work on growing its team by advertising two new positions.

For more details please take a look at our new Careers page.

States Assembly pass new Data Protection laws

The States Assembly yesterday unanimously approved the Draft Data Protection (Jersey) Law 201- and the Draft Data Protection Authority (Jersey) Law 201-

Chief Minister, Senator Ian Gorst said yesterday that he was “pleased that the States Assembly has approved new data protection laws that will help to strengthen individuals’ rights and ensure that Island businesses remain competitive”.

The new laws will now be referred to Privy Council for Royal Assent before being registered in the Royal Court. Both laws are due to be implemented on 25th May 2018. Links to both laws can be found below.

Draft Data Protection (Jersey) Law 201-

Draft Data Protection Authority (Jersey) Law 201-

Work continues to prepare the Channel Islands for new data protection legislation

WORK is continuing to prepare the Channel Islands for new data protection legislation which is due to come into force in 2018, says the islands’ independent data protection regulator.

Emma Martins said she and her pan-Island team were working hard to support both governments and businesses in the islands, recognising the potential economic benefits for those who engage with the opportunities created by the EU’s General Data Protection Regulation (GDPR).

Her comments come after it was announced by the States of Jersey and the States of Guernsey that the data protection commissioner will be leaving her post in March 2018. The governments also confirmed that the pan-Island role will end, with each island introducing their own dedicated data protection commissioner post at that time.

‘After the recent decision for the Islands to move away from a pan-island data protection regulator, we will continue to work hard to ensure the Islands are as prepared as possible for the new data protection legislation in May 2018,’ said Mrs Martins, who is the Data Protection Commissioner in Guernsey and the Information Commissioner in Jersey.

‘The decision is regrettable after the two islands have come such a long way together and in light of the significant work done in recent years to create a pan-island presence. To a certain degree, it reflects the fast evolving nature of the data economy.’

Important work to prepare the islands for GDPR will, however, continue to be carried out by Mrs Martins and her team.

‘These events should not and must not distract from the important work that lies ahead and on which industry and citizens are entitled to our complete focus and attention. There are very real economic opportunities for any jurisdiction that embraces those opportunities in an intelligent and enlightened way,’ added Mrs Martins.

Information Commissioner to leave her post

Below is a press release issued by the States of Jersey, reproduced from www.gov.je.

——————————————————————–

The pan-Island Information Commissioner has announced that she will be leaving her post in March 2018 after 14 years working for Jersey.

Emma Martins took on responsibilities for data protection in Jersey in 2004, and has provided professional leadership since then as the importance of data in our private and professional lives has grown significantly.

Since 2011 she has supported both Jersey and Guernsey, including preparing to implement new EU Data Protection Regulations.

Assistant Chief Minister, Senator Paul Routier, said “Data protection is essential for Islanders and businesses – now more than ever. Mrs Martins has played an important role in Jersey and I thank her and wish her all the very best for the future.”

Following an extensive consultation process, the new legislation in Jersey has recently been approved by the Council of Ministers for presentation to the States Assembly in December, in line with the agreed timetable.

Dedicated Jersey Commission

The States of Guernsey have decided that they would like to avoid a pan-Channel Island Information Commissioner managing two different sets of legislation and are intending to establish their own Information Commission. Jersey’s government will bring forward plans for a dedicated Jersey Information Commission to maintain a GDPR-equivalent regime and a properly resourced regulatory body.

Senator Routier continued “Jersey places the highest importance on data protection matters, and our new legislation will serve the needs of Islanders and businesses for the future. We will continue to work constructively with Guernsey on a wide range of matters, but as the importance of data will continue to grow, so it is right that we appoint a dedicated Jersey regulator to oversee our compliance with the new legislation.”

A recruitment process is now beginning to find a replacement for Mrs Martins. The new legislation in Jersey is expected to be in place in May, 2018.

Irish Data Protection Regulator questions transfer of Facebook data to US

The Irish High Court has asked the Court of Justice of the European Union (CJEU) for a preliminary ruling on whether or not the transfer of Facebook user data to Facebook Inc in the US is lawful. Facebook operates its international business via a separate company in Ireland called Facebook Ireland Ltd, which handles the data of 85% of all Facebook users outside the US and Canada.

The court agreed that the absence of effective remedies in the US may violate European fundamental rights under the European Charter of Fundamental Rights, when data is sent to the US under Standard Contractual Clauses (SCCs). European data protection law requires that data can only be transferred outside the EU if the personal data is “adequately protected”. This is in conflict with US law (FISA 702) which requires US companies (including Facebook Inc.) that are “electronic communication service providers” to hand over data, as and when required, to the US national security authorities.

The court found that the Irish Data Protection Commissioner has “well-founded concerns” that the SCC Decision by the European Commission (2010/87/EU) may be invalid. The court further found that the DPC may be able to suspend data flows under the SCCs in line with Article 4 of the SCC decision and Article 28 of Directive 95/46/EC.

The case is ongoing and further clarification in a second decision from the CJEU is awaited. The latest ruling can be found by clicking on the link below.

2017.10.04 – Irish DPA v Facebook Ireland.

International Conference of Data Protection and Privacy Commissioners

The 39th International Conference of Data Protection and Privacy Commissioners is currently underway in Hong Kong at which the Channel Island data protection authorities are represented.

The Conference, which seeks to provide leadership at international level in data protection and privacy, links more than a hundred privacy and data protection authorities and serves as a reminder of the global nature of the digital environment.

More information about the conference can be found here.

New UK Data Protection Bill introduced into the House of Lords

The UK Government yesterday introduced the new UK Data Protection Bill to the House of Lords which, if passed, will overhaul the current UK data protection regime.

In most respects the bill, which will come into force next May, will transfer the European Union’s General Data Protection Regulation into UK law. The legislation will also be maintained after Brexit.

Whilst the proposals impose much heavier fines on those who do not protect personal data, the government said it had negotiated “vital” exemptions to create a more “proportionate” regime for Britain.

The government had already unveiled other key provisions of the Data Protection Bill in August, including:

  • Making it simpler for people to withdraw consent for their personal data to be used
  • Letting people ask for data to be deleted
  • And making re-identifying people from anonymised or pseudonymised data a criminal offence

In addition, UK firms that suffer a serious data breach could be fined up to £17m or 4% of global turnover.

The current maximum fine firms can suffer for breaking data protection laws is £500,000.

To read the proposed UK Data Protection Bill in full, please click here.

Grand Chamber judgment Barbulescu v. Romania – monitoring of an employee’s electronic communications

The Grand Chamber of the European Court of Human Rights this week released its judgment that the monitoring of an employee’s electronic communications had amounted to a breach of his right to a private life.

The judgment (attached in full here) found that the individual had not been made aware, prior to its commencement, that his electronic communications would be monitored, nor of the nature and extent of the monitoring, which included the possibility of the employer seeing the full contents of such communications.

Government to strengthen UK data protection law

People to have more control over their personal data and be better protected in the digital age under new measures announced by Digital Minister Matt Hancock.

In a statement of intent the Government has committed to updating and strengthening data protection laws through a new Data Protection Bill. It will provide everyone with the confidence that their data will be managed securely and safely. Research shows that more than 80 per cent of people feel that they do not have complete control over their data online.

