Emma Martins speaks at international data protection summit

The Bailiwick’s Data Protection Commissioner, Emma Martins, was an invited speaker at a recent international data protection conference.

‘PrivSec’ took place in Dublin on 23 and 24 September and the two-day summit brought together over 700 worldwide delegates in privacy and data protection to hear an international line-up of expert speakers. Alongside Mrs Martins, representatives from Google, Hewlett Packard, Etihad Airways, Aviva and the Bank of Ireland explored a range of conference topics covering data protection, security and governance and how successful data protection and security programmes need to be interdependent.

Mrs Martins commented on how data protection has shifted from being merely tolerated to actively embraced.

‘It was thrilling to be part of PrivSec this year, there was genuine excitement in the room when privacy activists Max Schrems and David Carroll took the stage, and I’m so grateful to have witnessed that. It was humbling to represent our Bailiwick alongside global heavyweight organisations. We should be proud, as a jurisdiction, that the international community is aware of the approach we’re taking towards effective, independent regulation that encourages our regulated community towards excellence, and protects individuals’ rights.’

Mrs Martins spoke on four key areas of regulation: prediction, prevention, detection and enforcement. Central to her presentation was how regulators should aim for balance across these four areas. She described the Office of the Data Protection Authority’s (ODPA) approach, the implications for regulated entities and how it can secure better outcomes.

ODPA start investigation into Sure Directory issues

On 1 October 2019, the Office of the Data Protection Authority (ODPA) began an investigation in relation to how Sure handled personal data for the 2019 Sure Directory.

Sure have been notified of the start of this investigation. The ODPA welcomes Sure’s constructive engagement and their full co-operation is anticipated.

The ODPA will be investigating Sure under section 69 of The Data Protection (Bailiwick of Guernsey) Law, 2017. The investigation will cover the processing of personal data for, and publication of, the 2019/2020 telephone directory. Concerns raised by several members of the public will also be taken into account to determine whether any aspects of the Law have been breached.

The outcome of the ODPA’s investigation should not be speculated on, or its conclusion pre-judged. No further comment will be made at this time.

Whilst, as previously advised, individuals should speak to Sure in the first instance if they are concerned about their personal data, ongoing issues can be reported to the ODPA.

‘Data protection’ does not explain Sure directory changes

The Office of the Data Protection Authority (ODPA) is aware of several inaccuracies, omissions, and previously ex-directory entries in the 2019 Sure Directory with data protection being cited, it would appear, as a reason for some of these issues.

The legal requirement for personal data to be accurate and, where necessary, kept up to date has been a feature of data protection legislation since the Bailiwick’s first data protection law in 1986. The GDPR-equivalent local law that came into effect in 2018 does not require Sure to alter their previous practice of allowing customers to specify how their entry appears in the directory and it is not clear why the new law has been cited as a reason for the change in approach.

Sure, along with several of their concerned customers, have made the ODPA aware that previously ex-directory numbers have been included in the 2019 directory. This is contrary, it would seem, to customers’ previously advised instructions to Sure.

Emma Martins, the Bailiwick’s Data Protection Commissioner, commented on the risk this potentially poses to people.

‘Data protection is entirely about protecting people. I am very concerned that it would appear a number of ex-directory phone numbers have been published in error. Some people rely on ex-directory status for their personal safety so exposing their personal data in this way can be very distressing, and potentially puts them at risk.’

Any Sure customers affected are asked to contact Sure in the first instance.


Data protection is often, wrongly, cited as a reason why something is or is not done. Read ‘Six data protection myths busted’ at: www.odpa.gg/myths

The ODPA was disappointed to see that its own listing, on page 42 of the Sure Directory, is incorrect. However, the listing in the ‘A-Z of Public Services’ is correct.


Bailiwick takes part in global ‘Privacy Sweep’ for first time

The Bailiwick is, for the first time, participating in the Global Privacy Enforcement Network Privacy Sweep which takes place in September and October 2019.

The Global Privacy Enforcement Network (GPEN) was established to foster cross-border cooperation among privacy authorities. This, the seventh Sweep, will focus on how organisations in each jurisdiction are prepared for handling data breaches, their internal procedures and framework, how they respond and the processes in place for preventing future breaches.

