News

  • The gift of personal information

    Throughout the year we gift organisations, clubs, businesses and charities our personal information in return for a product or service. We often take time to carefully select the best gift for a loved one or friend, however we sometimes give the gift of our personal information to others without such consideration.

    Jersey’s Data Protection Law is in place to help ensure that when it comes to our personal information, all of us are provided with appropriate legal protections and remedies in today’s highly digitised world. Every time you click on a Google search result, like a Facebook status or order an item on Amazon, you are generating data; such data is arguably one of the most important assets in our modern age.

    The team from the Jersey Office of the Information Commissioner (JOIC) sends seasonal wishes and a small gift: The 12 Information Crackers

     

    1. Data Protection is a positive concept which holds to account, those entrusted with our personal information to look after it correctly.
    2. ‘Oh we can’t tell you that…it’s against data protection! …’ The data protection law is frequently used as a barrier by organisations to hide behind. This is often as a result of a lack of understanding of the law, or a fear of getting it wrong and facing the wrath of the regulator. This inadvertently leads to organisations telling you they can’t do something when actually they can.
    3. ‘I didn’t give you consent to share my information…’ There are a number of ‘conditions for processing’ that can be relied upon by organisations depending upon the type of information and the circumstances in which it is to be used. For example, another law might require an organisation to share your information with another authority, meaning there is a legal obligation compelling the organisation to disclose it. In those circumstances, they wouldn’t need to obtain your consent first.
    4. Tip; check out the small print / privacy policy. Is your information being shared? If so, with whom? And for what purpose? All too often we are only partially aware of how our information is collected, used, and shared. Ask questions
    5. The JOIC team recommend that you turn off ‘auto-complete’ for email addresses. How many times have you sent the ‘innocent’ email to the wrong person?
    6. Use the BCC (Blind Carbon Copy) for emails to more than one recipient. Stay safe and avoid the risk of sharing personal information that you shouldn’t.
    7. Treat all personal data with the same respect and security as you would wish your own information cared for.
    8. Don’t throw your paperwork in the bin –
    9. When processing children’s personal information you must take extra care.
    10. Only process what you really need – information minimisation reduces risk
    11. Train, train, train. Data protection training and awareness for all staff, volunteers and executives is fundamental.
    12. Don’t panic! Our jolly team at the Office of the Information Commissioner are on hand to answer your questions. See our contact details below.

    If you’re not sure about something, or need some advice on how the law applies to you, please do not hesitate to contact us.

    The Data Protection Law should be seen as an enabling piece of legislation, not a dis-abler. Successful businesses are those that can harness the power of the digital footprint AND ensure that they respect customer data.

    Read more >
  • Festive Fun & Children’s Personal Information

    Excitement always builds this time of year for a host of reasons; the final rehearsals are underway in many nativity plays and groups of school carol singers are practising just a little more. But could the Data Protection (Jersey) Law take a little of the festive sparkle away?

    To keep your Christmas sparkly* we are sharing some advice to help protect children’s personal information, for example when sharing photographs/videos of school nativity plays or other festive events. This advice is applicable if you are an individual or an organisation including a not-for profit body.

    Images such as photographs are considered personal information under the law and should be treated with respect. To start with, here are a few basic essentials;

    • Common courtesy prevails – consider how you would wish your children or grandchildren to be treated and apply this level of respect to all children.
    • Think twice before sharing – make sure that all parties are happy for you to record or share visual content of children publicly.
    • Start at the beginning and check the rules for recording visual content (photos/videos) at your own school or club.

    Posting the prized pictures on Social Media. The law does not prevent you from doing this, as long as you are sharing this content privately with family members/friends.

    Taking pictures or video footage at the school play. The Data Protection Law is unlikely to prevent you from photographing/filming your own children in their school. Remember, if photos are taken for your own personal use they are not covered by the Law. The school may have its own rules around the taking of photographs/video which may reflect safeguarding policies that have been adopted. Also, some schools make a decision to have an official photographer/videographer at events. If in doubt, check directly with the school.

