States of Guernsey approves ODPA self-funding model

The States of Guernsey is supporting a self-funding model for the Office of the Data Protection Authority (ODPA), to reinforce its role as a fully independent regulatory body.

The ODPA is the operational body that carries out the regulatory functions of The Data Protection (Bailiwick of Guernsey) Law, 2017 delegated by the Data Protection Authority. Its new self-funding model means that, from January 2021, most of its operational costs will be met by annual fees paid by the regulated community (i.e. local businesses and other organisations who handle personal data), with the States of Guernsey contributing around £300,000 per year.

The way the ODPA is funded has changed because it is legally and politically obliged to operate independently of the States of Guernsey. Reinforcing this independence is an important part of the ODPA’s effective regulatory oversight, and being able to demonstrate this independence is critical to the Bailiwick retaining its ‘adequacy’ status with the European Commission. This status allows the free-flow of data between the islands and the EU which is crucial to the Bailiwick’s current and future economic success.

Deputy Mary Lowe, President of the Committee for Home Affairs said,

‘Data is an essential part of the modern economy. It is a precious commodity in both our business and personal lives and needs to be properly safeguarded. The Committee has been working closely with the Authority and we are in agreement that moving the ODPA to become self-funding will prove important in demonstrating that while the States creates the Data Protection legislation, the Authority is able to act without fear or favour in its investigations.’

Emma Martins, the Bailiwick’s Data Protection Commissioner, commented on the work that has led to this point,

‘The States of Guernsey civil servants, politicians, as well as ODPA staff and board members have worked hard since 2018 to reach agreement on how best to fund the ODPA. Our focus was always on ensuring that we agreed on a low-cost, low-admin model that is as fair as possible to local businesses. Especially at this challenging time for everyone, we want people to focus their efforts on running their businesses well, rather than filling in bureaucratic forms. We are pleased to finally be in a position to start work preparing for the changes ahead and we will publish further details over the coming months.’

FREQUENTLY ASKED QUESTIONS

Q. What is personal data?
It is any information that relates to an identified or identifiable living person. Things like: your name, your address, your medical records, CCTV footage of you, your social media activity, your internet browsing history, what your boss once said in an email about you, your political views, your sexuality etc.

Q. What is ‘processing’ personal data?
‘Processing’ refers to pretty much anything an entity* does with personal data. It includes activities like: collecting, storing, organising, using, altering, disclosing, erasing and destroying personal data. Profiling is also considered to be processing.
*An ‘entity’ could be: your bank, a school, your plumber, the States of Guernsey, an online retailer, a social media platform, your employer, a politician acting in their official capacity, the supermarket you shop at, your GP’s practice, your insurer, in short: anyone who is deciding how your personal data is used. These sorts of entities are called ‘controllers’ in data protection law.

Q. What is changing?
From 2021, a new registration regime (approved by the States of Guernsey) will be in place for the Office of the Data Protection Authority (ODPA). This regime means that all controllers and processors established in the Bailiwick that process personal data will be legally required to register with the ODPA and pay a fee each year.

Q. Why is the registration regime changing?
The new data protection legislation that came into force for the Bailiwick in 2018 (The Data Protection (Bailiwick of Guernsey) Law, 2017) provided for the creation of an independent regulator. The funding mechanism that was in place prior to that time was maintained until the end of 2020 to allow for political agreement on a sustainable and efficient funding model for the future.

Q. Who decided to make these changes?
The States of Guernsey agreed that the ODPA should be self-funding to ensure full independence.

Since legislation came into force in 2018, the ODPA has been working with the States of Guernsey to agree a new registration regime to enable this. All parties have focused on providing a regime that is as low cost and administratively straightforward as possible for organisations.

The Committee for Home Affairs agreed the new model in February 2020 and the Policy and Resources Committee agreed it in March 2020. The ODPA was then tasked with implementing the model ready for January 2021.

Q. I am registered with the ODPA now, what does it mean for me?
If you are currently registered with the ODPA, you will need to provide the ODPA with new information confirming your registration, between January-March 2021. If you complete an annual validation with Guernsey Registry, you will be prompted to complete your ODPA registration at the end of the Registry’s process. If you do not complete an annual validation with Guernsey Registry, you can simply register directly via the ODPA’s website.