Guernsey’s Office of the Data Protection Authority (ODPA) is one of 18 privacy enforcement authorities from around the world taking part. The ODPA is focusing solely on healthcare providers and has already contacted a select number locally to respond to GPEN’s set questionnaire.

ODPA Case and Compliance Investigator, Edward Chapman, is coordinating the Sweep locally.

‘The theme for this year is data breach notifications so this presents a great opportunity for the Bailiwick organisations we have contacted to be a part of this important, international project. I would like to assure everyone that their responses to the GPEN questionnaire are for information purposes rather than enforcement.’

Guernsey is one of a growing number of jurisdictions around the world where data breach reporting is mandatory. Other jurisdictions, such as New Zealand, Hong Kong and Singapore, are considering the feasibility of adopting a mandatory regime, or are in the process of adopting one.

The Sweep is an opportunity for jurisdictions with mandatory data breach reporting regimes, such as the Bailiwick, to reflect on how their local organisations are performing compared to other parts of the world and identify trends which could guide future education and outreach.

The overall results of this year’s Sweep will be compiled and made public towards the end of 2019.


The ODPA have already contacted a small number of local healthcare providers to take part. It is not mandatory for these selected organisations to respond, and no other organisations are required to take part.

The Global Privacy Enforcement Network (GPEN) is a network of privacy enforcement authorities, of which the ODPA is a member.

GPEN: https://www.privacyenforcement.net

More information: https://odpa.gg/gpen/

ODPA mentor programme success

The Office of the Data Protection Authority’s (ODPA) inaugural summer mentor programme saw a local student make a successful contribution to the regulator’s activities.

Brailen Carey, who is studying a BTEC Level 3 Extended Diploma in Business at Guernsey’s College of Further Education, spent eight weeks with the Office of the Data Protection Authority. Her role over the period included translating aspects of the Bailiwick’s Data Protection Law into a more visual and understandable format and participating in a behavioural assessment activity as part of staff training.

Emma Martins, the Bailiwick’s Data Protection Commissioner, highlighted the mutual benefit of the programme and how important it is for islanders to take an interest in protecting their data.

‘The opportunity to have a student working with us over the summer was hugely positive for both Brailen and the office. We are all generating more data than ever before and the younger generation is often portrayed as uninterested and disengaged with questions of data privacy. Brailen proved that to be very far from the truth; she was able to contribute meaningfully to discussions around what good regulation looks like and how we can work to improve awareness of rights and responsibilities across our whole community.’

‘We learnt as much from her as she did from us. Data protection is increasingly important for all sectors and generations and how we ensure our jurisdiction is well regulated is not just a matter for us as the regulator, it is a matter for us all.’

Brailen found her experience at the ODPA educational and full of opportunity.

‘I was given numerous tasks to complete over the summer and the behavioural assessment was particularly interesting; it explained the different aspects of your personality and behaviours and the best way of using your traits within the workplace. I feel that all the experience and training gained during my time with the ODPA will be beneficial to my studies and future career.’

The ODPA’s mentor programme allows the regulator to gain a better understanding of the younger generation’s views and habits regarding privacy and their data while also fulfilling an important role in providing training and employment. It is also committed to connecting with all the Bailiwick’s residents and is embarking on an outreach programme aimed at engaging young people, to listen to them and learn from their views and experiences.

Louise Misselke, Principal of Guernsey’s College of Further Education, emphasised the importance of schemes including the ODPA’s mentoring programme.

‘Work placement is vital for our full-time students as it enables them to gain specific skills related to their course which really support assessment and achievement in their qualifications. Placement is central to enabling students to gain confidence and can support progression on to their chosen career. I am so pleased that the ODPA was able to offer a placement opportunity, a really interesting experience which is relevant to every area of employment.’

Why do we need data ethics?

To continue our series of posts focused on data ethics, our commissioner, Emma Martins, explains why data ethics is essential if we are to avoid a ‘race to the bottom’ by focusing solely on what is legal, not what is right.


In the first of our articles on data ethics, we talked about why it is that the question of ethics now has a much higher profile in conversations around data protection.