    If my pictures or videos are showing other people’s children – what should I do? What does the law say? The law would apply if you considered sharing this in a public group or similar. You must respect the children’s rights under the Data Protection Law, and as a parent or guardian, ask yourself the question: ‘Would I be happy if someone else posted photos of my child on social media without asking me first?’

    A small group of pupils are photographed during the dress rehearsal and the photo is to be used in the school prospectus. This will be personal information but will not breach the Law as long as the children and/or their guardians are aware this is happening and the context in which the photo will be used. Schools should have comprehensive, readily-available, and up-to-date data protection policies that detail how you protect your pupils’ personal data (including imagery of them) and may well have asked you to consent to the use of this imagery as part of their data protection compliance process.

    The Data Protection Law makes sure everyone’s personal information is used properly and legally, including children’s. Therefore, it seeks to ensure that images of your children are cared for with respect and likewise it places responsibilities on us all to care for other’s personal information.

    The law is not designed to prevent legitimate activity, it is designed to protect the rights of all of us.

    Happy Christmas

    We are at the end of the telephone if you would like further information or guidance on 01534 716530 or email enquiries@oicjersey.org

     * This advice applies all year round, to all school events such as sports day, open days, fundraisers etc.

    Read more >
  • Know your Data

    On the 26th November the Information Commissioner, speaking at a Jersey Data Protection Association event, highlighted that a data inventory is an essential part of any businesses ‘good’ data protection program. This simple message has been reinforced by both Professor Roberts from Oxford University, a specialist in Artificial Intelligence [AI], and Julian Box CEO of Calligo at their Transform AI conference on the 27th November.

    Professor Roberts urged businesses to ‘think more carefully about the data they are collecting as well as how and why they are collecting it’, Julian Box says ‘local businesses are not giving enough thought to how they are using data’.

    Powerful messages focusing on a very real practical business essential. How can you protect your clients, your business and your reputation if you don’t know exactly what data you are collecting, why you are collecting it and what you may be doing with it?

    Our office is your ‘partner in data protection compliance’  –  please contact us if you need any data protection guidance.

    Please know your data.

    Our goal is to provide the people of Jersey with the highest standard of data protection, while also preserving their economic interests

     

     

     

    Read more >
  • ‘Meet the Information Commissioner.  What’s been on his office’s agenda since May 2018?’

    Dr. Jay Fedorak spoke to an oversubscribed Jersey Data Protection Association event on the 26th November. The Information Commissioner opened with a brief overview of recent changes in the Office of the Information Commissioner. He detailed the growth in the number of staff and organisational structure, as the team develop to meet new challenges. He drew attention to the impending transition to greater financial and governance independence from the States of Jersey.

     

    Dr. Fedorak highlighted that most of the office’s workload since the change in law in May 2018 has been complaints regarding the improper ‘disclosure’ of data as opposed to concerns with data collection. The team’s work load has trebled between May to October 2018 as compared to the same period in 2017.

    The Information Commissioner walked attendees through the top level elements of a good ‘Data Protection Programme’;

    • Data Protection Officer
    • Know your personal data – create an inventory
    • Appropriate Data Protection policies and protocols, to include Subject Access Requests and reporting breaches
    • Training & awareness
    • Periodic reviews and audits
    • Executive buy-in

    Dr Fedorak spent a few moments reinforcing the importance and power of the periodic review, whether it is a spot audit or more in-depth, the review identifies any deficiencies in your organisation’s Data Protection programme.  An essential part of the policy is the executive buy-in and Dr. Fedorak offered to help anyone who believes that they are not getting executive support and commitment, he will happily speak to any organisation to detail how and why this is so critical.

    Our goal is to provide the people of Jersey with the highest standard of  data protection, while also preserving their economic interests.