The full article from the UK Government website can be viewed here.

Shadow Chair for Data Protection Authority

The States of Jersey and Guernsey are recruiting a Shadow Chair for the Data Protection Supervisory Authorities of the Channel Islands. The Shadow Chair will help shape the way data protection is regulated in the Channel Islands, and will provide independent advice to the respective States, as well as to the Supervisory Authorities, on exercising their responsibilities under new data protection legislation. The Shadow Chair will be recruited from outside Jersey and Guernsey.

The full article can be found by following the link below:

http://www.gov.je/News/2017/Pages/DataProtectionAuthority.aspx

Statement regarding data breach by the Parish of St Helier

Jersey’s Information Commissioner Emma Martins said: ‘The Parish of St Helier informed my office of a data breach during the afternoon of Friday 14th July 2017. The breach related to an email sent to St Helier ratepayers in which the email addresses of all recipients were included, and therefore disclosed. It appears the recipients’ emails were erroneously entered into the ‘cc’ box rather than the ‘bcc’ box.

‘It is not mandatory for data controllers to report data breaches to my office under the current legal regime (Data Protection (Jersey) Law 2005). However, it will be mandatory from 2018 when new data protection legislation is due for implementation. As such, we welcome the proactive position taken in respect of this matter by the Parish of St Helier.’

She added: ‘The Office of the Information Commissioner has received a number of complaints and enquiries relating to this incident. We will now seek further, detailed information from the Parish of St Helier to better understand how the incident happened and the steps they now propose to take. While this investigation remains ongoing, it would be inappropriate to comment further at this stage.’

GDPR: One year to go

WITH one year to go until the General Data Protection Regulation (GDPR) comes into force across the European Union (EU) on 25th May 2018, the Office of the Information Commissioner and Data Protection Commissioner is today launching a website, which will contain advice and guidance to help island businesses get to grips with the new legislation.

‘With one year to go I’m delighted that industry is talking about GDPR. I’ve spoken at dozens and dozens of briefings, seminars and other events over the past few months and am pleased to say that GDPR is certainly on the radar of the businesses I have spoken with – awareness is far greater than it was even six months ago,’ said Emma Martins, Data Protection Commissioner / Information Commissioner.

‘With 365 days to go we have launched a microsite which will become a useful portal for businesses looking for guidance. I urge islanders to keep an eye on this as we will be uploading information as it becomes available. I also want to give reassurance to businesses that GDPR is not a revolution, it’s an evolution of current data legislation, so if you’re compliant currently, you have a great base from which to work.

‘Local legislation is currently being drafted and both Jersey and Guernsey’s governments have committed to a harmonised approach to this,’ added Mrs Martins. ‘When this legislation is finalised we can then start to develop more detailed guidance. To date every island business has been sent general guidance on GDPR but we know we’ve got work to do to make sure businesses have access to specific guidance. We are working very hard behind the scenes to make sure that our office is ready for the changes.’

In order to be prepared, businesses can begin by ensuring they have a detailed understanding of the data they hold and how they process it. This underpins the accountability aspect of GDPR. Any effective data governance strategy has to begin with a comprehensive data audit, which can be carried out by answering the following key questions:

  • What personal data do you hold? Do you hold any special category data?
  • Where is it from and where is it sent?
  • Why is it processed? For what purpose?
  • How is the processing lawful and fair? Which of the conditions is met? Have you provided individuals with details about the processing of their data, including reference to the rights they have?

When it comes into force, the General Data Protection Regulation (GDPR) aims to strengthen data protection rights for individuals and harmonise compliance requirements for businesses. GDPR is set to be the largest change to the protection of personal data across Europe since the implementation, in 1995, of the EU Data Protection Directive, which is currently in force. At that time, and in response to the transfer controls on data exported from the EU, the Channel Islands implemented the Data Protection (Bailiwick of Guernsey) Law, 2001 and the Data Protection (Jersey) Law 2005 which ensured the continued free flow of data to the islands.

The Regulation will be overseen by the European Parliament, the European Council and the European Commission. The governments of Jersey and Guernsey, together with the Channel Islands Brussels Office, are working with the Commission, as well as key stakeholders, to ensure the islands are prepared for the changes and businesses are aware of their responsibilities and have time to prepare.

For more information, businesses can go to www.thinkgdpr.org

States systems unharmed by ransomware attack

The States of Jersey have released an official statement following last weekend’s large-scale ransomware attack. The statement talks about what local government has done to protect its own systems, as well as providing advice to Jersey residents on what they can do to protect themselves.

The full statement can be read by clicking here.

Channel Islands represented at Spring conference of European Data Protection Authorities

Representatives of European Data Protection Authorities are meeting in Cyprus this week for the annual European Spring Conference.

The Channel Islands are attending the event which features valuable GDPR preparation discussions together with sessions dedicated to cloud computing, law enforcement and genetics.

With only one year to go until GDPR implementation, opportunities such as these are vital for developing knowledge and for sharing thoughts, concerns and practice about the future of Data Protection regulation, all of which are of significant benefit not only to the attending regulatory authorities, but also to businesses across the Channel Islands.

For more details about this year’s conference programme and discussions, please click on the link below:

http://www.coe.int/en/web/human-rights-rule-of-law/-/spring-conference-of-european-data-protection-authorities-annual-occasion-to-enhance-cooperation

Jersey can benefit economically by becoming a ‘centre of excellence’ but more resources will be needed

JERSEY can reap major economic benefits by becoming a ‘centre of excellence’, says the island’s Information Commissioner.

Emma Martins says new data protection laws offer positive opportunities, but that the private and public sectors need to ensure appropriate allocation of resources to ensure they are prepared for the legislation.

The General Data Protection Regulation (GDPR) is due to come into force in May 2018 in Jersey and Guernsey. It will update data protection rights for the internet and digital age, controlling how governments and businesses process individuals’ information. It will also mean that businesses don’t face significantly different compliance rules if they are conducting business locally and across the European Union (EU).

Mrs Martins, who recently spoke at a Jersey Chamber of Commerce event on GDPR, said: ‘Data is ever more valuable economically and socially. Businesses are using data in innovative ways, while individuals use it for communications as well as to buy goods and services.

‘How that data is handled and protected is more important than ever. Being seen as a well-regulated, safe jurisdiction for data is crucial – especially when you consider the important role of the financial services sector and the growing digital industry.

‘There is no reason why Jersey, and the Channel Islands, cannot become a centre of excellence for data and benefit from all the economic advantages that come from that. The GDPR is an opportunity to develop a high professional standard in data protection compliance.’

Mrs Martins, who holds the role of Information Commissioner in Jersey (with responsibility for regulating Data Protection and Freedom of Information legislation) and Data Protection Commissioner in Guernsey, stressed the need for action from the private and public sector in relation to GDPR.

‘Businesses need to be ready for the new legislation and devote more resources to meet the requirements and the opportunities. The public sector also needs to be similarly prepared. The Office of the Information Commissioner is supporting both the private sector and the authorities, and a government review is underway looking at how this office can resource this work going forward,’ said Mrs Martins.

Data Protection qualifications for six States of Jersey staff members

Five States of Jersey employees, along with a member of staff from Ports of Jersey, have recently passed the Practitioner Certificate in Data Protection qualification, which means they are now fully up-to-date with the requirements of the European Data Protection Directive and the Data Protection (Jersey) Law 2005.