Q. I am not currently registered with the ODPA, what will I have to do?
If you are not currently required to register with the ODPA because you benefit from the limited exemptions (see odpa.gg/exemptions for details), those exemptions will end at the end of 2020 (the only exception is for domestic/household purposes). You will therefore need to register and pay between January-March 2021. If you complete an annual validation with Guernsey Registry, you will be prompted to complete your ODPA registration at the end of the Registry’s process; if you do not, you will be able to register directly via the ODPA website within the same period.

Q. I am a charity/not-for-profit, what does this mean for me?
You will need to complete the registration process as above between January-March 2021, but you do not need to pay.

Q. How much will it cost?
It is recognised that no one wants to pay large administrative costs for running a business, however big or small. The ODPA has always been absolutely clear that its funding model should be as cost effective as possible. The 2020 economic climate has redoubled efforts to ensure that all expenditure is proportionate, necessary and has the highest standards of financial and operational governance built in. The ODPA has worked hard, together with the States of Guernsey, to keep the cost organisations are required to pay as low as possible.

With all of that in mind, there is a simple two-tier cost structure:

  • For small organisations with fewer than 50 full-time equivalent (FTE*) employees, the annual levy will remain £50/year.
  • For large organisations with 50+ FTEs the annual levy will be £2,000/year.

* The Regulation will include details on how to calculate your total FTE.

All charities/not-for-profits will pay zero fee, but must still register and review this each year.

Q. Where will the money go?
The new fees regime will allow the ODPA to move towards self-funding status, giving it full financial independence from the States of Guernsey. This independent status is both a political and legal requirement. The ODPA’s statutory responsibilities are set out at odpa.gg/about-us (under ‘Functions of The Authority and ODPA’) and you can see its plan for performing these tasks via the ODPA Strategic Plan (2019-2022) at odpa.gg/strategic-plan.

The Bailiwick has had a data protection regulator for many years. Up to now, it has received funding from the States of Guernsey, with some income also coming directly from registration fees paid by local organisations. The strengthened data protection regulatory framework has enhanced individuals’ rights to reflect the scale of personal data processing in this digital era. It has also strengthened the role of the regulator, providing it with appropriate powers and ensuring its independence.

Q. How often do I need to pay?
Following your initial registration fee, payable by all (except charities/not-for-profits) in January-March 2021, an annual levy (of either £50 or £2,000 depending on your organisation’s size) will be due during the first quarter of each following year.

Q. I am responsible for registering a number of entities. What are the changes for us?
The ODPA is aware that where an organisation is responsible for registering a number of controllers and/or processors a simpler bulk registration process would be helpful. Consideration is being given to this and more information will be released when available.

Q. I complete an annual validation via Guernsey Registry, how will this process work for me?
The ODPA wants to make the registration process as easy as possible. This keeps costs to a minimum and avoids diverting you into administrative processes that do little to support overall data protection compliance.

To this end, the ODPA has worked with Guernsey Registry to make sure you are given a timely prompt to register with the ODPA once you have completed your annual validation with the Guernsey Registry. This allows the process to be as straightforward as possible for you.

If you prefer, you can of course disregard the prompt at the end of the Guernsey Registry process and simply register directly with the ODPA at a time convenient to you between January-March 2021.

Q. I do not complete an annual validation with Guernsey Registry, how will this process work for me?
You will be able to register directly via the ODPA website. The process is designed to be as straightforward as possible whilst recognising that the ODPA has a statutory requirement to collect certain information from you.

Q. What does the ODPA do with the data it collects for the registration process?
Following changes to legislation in May 2019, the ODPA is no longer required to maintain a public-facing register of controllers and processors. Therefore, all registration data will be processed internally for administrative purposes only.

Q. Why do we need to fund a data protection regulator?
Data increasingly powers the economy as well as affecting our own individual lives, both personally and professionally. The Bailiwick relies on the free flow of data to support and develop the current economy as well as to ensure it is well positioned to take advantage of the emerging digital economy.

Our government recognises how important data protection standards are for our jurisdiction and has therefore provided high quality legislation to ensure appropriate safeguards sit around the personal data that resides and flows through the Islands. As with any legislation, there needs to be effective oversight – both to ensure people and businesses are supported in complying with the requirements, as well as to ensure that complaints are investigated independently and robustly.