    Read more >
  • ‘True transparency requires timely access to information, and the timelines in the Law are not optional, they are a requirement.’

    Dr. Jay Fedorak, Information Commissioner talks to BBC Breakfast Radio Jersey, today.

    Listen here as Dr. Fedorak explains public interest is more specific than ‘what the public finds to be interesting’. It does not refer to interest in the sense of being
    entertaining. The term public interest concerns the public having a stake or right that is at issue rather than simply mere curiosity.

    Listen in here from 2:06 for the full interview (available for 29 days).

    https://www.bbc.co.uk/sounds/play/p06pprp8

    Read more >
  • The Freedom of Information Law requires disclosure of part of the employment contract of the Chief Executive of the States of Jersey

    In a Decision Notice issued today, Information Commissioner Dr Jay Fedorak found that the Freedom of Information (Jersey) Law 2011 authorised the Chief Minister’s Department to withhold some information in response to a request for the employment contract of the Chief Executive, but was not authorised to withhold other information.  He also found that it failed to meet the maximum timelines for responding as article 13 of the FOI Law requires.

    Commissioner Fedorak states true transparency requires timely access to information, and the timelines in the Law are not optional, they are a requirement.’  He also notes that public authorities must be able to justify in each case why it would be reasonable for them to take more than the standard 20 days to respond a request.

    The Law recognises the tension between transparency and privacy in the FOI Law with respect to the personal information of public officials. It is necessary to weigh all of the relevant factors in each case when responding to requests for this information. These relevant factors include whether the information relates to professional responsibilities or private life and whether disclosure would be in the public interest. Some of the criteria for determining whether disclosure serves the public interest are:

    • The seniority and public profile of the employee;
    • If the information has been the subject of recent public debate; and
    • If the information relates to the expenditure of public funds.

    Everyone has a right to privacy,’ states Commissioner Fedorak, ‘including public officials. However, the public must be able to hold public authorities accountable for their decisions and activities. This sometimes requires the disclosure of information about the professional responsibilities and terms and conditions of employment for identifiable public officials.’

    As is customary with respect to formal decisions under administrative law, the Commissioner will not comment on this Decision Notice or the details of this case.

    Notes

    Freedom of Information (Jersey) 2011 promotes transparency and openness, which are fundamental to a health democracy and sound public policy making.  The Law gives individuals rights of access to official information held by Public Authorities in Jersey

    Under Article 46 (2) of the Law, any person who is unhappy with the way in which a Public Authority has responded to their request must first request a review by the Public Authority. If they remain unsatisfied, they have the right to make an appeal to the Information Commissioner.

    The Information Commissioner issues a final decision with respect to the matters at issue by way of a ‘Decision Notice’

    https://oicjersey.org/freedom-of-information/

    Read more >
  • The Implementation of GDPR in Jersey – six months on

    Information Commissioner Jay Fedorak looks at the state of play since the new rule on data protection came into force in May.

    It has now been six months since the implementation of the new Data Protection (Jersey) Law 2018 came into force, incorporating the new European Data Protection Regulation (GDPR). This new initiative brings data protection into the twenty first century with provisions to address some of the challenges that rapidly advancing information technology. It replaces the previous generation of data protection regulation that emerged during the age of paper.

    Now technological advancements, including the introduction of social media, have expanded our ability to collect, use, analyse and disclose personal data. This has improved services to individuals and reduced costs but has also created new risks to privacy. Breaches are becoming larger, more frequent and more harmful.

    (Jersey Evening Post, 21st November 2018) 

    GDPR places new responsibilities on business, including transparency around the management of personal data, and gives new rights to individuals. Businesses must document their data management practices and many must appoint a Data Protection Officer. Businesses must also report data breaches to the Jersey Office of the Information Commissioner (JOIC), whenever there is the potential for harm to the data subjects. They must respond to requests for correction and deletion of personal data, as well as requests to transfer their data to other businesses.