Julie Hinault (Taxes Office), Karen Wellman (Social Security), Andy Cousins (States of Jersey Police), Tracey Fullerton (Health and Social Services), Susie Gomes (Economic Development, Tourism, Sport and Culture) and Claire Brown (Ports of Jersey) had to complete five days of training and pass an exam to qualify.

The Practitioner Certificate (PC.dp) is the practical qualification for those who work in the fields of data protection and privacy. Those holding the qualification will be instrumental in the practical implementation of the new General Data Protection Regulation (GDPR) which comes into force on 25 May 2018.

Governance Officer for Social Security, Karen Wellman, said, “It has been a good experience to spend time with colleagues from different departments working in this area, so as well as now being formally qualified, I have also gained a good network of like-minded people with whom I can liaise. I would recommend the course, and with the introduction of GDPR, think that this is important to ensure confidence with compliance in this very important area for all businesses.”

The Commissioner extends her congratulations to all of them, who join Colin Renouf from States of Jersey Police and Mel Pardoe from Education, who already hold this qualification.

Personal data vulnerable to cyber attack

The annual assessment of the biggest cyber threats to UK businesses has been published today, after being produced jointly for the first time by the National Crime Agency (NCA), National Cyber Security Centre (NCSC) and industry partners from multiple sectors.

The report emphasises the need for increased collaboration between industry, government and law enforcement in the face of a growing and fast-changing threat, and discusses the trend of criminals imitating the way suspected nation state actors attack organisations such as financial institutions, and the risk posed by the ever-increasing number of connected devices, many of which are not always made secure by manufacturers or users.

The report notes the cyber security challenges faced by businesses and urges them to report all cyber crime to ensure the UK has an accurate intelligence picture. It also highlights the resources available to companies of all sizes, particularly the large firms which often present the most attractive targets for attackers.

The report will be presented at the NCSC’s Cyber UK Conference in Liverpool, today (14 March). For further details and to see the full report, click here.

Channel Island delegation updates European Commission on its commitment to new data protection regime

THE European Commission has pledged to further strengthen relations with Jersey and Guernsey on data privacy and protection.

The islands are among the small group of non-EU countries that are the subject of an ‘adequacy decision’ by the Commission, which is an official certification that the islands meet essentially equivalent data protection standards to those applying in the EU.

At a recent meeting in Brussels, a pan-Channel Island delegation updated the Commission on legislative, regulatory and policy developments since our original adequacy decisions were adopted and explained the efforts being made in both Bailiwicks to implement the GDPR and the new directive.

‘Much work has been done in recent months across the Channel Islands to ensure we are strongly positioned to respond to the impending reform of data protection regulation. The visit by representatives of the islands and this office was a significant step for us all,’ said Emma Martins, Jersey’s Information Commissioner.

‘Maintaining the islands’ reputation as a well-regulated jurisdiction, in respect of data protection, is more important than ever. Ensuring the Channel Islands provide a robust framework of protection for personal data is vital not only for established businesses, as when done well it is also fundamental for economic growth and innovation in this digital era.

‘I am delighted that both the States of Jersey and the States of Guernsey have committed to high quality legislative reform for the islands and my team and I are equally committed to delivering a meaningful and effective regulatory regime.’

In May 2018 a new data protection regime will come into force in the EU – the General Data Protection Regulation (GDPR) together with the Law Enforcement Directive, which applies a similar regime to exchanges of personal data between law enforcement authorities. Jersey and Guernsey have committed to implementing into domestic law, by May 2018, essentially equivalent provisions to the GDPR and the new Law Enforcement Directive.

Senator Paul Routier, assistant minister, Chief Minister’s Department, Jersey, added: ‘Ensuring that we are ready for the EU’s new data protection regime next year is important for Jersey’s continued access to European markets. I was therefore pleased that officials were able to update the Commission on the good progress that is being made in Jersey and Guernsey to implement this new regime, and I was particularly encouraged to learn that the Commission is committed to ensuring the continuity of the Islands’ adequacy findings in respect of data protection.

‘This project is an excellent example of pan-Island cooperation and I will be supporting efforts to further strengthen our relations in the area of data privacy and data protection.’

Sir Tim Berners-Lee: “We’ve lost control of our personal data”.

As the world wide web celebrates its 28th birthday, founder and web inventor Sir Tim Berners-Lee explains how the internet has developed, and voices his concerns about recent trends that he believes need to be tackled immediately for the internet to fulfil its true potential.

One of those concerns is the loss of control of our personal data, and how many consumers seem happy to give away their personal information in exchange for services without realising that their information will be shared with other companies. In his open letter on his Web Foundation website, Mr Berners-Lee makes some suggestions as to how we can regain some of that control.

Click here to see the full letter.

Governments urged to be more proactive about making information public

TRANSPARENCY and open government is more important than ever in what has been called a ‘post truth’ age of information rights.

At a recent meeting for national and regional Freedom of Information Commissioners and Ombudsmen held in Berlin, delegates – including Emma Martins, head of the Channel Island Data Protection regulator – were told about the importance of government being more proactive about making information public.

Much of the discussion during the meeting centred on government taking the initiative and being more proactive about making information public. Graham Smith from the EU Ombudsman talked about the work of his office in encouraging wider access and the easier exercising of rights together with the promotion of good administrative practices, where decisions are taken as openly and as close to the citizen as possible.

Attending in her capacity as Jersey’s Information Commissioner charged with regulation of the Freedom of Information (Jersey) Law 2011, Mrs Martins said: ‘Openness contributes to the strengthening of principles of democracy and respect for fundamental rights, and the right of access to documents is only one small part of accountability and showing transparency.

‘Many jurisdictions across Europe have adopted Freedom of Information legislation, with Jersey implementing its own Law in 2015. The Bailiwick of Guernsey does not have legislation in place; however, it does have a code of practice for access to government information, underpinned by the core principles of a presumption of disclosure; a corporate approach; a culture of openness; proactive publication; and effective records management.

‘The overarching message arising from the meeting was that a strong information access regime can only be fully effective if supported by mediators acting between the state and its citizens, and in a resolution agreed by the participants, governments have been called upon to enforce freedom of information and strengthen those charged with oversight of those laws.’

The Berlin meeting was the first of this group with the main purpose being to provide a forum for international cooperation between regulatory authorities and Ombudsmen across Europe and the Crown Dependencies.

The full resolution can be found by clicking on the link below. For further information, please contact the Office of the Information Commissioner at enquiries@dataci.org.

2017 Resolution

Law drafting instructions for new legislation and repeal of Data Protection (Jersey) Law 2005

The Assistant Chief Minister has approved instructions to the Law Draftsman to repeal the Data Protection (Jersey) Law 2005 and to prepare new legislation that will replace it and set out the new powers, functions and funding arrangements for the regulator.

The full ministerial decision can be found by clicking the link below:

https://www.gov.je/Government/PlanningPerformance/Pages/MinisterialDecisions.aspx?docid=639669CD-AB2C-4489-AC30-8DDBFC153CFE

The Office of the Information Commissioner (OIC) welcomes Jersey’s new Cyber Security Strategy

With data at the heart of so much economic and social activity in the Island, the security of that data is vitally important in both a professional and personal capacity.