Whilst most funding has come from the States of Guernsey up until now, this raised challenges in relation to ensuring the ODPA’s independence (both actual and perceived). With government responsible for handling some of the highest volumes and most sensitive personal data in the Bailiwick, fully independent oversight is essential. Once government made the decision to move the ODPA to a self-funding model, a lot of effort went into devising a fair, low-cost, simple registration model that provides the ODPA with sufficient funding.

Ensuring our jurisdiction has a properly resourced and effective data protection regulator supports islanders’ rights, supports businesses to handle data properly and serves to underpin the Bailiwick’s digital strategy.

Reprimand and warning issued to Isle of Sark Shipping Co. Ltd

The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)

Public Statement

Issued: 12:00, 6 July 2020

Controller: The Isle of Sark Shipping Company Ltd

  1.  Following an inquiry under the Law the Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that The Isle of Sark Shipping Company Ltd (the controller) breached three operative provisions of the Law, namely section 6(2)(a) requiring personal data to be processed lawfully, fairly and transparently, section 6(2)(d) requiring personal data to be accurate and up to date, and section 6(2)(f) requiring personal data to be processed in a manner that ensures appropriate security. As a result of the Authority’s findings it has imposed sanctions on the controller under the provisions of the Law, as is set out in greater detail within this statement.
  2. The inquiry undertaken by the Authority leading to the breach determination and imposition of the sanctions commenced as a result of matters being drawn to its attention and certain responses provided by the controller following questions raised by the Authority. The Authority had concerns that the controller may have been unable to demonstrate sufficient awareness, understanding and compliance with their data protection obligations under the Law and as a result failed to maintain appropriate standards and controls in their processing of personal data.
  3. The area of concern to the Authority related to the processing of personal data concerning the financial status of a data subject. At the conclusion of the inquiry the Authority found that the controller did not process the subject’s personal data in a manner which ensured that the data was processed fairly, lawfully, accurately or securely, in breach of three of the data protection principles under the Law.
  4. Where organisations process personal data in a manner which breaches operative provisions of the Law the Authority will consider taking action to address those breaches and the imposition of appropriate sanction(s), which can include the issuance of a fine.
  5. Following the determination by the Authority that the controller had breached operative provisions of the Law it proceeded to consider whether or not to impose sanctions under the Law for the breaches and, if sanctions were to be imposed, what the most appropriate sanctions would be.
  6. In this case, the Authority identified the following mitigating factors –
  • The controller maintained open and candid correspondence with the Authority whilst enquiries took place and made early admissions.
  • The controller took action prior to the Breach Determination being made to no longer process personal data in the manner highlighted by the inquiry.
  • The controller has not been subject of previous investigation or inquiry.
  7. However, the Authority also took into account that the controller showed insufficient appreciation of the significance of some of the problems arising from the processing of personal data which were the subject of the inquiry.
  8. The Authority considered it was appropriate to impose sanctions for the breaches of the operative provisions of the Law by the controller. Considering all of the relevant factors arising from the inquiry the Authority considered that the breaches of the operative provisions of the Law were toward the lower end of the scale of seriousness. Accordingly, the Authority imposed a formal Reprimand (under s73(1)(a) of the Law) in relation to the breaches which had been discovered and it also issued a formal Warning (under s73(1)(b) of the Law) to seek to prevent future breaches of a similar nature.

Legal Framework

  • This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
  • Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
  • In this case, the controller is The Isle of Sark Shipping Company Ltd.
  • The Authority may investigate a complaint in accordance with section 68 of the Law or conduct an inquiry in accordance with section 69. Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
  • In accordance with section 72, the Authority, having made the breach determination, will consider whether to impose a sanction(s) against the controller and, if so, which sanction(s) are the most appropriate to impose.
  • Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed a reprimand and a warning against the controller.
  • Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days.
  • If the Authority makes a breach determination, the Authority may by written notice to the person concerned impose all or any of the following sanctions against that person –

(a) a reprimand,

(b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and

(c) an order under subsection (2) including an administrative fine.

ODPA staff returning to office: 22 June 2020

UPDATE (12 June 2020):
– ODPA staff will be returning to the office on Monday 22 June 2020.
– We hope to re-start our fortnightly drop-ins, and events in early July 2020.