    In the two years since the European Commission announced GDPR, there was a great level of awareness and preparation by businesses in Jersey. A new industry in data consultancy emerged to assist business in preparing to comply with the new rules. The JOIC provided advice and direction and fielded a large number of enquiries.

    Since 25 May, however, there has been less public attention and fewer calls from businesses. This might be an indication that all businesses are confident about their level of compliance.  However, compliance with GDPR is not a one-time event. It is an ongoing process. After businesses establish policies and procedures train their employees, they should check and confirm that everyone is complying with those requirements, at least annually.

    The workload of the JOIC has grown since 2017. Complaints have doubled and self-reported breach notifications have increased considerably. Some of the breaches reported do not meet the threshold for harm that requires reporting. Nevertheless, there is no harm in reporting minor breaches. It increases our knowledge and enables us to assist businesses in responding to them.

    Our greatest challenge is building the capacity of the JOIC to meet its new responsibilities. In addition to dealing with a growing number of complaints, we must expand our public education programme and develop implementation tools to assist businesses. We must move into larger office space and develop a new funding model, along the lines of other independent regulators, like the Jersey Financial Services Commission and the Channel Islands Financial Ombudsman. For JOIC to be credible in the eyes of the public, it needs to be financially and administratively independent of the States of Jersey. The Law created a Jersey Data Protection Authority, with an independent board that provides a new model of governance, oversight and accountability separate from the States. Once we have the space to grow, we will be able to recruit the employees necessary to fulfil our mandate.

    JOIC needs to be an independent and effective data protection regulator to ensure that businesses continue to enjoy unimpeded access to cross border flows of personal data from Europe. GDPR prevents cross border flows to non-member states that do not have an adequate level of data protection. The European Commission gave Jersey adequacy standing under the previous data protection regime, and that status will continue temporarily under the new regime. However, Jersey will be subject to a new adequacy assessment soon, and it is important for businesses that it is successful. Businesses can help by complying with the Law and providing the highest level of data protection.

    The prospect of a No Deal Brexit also poses a serious challenge to Jersey businesses. Without a deal, the United Kingdom would become upon leaving the EU a third country without an adequacy designation. This means the free flow of personal data from Europe would end, requiring the development of new administrative mechanisms to permit some of the data to flow. It would also mean that, under the Jersey Law, businesses would no longer be able to transfer data freely to the United Kingdom, without new contractual provisions, binding corporate rules or obtaining the consent of data subjects. Having to deal with this type of red tape would be bad for business.

    Going forward, JOIC will strive to be a partner in compliance with Jersey businesses in a way that respects our independence. Our goal will be to provide the highest level of data protection for the people of Jersey in a way that promotes their economic interests. I encourage any business that has questions about data protection to contact the JOIC.

    Read more >
  • Civil service chief’s contract: Commissioner will decide whether to publish details

    The decision on whether to make public details of the employment contract of the Island’s top civil servant, Charlie Parker, remains in the hands of the Jersey’s Information Commissioner; reported the JEP on Saturday the 3rd November.

    Commissioner Jay Fedorak said that the file was still ‘live’ in relation to an appeal by online newspaper Bailiwick Express, after the JEP exclusively revealed that Mr Parker had been given entitled, rather than ‘essential employee’, housing status as a perk of his contract.

    The appeal was lodged with the Commissioner’s office following a six-month battle with the Freedom of Information office for the contract details to be released.

    The FoI request was subjected to numerous delays before being denied in August, with unnamed senior States officials saying it contained personal information.

    ‘I can confirm that we have received it but I can’t get into any details of what is happening with a live file at this time,’ Mr Fedorak said of the appeal.

    The Office of the Information Commissioner is responsible for the compliance of local agencies with data protection laws and is the final arbiter for FoI requests.

    There have been a number of calls for Mr Parker’s contract to be made public since the JEP revealed that the States chief executive had been granted ‘entitled’ status.