The major reform of data protection legislation due in early 2018 is, to a significant degree, prompted by the new risks posed to individuals in this digital era. If Jersey is to respond to those risks, an effective and responsive cyber security strategy is an essential element of data protection and must form part of the broader Island data strategy.

‘Whilst it is important for all of us to be aware of the risks, government has a major role to play in ensuring there is a robust policy and a legal and technical framework underpinning digital activity,’ said information commissioner Emma Martins.

‘We have seen high profile security breaches in recent years and it is a problem that is only going to increase. Not only do breaches pose very real risks to individuals whose data have been compromised, it also affects the reputation of the organisation and the jurisdiction where the organisation is based. This is why it is so important for government and business to work together and the OIC welcomes the Cyber Security strategy report and consultation.

‘For a jurisdiction to benefit from the huge opportunities the digital era presents for government, business and individuals, we need to ensure we have the tools to respond. This is no longer the sole domain of just IT staff. Digital security is the responsibility of us all, and needs engagement at every level of society so I would urge Islanders to respond, both in a personal and professional capacity. Data security must now be on every board agenda, risk register and education programme,’ added Mrs Martins.

The States of Jersey’s consultation paper can be found at https://www.gov.je/Government/Consultations/Pages/Cyber-Security-Strategy.aspx.

Data Protection Reform highlighted as key priority for States of Jersey in new Digital Policy Framework

The States of Jersey have published their Digital Policy Framework; a document that outlines the six core long-term objectives that will determine the approach to digital policy for the next decade.

Data Protection is one of those core objectives and the document outlines their aims underpinned by principles covering how policy will be developed to achieve these aims.

More detail can be found at the Digital Policy Framework webpage.

Data Protection Day: Businesses urged to prepare for major overhaul of data protection law due in 2018

As part of International Data Protection Day on 28th January, the Office of the Information Commissioner and Data Protection Commissioner is calling on all businesses in the Channel Islands to ensure they make themselves aware of impending legislative changes that will have significant ramifications for the way that they handle all personal data.

When it comes into force across the European Union (EU) from May 2018, the General Data Protection Regulation (GDPR) aims to strengthen data protection rights for individuals and harmonise compliance requirements for businesses.

GDPR is set to be the largest change to the protection of personal data across Europe since implementation in 1995 of the EU Data Protection Directive which is currently in force. At that time, and in response to the transfer controls on data exported from the EU, the Channel Islands implemented the Data Protection (Bailiwick of Guernsey) Law, 2001 and the Data Protection (Jersey) Law 2005 which ensured the continued free flow of data to the Islands.

The Regulation will be overseen by the European Parliament, the European Council and the European Commission. The governments of Jersey and Guernsey, together with the Channel Islands Brussels Office, are working with the Commission as well as key stakeholders, to ensure the Islands are prepared for the changes and businesses are aware of their responsibilities and have time to prepare.

The Commissioner is using Data Protection Day, an international day designed to raise awareness and promote privacy and data protection best practices, to start the public conversation about GDPR and its implications.

Emma Martins, head of the Channel Island Data Protection regulator, said, ‘The introduction of GDPR will be transformative for how businesses handle personal data; we are on the verge of huge change in data regulation. To support businesses of all sizes, we will be preparing information and guidance as the law drafting progresses throughout 2017 and are committed to continuing this conversation with businesses.

‘I cannot over emphasise the importance of being prepared for this legislation. I particularly want to stress this to the Islands’ small to medium sized business communities who may not have access to the legal or compliance expertise and resources available to larger organisations. The new regulations are certainly going to up the game in terms of compliance obligations and there is much greater accountability for data controllers and processors. Wherever personal data is involved, whether that is staff, client or any other information relating to individuals, data protection compliance will have to be considered and built in at the beginning of the process and to a more significant and demonstrable degree.’

Mrs Martins is also clear that GDPR is extremely important for individuals: ‘Whilst this is important for the Channel Islands in that it will ensure we remain a trusted jurisdiction with no restriction on data flows, its importance for all of us in a personal context should not be underestimated. We live in an era where a vast amount of our personal information is being collected and used in ways unimaginable only a few years ago. What happens to that data is a deeply serious question and effective regulation plays a significant part in ensuring we all have the rights we are entitled to and have come to expect living in a democracy.’

Both governments have committed to GDPR being incorporated into local law with the intention of being ready for implementation for May 2018.

‘I have had extremely positive meetings with senior representatives from the States of Jersey and States of Guernsey, both of which are committed to ensuring the Islands are fully compliant with GDPR. In anticipation, we have begun a comprehensive review of the Commission’s structure and resources to ensure we are in a strong position to support businesses at this time,’ added Mrs Martins.

Data Protection Day is aimed at individuals, families, consumers and business and encourages people to consider the importance of protecting their personal information online.

For further information about GDPR, please visit the bespoke GDPR section of our website: http://oicjersey.org/gdpr/

UK Children’s Commissioner publishes report on children’s interaction with social media providers

The UK Children’s Commissioner has called for greater representation after a recent study found half of eight- to 11-year-olds have agreed opaque T&Cs with social media firms.

Children are being left to fend for themselves in the digital world, regularly signing over rights to their private messages and pictures unknowingly and with scant advice from parents or schools, according to the commissioner.

Almost half of eight- to 11-year-olds have agreed impenetrable terms and conditions to give social media giants such as Facebook and Instagram control over their data, without any accountability, according to the commissioner’s Growing Up Digital taskforce.

The year-long study found children regularly signed up to terms including waiving privacy rights and allowing the content they posted to be sold around the world, without reading or understanding their implications.

The full report can be found by clicking here.

CJEU issues important ruling on data retention

An important ruling was issued yesterday by the Court of Justice of the European Union (CJEU) on two joined cases, one from Sweden and one from the UK. In a 2014 ruling, the CJEU declared the 2006 EU Data Retention Directive invalid on the grounds that the general obligation to retain communications and location data imposed by that directive went beyond what was strictly necessary for its purposes and was in breach of citizens’ rights with respect to privacy and the protection of personal data. Following that judgment, two references were made to the CJEU in relation to the general obligation imposed in Sweden and in the UK on providers of electronic communications services to retain similar data to that which had been required to be retained in the EU Directive. The case in the UK concerned the UK Data Retention and Investigative Powers Act (DRIPA). The case was referred to the CJEU by the UK Court of Appeal for clarification on whether an EU ruling which prohibits indiscriminate data retention has to be respected in domestic law. Yesterday’s ruling says that indeed it should be. The matter will now revert back to the UK Court of Appeal.

The ruling and CJEU’s press release can be accessed by clicking on the below link.

http://curia.europa.eu/jcms/upload/docs/application/pdf/2016-12/cp160145en.pdf

Freedom of Information Law Appeal – Decision Notice issued

The Information Commissioner (‘the Commissioner’) has ruled that the Chief Minister’s Department will have to make further disclosure connected to a request under the Freedom of Information (Jersey) Law 2011 (‘the Law’) made by the applicant for all emails between members of the then Council of Ministers in the month of October, 2014.