PREVIOUS UPDATES

UPDATE (27 March 2020): 
ODPA takes ‘realistic’ approach to regulatory activity during Bailiwick ‘lockdown’

UPDATE (23 March 2020):
The ODPA’s premises are currently closed.

CONTACTING US: 
During our office closure our staff are working remotely and can be contacted via: enquiries@odpa.gg.


ODPA response to media enquiries regarding contact tracing

Local media have asked the ODPA to comment regarding the new data collection requirements for businesses and organisations in light of the move to Phase 4 of the exit and recovery strategy.

The States of Guernsey have a dedicated data protection team who are responsible for the operational implementation of the data protection law in all areas of government activity. Whilst the ODPA has not been involved in the implementation of this aspect of Phase 4, we are always keen to support the whole regulated community with their compliance duties.

As part of the Bailiwick community the ODPA welcomes the very positive news that we have been able to move to the next phase so swiftly. The ODPA also recognises that a key element of the next phase is going to be efficient, effective and timely contact tracing.

From Saturday 30 May local businesses and organisations are required to keep records of the names and contact details of all those who visit their premises.

As with all processing of personal data, it is important that individuals are given information and details about that processing including what personal data is being collected, how it will be used and who else will have access to it. The principles contained within the data protection legislation are there simply to ensure that these elements are included in all processing activities, regardless of their context.

The reasons for data collection in this context are self-evident, and ensuring all personal data is handled in a compliant manner will ensure that individuals have trust and confidence in the process as well as in the people directing that process.

For more information about compliance with the local data protection law please see our Advice, Guidance, and Resources page.

ODPA reflects two years on from game-changing law

‘A Child in Data’

On 25 May 2018 the data protection landscape shifted.

To mark the two year anniversary of the day the EU’s GDPR and the Bailiwick’s local data protection law came into force we have put together a selection of content (presented below) that explores the breadth and complexity of our relationship with personal data, and its protection. We hope you find something of interest, something to be inspired by, or something to share with others.

Data protection is far from the dry subject many believe it to be, and we hope the diversity and scope of this content helps demonstrate this, encouraging an engagement with the subject that goes beyond sections of a law that we recognise can often seem impenetrable.

We must all keep in mind, that data protection – at its heart – is simple. It’s about treating people with dignity. And from that simple principle, endless complexities emerge.

It feels like the world we inhabit today bears little resemblance to the world GDPR was born into in 2018. But as we look to emerge out of a global pandemic, where personal data is being used to protect public health, we would do well to keep in mind the relevance of Recital 4 of the GDPR that our use of personal data “should be designed to serve mankind”.

Commissioner ‘encouraged’ by consistent breach reporting trend

Figure: 30 personal data breaches reported to ODPA between 1 March 2020 – 30 April 2020 by category.

Thirty personal data breaches were reported to the Office of the Data Protection Authority (ODPA) in the two months leading up to 30 April 2020, with the majority occurring through people accidentally sending personal data to the wrong person either by post or email.

Personal data being sent to the incorrect recipient remains the most common incident. In the latest reporting period, 21 of the 30 breaches fell into this category: 12 due to email errors and 9 to postal errors. Cyber incidents accounted for four and inappropriate disclosure of data for three, whilst other self-reported breaches included one instance of inappropriate access.

The 30 in total were from a range of sectors, including eight from public authorities, six from healthcare, four from investment, three from fiduciaries, three from retail/wholesale and the remaining six spread across five other sectors.

The Bailiwick’s Data Protection Commissioner, Emma Martins, observed that this period’s statistics cover the period before Covid-19 had reached Guernsey, as well as the lockdown period.

‘I am encouraged to see that this period’s statistics are broadly consistent with the trends we have been reporting since 2018. This indicates that despite the unprecedented pressures local organisations have faced over the past two months, it has not impacted their attention to their legal requirements to look after people’s data, and to report to us when things have gone wrong. I would like to thank our regulated community for not neglecting their statutory duties at this time.’

Mrs Martins also reiterated comments made back in March regarding the ODPA’s approach to its enforcement role during the Bailiwick’s lockdown period.