    ‘We are going to be dealing with it as soon as possible,’ Mr Fedorak said, but he was reluctant to commit to a timeline. ‘I have already had a look at the materials and I am actively involved in the deliberations. I will be trying to draft a report as soon as I can,’ he added.

    Read more >
  • Exploring the remit of the Office of the Information Commissioner

    Commissioner Jay Fedorak chatted at length with Tania Targett, senior reporter from the JEP.

    Ms Targett started by asking why the Commissioner role now and why Jersey? ‘Jersey is an opportunity to join a dynamic island and team at a time of change, with the implementation of new laws and the emergence of new challenges within a new Data Protection organisational structure’ explained Jay.

    ‘My office provides islanders with timely and expert advice, in relation to all data protection and freedom of information issues. In our role as regulator, we encourage businesses to promote good information management practices and to perceive that the data protection law enables the use of personal data for all legitimate business purposes.

    It is essential that our office helps to raise the international profile for data protection in Jersey, in support of the islands reputation as a well-regulated jurisdiction’

    The team at the Office of the Information Commissioner is growing to meet the needs of the new legislation which enhances our individual rights and requires organisations to report breaches of personal information.

    Ms Targett enquired if the Commissioner felt that islanders are aware of their rights in relation to both data protection and freedom of information. The introduction of the much-publicised GDPR (General Data Protection Regulation) in Europe including the UK, in May of this year, heightened public attention. The increase in numbers of enquiries and complaints to the office since May indicates that awareness is growing.  However, we believe that the recognition of the enhanced individual rights of the new Data Protection (Jersey) Law needs to be more widespread in our community.

    The enforcement team takes seriously all enquiries to the office and investigates all data protection complaints. In certain cases, the Commissioner may make a final decision, where circumstances warrant.

    The office is also the oversight body for the FoI Law. We are the avenue of appeal whenever a requester is dissatisfied with the initial response to their request and has applied for and received a reconsideration of the decision of the States of Jersey. Our role is to undertake a review and make a final determination of the correct application of the law to the requested information. The FoI Law facilitates transparency of public authorities and promotes the public interest.

    We actively encourage islanders and organisations to contact us if they have any questions about any aspect of the laws, including their rights and responsibilities.

     

     

    Read more >
  • Swapping personal information for wheelbarrows and brooms at Jersey Hospice

     

    Our 8 strong team focussed on shrubs and plants for two days to help support the excellent work of Jersey Hospice. The Information Commissioner, Dr Jay Fedorak and Paul Vane, Deputy Commissioner were among the team who cleaned out planters, swept paths, pruned shrubs, cleaned the water feature and spruced up the green house.

    Jay Fedorak said it was rewarding to contribute, even in a small way, to the total philosophy of care and patient well-being offered by the team at Jersey Hospice.  It quickly became evident that the staff at Hospice look after both inpatients as well as a huge numbers of day patients and visitors who offered us varying gardening tips and supportive comments.

    Pictured above from left to right Paul Vane, David Lawson, Adrian Hayes & Claire Brown

    Our day job helps to raise awareness amongst our community about their personal data – when to share it and how to protect it. Our regulatory function helps us to enforce good behaviour from Jersey organisations as to how they look after our information.  Personal data includes anything that could identify a living person, for example location data, date of birth or IP address.

    Pictured above from left to right Trevor Beckford, Jay Fedorak, Anne King & Sammie Gardner

    Certain types of personal data is called ‘Special Category Data’ such as genetic or physical or mental health data. This type of data has to be given additional care and security. Jersey Hospice reminded us during our gardening days that they have embedded good data policies and practices in everything that they do to ensure that they are trusted by patients and their families and to comply with their legal obligations.

    If you need any guidance about your personal information rights or how to look after people’s personal information please call us on 01534 716530 or email enquiries@oicjersey.org

     

     

     

    Read more >