In its initial response to the applicant’s request, the Chief Minister’s Department, as the ‘scheduled public authority’ under the Law (‘the SPA’), provided the applicant with a number of emails, some of which were fully or partly redacted (the SPA relying on a number of exemptions under the Law). The applicant subsequently appealed to the Information Commissioner under Article 46 of the Law, seeking a review of the SPA’s decision to rely on certain of those exemptions, details of which are contained within the Commissioner’s Decision Notice.

Following enquiry it is the Commissioner’s decision that ‘whilst the SPA is entitled to rely on some of these exemptions to withhold certain of the emails (or parts thereof), some of the exemptions are not engaged and thus the SPA must disclose such information in order to comply with the legislation.’ The Commissioner therefore finds that ‘The complaint is therefore partly upheld.’

The Decision Notice requires the SPA to make certain further disclosures within 35 calendar days of the date of the notice.

In making this finding the Commissioner also records, within the appendix to the Decision Notice, that a significant number of emails which were subject of the request were appropriately fully or partly redacted and in accordance with exemptions under the Law.

Anyone can apply for information held by a “scheduled public authority” (States departments, parishes, police and judicial bodies) under the law, which states that information held by a scheduled public authority must be disclosed on request unless it meets specific exemption criteria set out in the Law.
The legislation provides a two-stage appeal process, firstly to the authority that holds the information, and secondly to the independent Commissioner.

(To view the full Decision Notice – Select the ‘Freedom of Information’ tab on the above menu and then select ‘Decision Notices’ on the following page.)

In light of Article 47 of the Law, which allows for appeal to the Royal Court against a decision of the Information Commissioner, no further comment will be made at this time.

Notes
The Information Commissioner has responsibility for promoting and enforcing the Data Protection (Jersey) Law 2005 (DPL) and the Freedom of Information (Jersey) Law 2011 (FOIL). She is Jersey’s independent authority tasked with upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Information Commissioner does this by providing guidance to individuals and organisations, solving problems where she can and taking appropriate action where the law is broken.

UK halts Facebook’s WhatsApp data dip

Facebook has been told it must not use data gathered from UK members of its WhatsApp messaging app to target ads on its core social network.

The UK’s Information Commissioner said she did not believe the firm had obtained valid consent for the move and added that people must be given “ongoing control” over their data.

Elizabeth Denham said that Facebook had agreed to “pause” its rollout but had not met all her demands.

Facebook has yet to publicly comment.

For the full report, please click on the link below:

http://www.bbc.co.uk/news/technology-37896935

How the UK ICO will be supporting the implementation of the GDPR

The UK government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR). The Secretary of State Karen Bradley MP used her appearance before the Culture, Media and Sports Select Committee to say:

“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

For more information, please click on the link below:

https://iconewsblog.wordpress.com/2016/10/31/how-the-ico-will-be-supporting-the-implementation-of-the-gdpr/

Bermuda adopts Informational Privacy Legislation

The Personal Information Protection Act 2016 (PIPA) which received Royal Assent on July 27, 2016, will provide Bermuda’s residents with a general right to privacy for personal information, which is based on a common set of international privacy principles. The PIPA applies to all organisations, including businesses and the Government, that use personal information in Bermuda.

The Data Protection regulators of the Channel Islands and the Isle of Man worked closely with the Bermuda authorities during the implementation process, providing advice and support throughout.

For further details, please follow the link below.

https://www.gov.bm/articles/bermuda-adopts-informational-privacy-legislation

Positive ruling in Microsoft’s European-Based Data Case

A US Court of Appeal has overturned the ruling of a lower US court by stating that the US Government cannot force Microsoft to provide access to data held on servers outside America.  The case related to personal data held on Microsoft’s servers in Ireland that the US Department of Justice had sought access to.

Further information regarding this verdict can be found here.

European Commission Formally Adopts EU-US Privacy Shield

The European Commission has now formally adopted the EU-US Privacy Shield that replaces the former ‘Safe Harbour’ data transfer arrangements that were declared invalid by the European Court of Justice in late 2015. Further information about the adoption of this new regime can be found here.

EU Member States Approve Privacy Shield

The scheme designed to replace the EU-US Safe Harbour transfer arrangements has been approved by the EU Member States, paving the way for formal adoption by the European Commission – expected later this week.

For more information click here

BIDPA Meeting Focuses on GDPR

The annual meeting of the British, Irish and Islands Data Protection Authorities is being held in Malta today with the Channel Islands in attendance. As can be expected following the recent granting of approval by the EU, the main topic of discussion will be the GDPR and how data protection authorities can embrace the inevitable changes to their existing regulatory regimes whilst promoting the enhanced rights for individuals.

This is also the final BIDPA for the outgoing UK Information Commissioner, Christopher Graham, and the Channel Islands DPAs send their best wishes to him for whatever may lie ahead.

European Spring Conference – 2016

Last week the Channel Islands were represented at the Data Protection Authorities’ European Spring Conference, held in Budapest.

The Conference covered topics such as practical implications for regulators and others in light of the GDPR and the modernisation of data protection around the world and welcomed new members to its midst, including the Gibraltar Regulatory Authority and The Commissioner of the Canton Basel-Stadt.

The Conference also said goodbye to two long-serving members.  Jacob Kohnstamm from the Dutch DPA and Christopher Graham, the UK Information Commissioner, will be heading to pastures new and provided the gathering with their memories of the evolution of data protection and their hopes for its future.

More information on the resolutions and reports of the Conference can be found at http://www.naih.hu/budapest-springconf/index.html

Decision Notice 202-03-62556 Request for disclosure of report on Esplanade Quarter Development

First Freedom of Information Appeal Decision issued

The Information Commissioner has ruled that the States do not have to disclose a 2009 report into the financial implications of the Jersey International Finance Centre development under the Island’s Freedom of Information legislation.

In the first determination of an appeal to the Commissioner under the Freedom of Information (Jersey) Law 2011, she has ruled that the Treasury and Resources department was justified in four of five exemptions that it cited in refusing to disclose the King Sturge/Currie and Brown/Trowers & Hamlin report.

The application under the FoI Law was the first to reach the final appeal stage since the Law was brought into force at the start of 2015.

Anyone can apply for information held by a “scheduled public authority” (States departments, parishes, police and judicial bodies) under the law, which states that information held by a scheduled public authority must be disclosed on request unless it meets specific exemption criteria set out in the Law.

The legislation provides a two-stage appeal process, firstly to the authority that holds the information, and secondly to the independent Commissioner.

The Commissioner, Emma Martins, has today ruled that in the case of the application for the King Sturge Report, the department was justified in citing exemptions covering “information supplied in confidence”, “prejudice to commercial interests”, “prejudice to the economy” and “prejudice to the formulation and development of government policy”.

She also ruled that the Treasury department incorrectly applied an exemption covering “vexatious requests”, which was not justified.

(To view the full Decision Notice – Select the ‘Freedom of Information’ tab on the above menu and then select ‘Decision Notices’ on the following page.)