Why is it even necessary to have to think beyond what the data protection law says? It is, after all, a very comprehensive piece of legislation that covers the processing of personal data in nearly all its forms.

I think that at least some of the answer lies in the nature of data in this modern era.

Put simply, we are immersed in it. Technology has become embedded into our everyday lives, shaping us and our society. Even our bodies are becoming increasingly connected so technology is no longer something apart from us, it is a part of us.

We produce and consume data as part of huge data ecosystems that span almost every aspect of our work and home lives. Whether we are aware of it or not, our lives are influenced by the processing that goes on, mostly behind the scenes.

And it is the fact that data is now integral to our lives and interwoven into them that the question of regulation rears its head. Few disagree that regulation providing protections and remedies is important when data harms are so real. But if we think of law as being the only arbiter, we essentially consider all conduct except the illegal to be allowed. Doing ethics means that we seek to live our best lives, not see how low we can sink, because if we look only to law, we risk a race to the bottom. We need to aspire to be better than that. How we treat each other and would wish others to treat us is more than law. And much of culture – our attitudes, values, aspirations – starts from a question of ethics. What sort of place do we want to live in and what do we want our lives and the lives of others to be like?

In the lead up to GDPR there is an argument that in the rush to the 25 May 2018 deadline, compliance became about checklists and tick boxes. Checklists have value but can be counterproductive if we do not engage with the underlying spirit.

Real respect for data rights can only be delivered in part by law. Regulators and legislation cannot on their own deliver outcomes that truly protect individuals and allow businesses to flourish by ensuring their most important asset – data – is properly looked after. Where you have a culture that understands, engages and respects data protection, organisations will operate that way because there is a cultural and social as well as legal pressure for them to do so.

Just recently on the radio I heard an item which highlighted how a UK company had hidden a tick box away during an online application process. Affected individuals were shocked and angry at the subsequent way in which their data was used. It was clear that the company concerned had done everything it could to obfuscate the message, trying to get consent from individuals without them even being aware of having given it. This is no accident. Every organisation will make decisions about the layout and wording of webpages and forms. Whilst the law may take a dim view of this sort of deceptive practice, perhaps as important is the fact that it became a news story. This serves to shine a light on organisations that do not engage with their responsibilities legally or ethically which in turn can be very effective in prompting positive change.

Ethics is not something that stops at the front door of your office. Organisations are made up of people – of us. How we approach all aspects of our lives has the potential to underpin a common foundation for our jurisdiction that we can all benefit from.

So, to be interested in ethics is to be interested in life. With our lives so completely wrapped up in the data choices we and others make, to be interested in life is also to be interested in data protection.

More than ever before, data protection requires personal engagement, not just a run through of a check list. In requiring personal engagement it necessarily means that you will bring your personal values to that engagement. Ethics must become a custom, a way of thinking, a set of values held by us all. It is the conversations and the outcomes that matter and we want to play our part in making sure conversations continue and outcomes improve.

Human behaviour remains key risk to protecting data

THIRTY-TWO personal data breaches were reported to The Office of the Data Protection Authority (ODPA) in the two months up to 26 August 2019.

Eighteen of the breaches were due to personal data being sent, via email or post, to the wrong person. The remaining fourteen were through criminal activity, hacking, personal data being accessed inappropriately, the disclosure of personal data when not authorised to do so, or personal data being lost.

Emma Martins commented on the human aspect of personal data breaches.

‘What is striking from this period’s statistics is that all the breaches reported to us were due to human action, whether deliberate or accidental. There was not a single incidence of system error. We must all recognise that it is people’s awareness, attitudes, behaviour and choices that often pose the biggest risk to the protection of personal data, rather than our IT systems. Because of this, my office is laser-focused on raising everyone’s appreciation and awareness of data protection, in the hope that we can create positive cultural change around how people think, and feel, about taking care of personal data.’

Part of this awareness-raising is the ODPA’s decision to take part in this year’s Global Privacy Enforcement Network (GPEN) ‘Privacy Sweep’ for the first time. This international intelligence-gathering exercise examines a different theme each year and in 2019, the focus is on how data breach notifications are handled.