Publication of the General Data Protection Regulation

The General Data Protection Regulation (GDPR) has now been published in the Official Journal. The publication was on 4th May 2016, meaning the GDPR will enter into force on 24th May 2016, and provisions will be directly applicable from 25th May 2018. Organisations across Europe now have two years to prepare for the changes. Third countries like the Channel Islands who currently have adequacy status will need to wait a little longer for full details of that process to emerge. Early indications are that implementation of new legislation across the Islands will coincide with the 25th May 2018 date and work continues to secure the necessary political direction. All organisations, especially those with EU clients, would be well advised to start considering the impact of GDPR and how their compliance models may need to adapt. You can find our 10 steps to GDPR compliance here and a link to the full text here.

WP29 requests improvements to EU-US Privacy Shield

Following the publication by the European Commission of the draft adequacy decision on the EU-U.S. Privacy Shield and related documents, the Article 29 Working Party has conducted its assessment in light of the applicable EU data protection legal framework as set out in Directive 95/46/EC, as well as the fundamental rights to private life and data protection as enshrined in Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the Charter of Fundamental rights of the European Union.

The full statement from WP29 is attached below:

2016.04.19 – Statement of WP29 on EU US Privacy Shield

Data protection reform – Parliament approves new rules fit for the digital era

New EU data protection rules which aim to give citizens back control of their personal data and create a high, uniform level of data protection across the EU fit for the digital era were given their final approval by MEPs on Thursday. The reform also sets minimum standards on use of data for policing and judicial purposes.

For the full article, please click on the link below:

http://www.europarl.europa.eu/news/en/news-room/20160407IPR21776/Data-protection-reform-Parliament-approves-new-rules-fit-for-the-digital-era

Data protection reform: Council adopts position at first reading

On 8 April 2016, the Council adopted its position at first reading on data protection reform, which paves the way for the final adoption of the legislative package by the European Parliament at its plenary session in April.

This formal adoption comes after the compromise agreed with the European Parliament in December 2015.

Following this adoption, the Dutch minister for Justice, Ard Van der Steur said: “I have the commitment from the European Parliament that this will allow a vote on both the data protection package and the PNR Directive in April. The Brussels attacks of 22 March have once again underlined the urgency of the adoption of the PNR Directive.”

For more information, please click on the link below:

http://www.consilium.europa.eu/en/press/press-releases/2016/04/08-data-protection-reform-first-reading/

Jersey and Guernsey face significant impact from EU Data Protection reforms

Sweeping changes to European privacy and Data Protection legislation will have a significant impact on the Channel Islands, says the head of the CI Data Protection regulator.

Emma Martins has warned that the authorities will need to prioritise reform of existing laws and practices, and that businesses must be ready for the impact of the changes which are expected to take effect from 2018.

And she has warned that delays or failure to adequately prioritise and resource the work could have a seriously detrimental effect on the financial and digital sectors, which rely on seamless flows of information across jurisdictions.

The new legislation, in the form of the General Data Protection Regulation (GDPR), focuses on giving members of the public stronger rights in terms of the way that governments and businesses process their information, including:

  • New limits on how your personal information can be used (or “processed”) or shared with others by government departments or companies.
  • New protection for young people under 16, allowing for parental consent for their personal information to be processed.
  • New rights for people to demand the erasure of their personal information, restrict the use of personal information and to data portability.
  • A new requirement for “public bodies” and certain private sector organisations to have qualified Data Protection officers, with legal protection for those officers.
  • Fines of up to 20 million euro – almost £16 million – or 4% of global annual turnover for serious contraventions of the rules.

Mrs Martins holds the role of Information Commissioner in Jersey (with responsibility for regulating Data Protection and Freedom of Information legislation) and Data Protection Commissioner in Guernsey.

She says that with such a clear potential impact on the financial services and burgeoning digital sectors in both Islands, it is imperative that politicians and governments recognise the importance of the reforms, and that they sufficiently prioritise the work here in the Islands.

If no new resources are put into this area, she says that meaningful action will be “extremely challenging” and the Channel Islands will be left behind in an era of global changes in the way data now underpins innovation, economic growth and consumer rights.

She said: “If Jersey and Guernsey are to respond in a timely manner to these developments, ensuring the continued high standards of protection for data whilst remaining a competitive and attractive jurisdiction for processing activities, then we need to progress with the significant task of reviewing the requirements, drafting new legislation and supporting business in getting compliance right.”

“These matters sit against a backdrop of budgetary pressures for all areas of government and the Islands need to decide on a clear pathway based on proper assessment of the opportunities and risks associated with both action and inaction.”

“Even if the Channel Islands do not update their own legislation, the extra-territorial nature of the GDPR will mean that businesses which hold data relating to EU citizens are going to have to comply with the requirements so need to start preparing now.

“Whilst it is clear that the GDPR will have a significant impact on all businesses, those who are taking their current legal obligations in respect of data protection seriously will be at a distinct advantage.”

Note – we have launched a new section on our website that will provide further information about the GDPR.

Jersey and Guernsey join international GPEN network

Jersey and Guernsey have joined an international network of enforcement agencies set up to share knowledge, practical experience and dialogue about issues relating to privacy and the flow of data between jurisdictions.

The islands have joined the Global Privacy Enforcement Network (GPEN) through the Office of the Information Commissioner in Jersey, and the Office of the Data Protection Commissioner in Guernsey.

The islands are by some way the smallest members of the network in geographic and population terms – other members include the US, the UK, the EU, Korea and Germany. But having successfully applied for membership to the existing members, Data Protection regulators in the islands will have access to a global network of expertise and practical experience.

With so much commercial activity within Jersey and Guernsey dependent on the seamless flow of personal information across borders, the relationship between regulators, legislation and enforcement agencies is increasingly important.

GPEN was created to strengthen personal privacy protections in this global context by assisting public authorities with responsibilities for enforcing domestic privacy laws to strengthen their capacities for cross-border co-operation. The role of the network is to connect privacy enforcement authorities from around the world to promote and support co-operation in cross-border enforcement of laws protecting privacy.

It primarily seeks to promote cooperation by:

  • Exchanging information about relevant issues, trends and experiences.
  • Encouraging training opportunities and sharing of enforcement know-how, expertise and good practice.
  • Promoting dialogue with organizations having a role in privacy enforcement.
  • Creating, maintaining and supporting processes or mechanisms useful to bilateral or multilateral cooperation.
  • Undertaking or supporting specific activities.

GPEN seeks to be an inclusive cooperation network, open to any public privacy enforcement authority that: (1) is responsible for enforcing laws or regulations the enforcement of which has the effect of protecting personal data; and (2) has powers to conduct investigations or pursue enforcement proceedings.

Having successfully applied to the existing participants through the GPEN Committee, the Channel Islands are now participants of GPEN. Whilst this does not create any new legally binding obligations for the Islands, the co-operation serves to strengthen our approach on enforcement which is increasingly global in nature.

Emma Martins – who serves as Information Commissioner in Jersey and as Data Protection Commissioner in Guernsey – said that membership of the network was an important step for the islands.

“So much business that is done in the islands both in terms of financial services and the digital sector is dependent on the proper flow of information across borders,” she said.

“Changes in one jurisdiction can have implications for others on the other side of the world, and that’s why early engagement and understanding with other regulators is critical to us.

“Membership of GPEN will also enable us to benefit from practical experience and intelligence about developing trends and issues in terms of privacy and information.”

Restoring trust in transatlantic data flows

The European Commission yesterday issued a Communication summarising the actions taken to restore trust in transatlantic data flows since the 2013 surveillance revelations.

The European Commission has finalised the reform of EU Data protection rules, which apply to all companies providing services on the EU market. The Commission negotiated the EU-U.S. Umbrella Agreement ensuring high data protection standards for data transfers across the Atlantic for law enforcement purposes. The Commission achieved a renewed sound framework for commercial data exchange: the EU-U.S. Privacy Shield.

The Commission also published a draft “adequacy decision” as well as the texts that will constitute the EU-U.S. Privacy Shield. This includes the Privacy Shield Principles companies have to abide by. Moreover, the Commission makes public the U.S. Government’s written commitments on the enforcement of the arrangement.

The written commitments will be published in the U.S. Federal Register and include assurance on the safeguards and limitations concerning public authorities’ access to data.

Further information can be found by following the link below:

http://ec.europa.eu/justice/newsroom/data-protection/news/160229_en.htm

U.S. and Europe Fail to Meet Deadline for Data Transfer Deal

European and American officials have failed to reach an agreement as to how data could be transferred between the two regions.  Focus now turns to the European data protection regulators who will announce their judgement on Wednesday.

For more information, click here (link courtesy of the New York Times)

“Let’s help young people understand e-safety” – Data Protection Day Message

For Data Protection Day, on 28 January 2016, the Data Protection Authorities of the Channel Islands are encouraging people to think about their online footprint and how to use technology to the full while maintaining control of their personal data.

With technology becoming a greater part of a young person’s life than ever before, the Commissioner is supporting the efforts across the Channel Islands to engage with children and young people on the subject of safe internet use, in the run-up to Safer Internet Day on 9 February 2016.

The Data Protection Offices are now members of the committees across the islands that together seek to keep up to date with e-safety issues and promote awareness through schools and the wider community, and are pleased to support the work being done by them.

In Guernsey, the Online Safety Committee is building on previous Safer Internet Day events by hosting the inaugural Digital ACE event at Beau Sejour on Saturday 6 February.  With ACE standing for Aspire, Create, Empower, this event is about providing young people with an environment that can feed and support their Aspirations, provide the inspiration and tools to Create new things and Empower people to learn, discover and be safe in our digital world.  As well as the chance to experience offerings from a number of exhibitors, experts will be delivering sessions around being safe and secure online, online gaming and what parents need to know about how children and young people interact with technology and the risks that that brings.  Further details can be found at http://lanyard.com/2016/digitalace/

In Jersey, the Education department is using Safer Internet Day as the opportunity to launch their new multi-agency E-Safety Committee, coordinating a number of events in schools and youth organisations during the week beginning 8 February 2016 to raise awareness of e-safety and how young people can protect themselves online.  Prison Me No Way and Adam Burroughs of Barnardo’s will be delivering a range of interactive e-safety assemblies in schools as well as spending time at the Youth Service Move on Café and attending parent evenings.

The Islands Commissioner, Emma Martins, said that it was crucial that young people were fully informed about e-safety.

She said: “The message that our office want to give around taking care of your personal data and being careful about data security is inextricably linked with the work that both these Committees are doing in respect of e-safety. Much of the meaningful work that can be done in this respect is in the area of education and awareness.”

“With children of increasingly young age accessing and using the internet, the fact that such work is being so well supported by these Committees in conjunction with the Education Departments across the Islands is a really positive thing. Data Protection specialists working with education professionals is essential if we are going to ensure individuals are given good advice and protection with regards their personal data.”

“I am delighted that my Office is able to support the Committees and the fantastic work they are doing and would encourage parents and children alike to take a moment to find out more about this increasingly important area.”

Does the Data Protection Law stop me taking photos of my children at school?

Christmas is just around the corner and the season of Nativity plays, prize-givings and school events is upon us. Each year we receive lots of enquiries from anxious parents wanting to know whether or not they are in breach of Data Protection Law by taking photographs of their children in their school productions. Hopefully this guidance will help anyone concerned.

Does the Data Protection Law stop me taking photos of my children at school?

The Data Protection Law is unlikely to apply in most cases where photographs or videos are taken in schools and other educational institutions. If photos are taken for personal use they are not covered by the Law.

Photos taken for official school use may be covered by the Law, so pupils and students should be advised why they are being taken.

Examples

Personal use:

1. A parent takes a photograph of their child and some friends taking part in the school Sports Day to be put in the family photo album. These images are for personal use and the Data Protection Law does not apply.

2. Grandparents are invited to the school Nativity play and wish to video it. These images are for personal use and the Data Protection Law does not apply.

Official use:

3. Photographs of pupils or students are taken for building passes. These images are likely to be stored electronically with other personal data and the terms of the Law will apply. The school is responsible for the use and storage of those images.

4. A small group of pupils are photographed during a science lesson and the photo is to be used in the school prospectus. This will be personal data but will not breach the Law as long as the children and/or their guardians are aware this is happening and the context in which the photo will be used. Again, the school is responsible for the use and security of those images.

Media use:

5. A photograph is taken by a local newspaper of a school awards ceremony. As long as the school has agreed to this, and the children and/or their guardians are aware that photographs of those attending the ceremony may appear in the newspaper, this will not breach the Law.

Should you have any questions in relation to the above guidance, please contact the office for further assistance.

Article 29 Working Party publish statement on US transfers

The Article 29 Working Party (WP29), the data protection and privacy advisory body set up under the 1995 European Data Protection Directive 95/46/EC, has issued a statement following the recent European Court of Justice ruling regarding the validity of the US ‘Safe Harbour’ framework.

The statement calls upon all EU Member States and institutions to open discussions with US authorities to urgently find a way forward to enable transfers to the United States that respect the fundamental rights of individuals with regards to their personal information.

WP29 goes on to state that it will continue its analysis of the impact of the CJEU judgment on other methods of transferring personal data, and confirms that tools such as the Standard Contractual Clauses and Binding Corporate Rules can still be used.

The full statement can be read by clicking on the link below. The Office of the Information Commissioner will continue to monitor developments and will post any updates on this website as they arise.

WP29 Statement on US transfers

European Court of Justice ruling on personal data to US ‘Safe Harbour.’

OIC response to ECJ ruling on personal data to US – Safe harbour

13 October 2015

On 6th October 2015 the Court of Justice of the European Union (CJEU) declared the EU/US Safe Harbour scheme invalid. The Safe Harbour scheme was agreed in 2000 by the European Commission and the US Department of Commerce and allowed US companies to comply with the EU Directive 95/46/EC on the protection of personal data. It set out a number of principles regarding the protection of personal data to which US undertakings may voluntarily subscribe and was designed to allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. It has proved a central means by which data has been transferred to the US from the EU and other jurisdictions that have enacted similar legislation, such as the Channel Islands, and is used by approximately 4500 US companies.

Following a case lodged by an Austrian citizen against the Irish data protection regulator concerning data processed by Facebook, the CJEU announced its ruling.
In a press release, the CJEU has set out a summary of the decision and the full judgment can be found here http://curia.europa.eu/juris/documents.jsf?num=C-362/14
It is important that regulators and legislators provide a considered response and this office will be working with our European colleagues in reviewing the ruling in detail. In the meantime, all local businesses that transfer data to the US will need to do the following –

• Review all data transfers to identify which data, if any, are transferred to the US;

• Where data are transferred to other service providers (processors) the relevant contracts should be reviewed for any reference to the Safe Harbour scheme;

• Where such transfers are carried out in reliance on the Safe Harbour scheme an alternative suitable mechanism should be explored.