Mrs Martins said,

‘We will be contacting a sample of local organisations directly, asking them to respond to a short survey from GPEN later this month. Honest responses to the survey are encouraged, as it is only through honesty that an accurate snapshot of the challenges organisations face can be taken, from which we can all learn lessons. Building a culture of honest and constructive learning can help us all to work towards higher standards of compliance.’


This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018 (previous releases are listed below). Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

Number of personal data breaches reported to ODPA:

2 months to 26 August 2019: 32
2 months to 25 June 2019: 50
2 months to 22 April 2019: 40
2 months to 22 February 2019: 45
2 months to 18 December 2018: 28
2 months to 18 October 2018: 26

PREVIOUS RELEASES: bi-monthly breach report statistics

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

Bailiwick to take part in global ‘Privacy Sweep’ for first time

During the week of 23 September we will be taking part in the Global Privacy Enforcement Network’s annual ‘privacy sweep’. This is the first time our jurisdiction has contributed to this international intelligence-gathering exercise, organised by GPEN (a network of privacy enforcement authorities).

GPEN have performed five sweeps in recent years, where participating enforcement authorities (such as us) check in with their local regulated community to:
• build awareness of privacy rights
• identify opportunities for targeted education
• encourage compliance
• facilitate international collaboration of privacy enforcement authorities

You can read more about previous sweeps here.
The theme for this year’s sweep is ‘how data breach notifications are handled’.

What happens next?

We will be contacting sections of our local regulated community with a set questionnaire. You are not obliged to respond, but we encourage you to as the more responses received the more insight can be gained – for the benefit of everyone. GPEN will collate all responses, and will publish their results in due course.

Public statement: reprimand issued to Policy & Resources Committee

The Data Protection (Guernsey) Law, 2017 (the Law)
Public Statement
Issued: 11am 22/08/2019
Controller: Policy and Resources Committee

1. The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that the Policy and Resources Committee (the controller) has breached section 6(2)(a) of the Law.

2. The Authority finds that an employee of the Policy and Resources Committee, in the position of manager, made reference to the health status of a managed member of staff in an email sent to several recipients.

3. The disclosure of the complainant’s personal data in this context caused them considerable distress and they have ongoing concerns about the possibility of the disclosure negatively impacting future employment.

4. This led to the complainant lodging a formal complaint about the Policy and Resources Committee to the Authority under section 67 of the Law.

5. The Authority finds that the Policy and Resources Committee had no legal basis for disclosing this information.

6. The Authority is therefore satisfied that the Policy and Resources Committee failed to comply with the lawfulness, fairness and transparency principle [s.6(2)(a)].

7. Special category data (including health data) are afforded higher levels of protection in the Law, reflecting the harm and distress that can result from a breach. The Authority is clear that where organisations do not take their legal responsibilities to protect such data seriously, consideration will be given to the appropriate sanction including the issuing of a fine.

8. In this case, the Authority has identified the following mitigating factors –
– Early engagement and cooperation by the Policy and Resources Committee data protection officer
– Early admission of the breach by the Policy and Resources Committee
– Updated advice and support provided by the Policy and Resources Committee for employees handling personal data

9. Considering the above factors, the Authority has, by written notice to the Policy and Resources Committee, imposed a reprimand.

Legal Framework

• This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
• Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
• In this case, the controller is the Policy and Resources Committee and liability for their employee’s action rests with them.
• The Authority may investigate a complaint in accordance with section 68 of the Law. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
• In accordance with section 71, the Authority, having made the breach determination, will consider which sanction to impose against the controller.
• Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed a reprimand against the controller.
• Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days.

Commissioner responds to media queries about Sure data breach

The ODPA was asked by local media to comment on Sure’s recent data breach:

Emma Martins, the Bailiwick of Guernsey’s data protection commissioner, said:

‘I can confirm that Sure, aware of their statutory responsibility to report a data breach, let us know about this incident earlier this month. Anyone who is affected by this should speak directly to Sure in the first instance. Incidents like this act as a reminder to us all to be vigilant of risks such as identity theft that can arise after personal data is compromised. More information about how to protect yourself from identity theft, and what your rights are under our local data protection legislation can be found on our website.’

More information:
8 steps to protect yourself from identity theft and scams
Exercising your rights