Concerns about the Safe Harbour scheme have been raised before; the revelations made in 2013 by Snowden concerning the activities of the US intelligence services prompted negotiations between the European Commission and the US authorities with a view to introducing a better protective arrangement. These negotiations are well advanced and this recent ruling will no doubt add some further impetus to this work. In addition, the EU is due to implement new legislation to replace the EU Directive which will set new, higher standards of protection for personal data as well as significantly change the territorial scope of the law. Our office will monitor all developments in this area and issue public statements and guidance where appropriate.

Privacy fears over websites sharing children’s data

Websites and apps aimed at children are gathering unacceptable amounts of personal data, the UK Information Commissioner’s Office has warned. An international investigation looked at almost 1,500 websites popular with young people and found that one in five asked for phone numbers or pictures.

“These are concerning results,” said Adam Stevens, head of the ICO’s intelligence hub.

The investigation looked at how websites were harvesting large amounts of personal information, with half sharing children’s data with third parties.

For the full BBC News article, please click on the below link:

http://www.bbc.co.uk/news/education-34133132

Do you trust your digital environment?…

The protection of personal data remains an important concern for citizens, according to a new Eurobarometer recently published by the European Commission on data protection. The central finding of the survey shows that trust in digital environments remains low. Two-thirds of the respondents (67%) say that they are worried about having no control over the information they provide online, while only 15% feel they have complete control.

For more information and the results of the survey, please visit the European Commission’s website at the below link:

http://ec.europa.eu/justice/newsroom/data-protection/news/240615_en.htm

European Conference of Data Protection Authorities takes place in Manchester today

2015 Spring Conference - Manchester

The annual European Conference of Data Protection Authorities takes place in Manchester today and tomorrow. Data Protection Commissioners across Europe will be attending the conference, which this year is hosted by the UK Information Commissioner’s Office.

UK Information Commissioner, Christopher Graham said:

‘Data Protection in Practice’ is the theme of this year’s European Spring Conference, with the title ‘Navigating the Digital Future – let’s get practical!’ This theme is all about delivering rights for individuals, with a clear practical call to action. While there has been plenty of discussion about the theory of data protection authorities’ powers throughout the long debate on European data protection reform, we should remain focused on ensuring individuals can easily exercise their rights. We need to make sure the current and incoming laws continue to be translated off the page and into real and practical tools that allow the public to remember why we exist in the first place, and what benefits we bring them. We will also be exploring where we as authorities stand when it comes to delivering individuals’ rights.’

Representatives from the Jersey Office of the Information Commissioner and the Guernsey Office of the Data Protection Commissioner are also in attendance at this year’s conference. Further details about the conference can be found on the official conference website at:

https://eurospringconference.wordpress.com/

 

New Data Protection notification process goes live

The Commissioner is pleased to announce the launch of a brand new online notification system for data controllers based in Jersey. The new interactive system replaces the previous notification process which had been in place since the Data Protection (Jersey) Law 2005 came into force nearly 10 years ago, and is designed to provide an easier, more streamlined method for data controllers.

Visit the Online Notification links from the home page of the Jersey website (accessible through www.dataci.org) to register a new notification, or amend or renew an existing notification. You may also search the public register of data controllers from the new system.

Should you have any questions regarding the new process, or have any difficulties using the new system, please contact the Jersey office on 01534 716530.

Welcome to our new website!

Welcome to our new website! All the staff at the Office of the Information Commissioner would like to wish you a very Merry Christmas and a prosperous New Year.

Dutch data watchdog threatens Google with £12m fine

If Google does not satisfy Dutch data regulators by February 2015, it could face a hefty fine
Google has been threatened with a fine of up to 15m euros (£12m) if it does not do a better job of protecting the privacy of Dutch citizens.

The threat was made by the Dutch data protection agency (DPA), which said Google had broken local laws governing what it could do with user data.

The search giant has been given until the end of February 2015 to change the way it handles personal data.

Google said it was “disappointed” by the Dutch data watchdog’s statement.

“This has been ongoing since 2012, and we hope our patience will no longer be tested,” Dutch DPA chairman Jacob Kohnstamm told Reuters.

Privacy change

The row has blown up over the way that Google combines data about what people do online in order to tailor adverts to their preferences.

Information about keywords in search queries, email messages, cookies, location data and video viewing habits are all used by Google to build up a profile on each of its millions of users.

Dutch laws said Google should tell people about this data-gathering activity and get permission from them before it was combined or analysed, said Mr Kohnstamm.

A Google representative said “We’re disappointed with the Dutch data protection authority’s order, especially as we have already made a number of changes to our privacy policy in response to their concerns.

“However, we’ve recently shared some proposals for further changes with the European privacy regulators group, and we look forward to discussing with them soon.”

The Dutch DPA was one of a group of six European data regulators that looked at Google following changes made in early 2012 to unify its privacy policies around the world.

(http://www.bbc.com/news/technology-30492833)

Google considers warning internet users about data risks

Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system.

Many sites have adopted the secure version of the basic web protocol to help safeguard data.

The proposal was made by the Google developers working on the search firm’s Chrome browser.

Security experts broadly welcomed the proposal but said it could cause confusion initially.

Scrambled data

The proposal to mark HTTP connections as non-secure was made in a message posted to the Chrome development website by Google engineers working on the firm’s browser.

If implemented, the developers wrote, the change would mean that a warning would pop up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”.

The team said it was odd that browsers currently did nothing to warn people when their data was unprotected.

“The only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security,” they wrote.

HTTPS uses well-established cryptographic systems to scramble data as it travels from a user’s computer to a website and back again.

The team said warnings were needed because it was known that cyber thieves and government agencies were abusing insecure connections to steal data or spy on people.

Rik Ferguson, a senior analyst at security firm Trend Micro, said warning people when they were using an insecure connection was “a good idea”.

“People seem to make the assumption that communications such as HTTP and email are private to a degree when exactly the opposite is the case,” he said.

Website operators might need help adopting the HTTPS system, say experts

Letting people know when their connection to a website is insecure could drive sites to adopt more secure protocols, he said.

Currently only about 33% of websites use HTTPS, according to statistics gathered by the Trustworthy Internet Movement which monitors the way sites use more secure browsing technologies.

‘Headache’

Paul Mutton, a security analyst at web monitoring firm Netcraft, also welcomed the proposal, saying it was “bizarre” that an unencrypted HTTP connection gave rise to no warnings at all.

“In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS,” he said. Many may resent the cost in time and money required to adopt the technology, he said, even though projects exist to make it easier and free for website administrators to use HTTPS.

“It will seem like a lot of hassle in the short term, but it will be a good thing for the whole web in the long run,” he said.

The Google proposal was also floated on discussion boards for other browsers and received guarded support from the Mozilla team behind the Firefox browser and those involved with Opera.

Many large websites and services, including Twitter, Yahoo, Facebook and GMail, already use HTTPS by default. In addition, since September Google has prioritised HTTPS sites in its search rankings.

(http://www.bbc.com/news/technology-30505970)