‘These are not normal times and I want to make it clear that we will not take enforcement action against any organisation who is trying to do the right thing. We know that everyone’s focus is understandably diverted to dealing with new ways of working and the associated challenges for us all, as employers, employees and citizens. We also understand and are realistic about the impact the current disruption will have on compliance and governance, especially in sectors which are now instrumental in the Bailiwick’s response to the unfolding public health situation. Members of the public will also, we hope, understand that organisations may not be able to respond as quickly as usual to requests relating to their personal data. We are part of a community that is pulling together at an extraordinary time and want to ensure we carry out our duties in a responsible and practical manner in the interests of that whole community.’

The ODPA has also published Q&As related to the pandemic.

NOTES:

  • Breach reporting

One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it. Organisations can report breaches to the ODPA via odpa.gg/breach-reporting.

  • Why does the ODPA publish breach statistics?

The ODPA has published statistics on the number of breach reports it receives every two months since June 2018. Publishing this information allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.

  • Number of personal data breaches reported to ODPA (June 2018 – present):

  Reporting period (2 months to)   Headline                                                                  Breaches
  30 April 2020                    Details above                                                             30
  29 February 2020                 Lowest number of breaches in more than a year                             28
  28 December 2019                 Data Protection Commissioner calls for a culture of improvement           48
  27 October 2019                  Data breaches: workplace culture change needed                            44
  26 August 2019                   Human behaviour remains key risk to protecting data                       32
  25 June 2019                     Data Protection Commissioner cautions against a ‘culture of blame’        50
  22 April 2019                    Human error remains biggest risk in data protection locally               40
  22 February 2019                 ODPA report further increase in local data breaches                       45
  18 December 2018                 Increase in local data breaches                                           28
  18 October 2018                  ODPC offers advice after increase in local data breaches                  26


  • How are personal data breaches categorised?

The ODPA individually assesses each breach reported to it and assigns it to one of the eleven categories listed below. Nine of the eleven categories are classed as normally ‘accidental’ or normally ‘deliberate’; the remaining two (‘cyber incidents’ and ‘other’) can be either. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious.

  No.  Category                                      Normally
  1    Loss of data/paperwork/device                 accidental
  2    Data sent to incorrect recipient – email      accidental
  3    Data sent to incorrect recipient – post       accidental
  4    Data sent to incorrect recipient – fax        accidental
  5    Inappropriate access                          accidental
  6    Inappropriate disclosure                      accidental
  7    System error                                  accidental
  8    Cyber incidents                               accidental or deliberate
  9    Unauthorised access                           deliberate
  10   Unauthorised disclosure                       deliberate
  11   Other                                         accidental or deliberate


  • What is a personal data breach?
    A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.
  • What are a person’s ‘significant interests’?
    A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

Data Protection and Law Enforcement sign MoU

The Office of the Data Protection Authority (ODPA) and Guernsey Police have signed a Memorandum of Understanding (MoU).

The MoU formalises how the two organisations can work together: furthering relationships, developing cooperation on matters of mutual interest and ensuring collaborative working where appropriate.

The agreement also means the ODPA and Police are able to provide each other with investigative support and operational assistance, increasing their overall effectiveness. This includes exchanging information where it is deemed justified, necessary, proportionate and legally permissible.

Emma Martins, the Data Protection Commissioner for the Bailiwick of Guernsey, commented on this positive development, which formalises the mutual respect and professional courtesy that already exists between the ODPA and the Police.

“This MoU is an important move in further safeguarding the safety and security of people’s data and privacy in the Bailiwick. It is logical for both the Police and the ODPA to have a framework in place that allows us to collaborate and assist each other in our duties to protect people locally. Together we can try to prevent the harms caused by misuse of data and, where appropriate, bring to task those that wish to, or have, deliberately caused distress.”

Mrs Martins added, “We are very pleased to have worked closely with the Police to form the agreement and are extremely grateful to all those in the force that helped bring it to fruition.”

ODPA takes ‘realistic’ approach to regulatory activity during Bailiwick ‘lockdown’

The Office of the Data Protection Authority (ODPA) is reassuring local organisations that it is taking a realistic and pragmatic approach to its regulatory activities during the Bailiwick’s ‘lockdown’.

The ODPA is the operational body that carries out the regulatory functions of The Data Protection (Bailiwick of Guernsey) Law, 2017 delegated by the Data Protection Authority. This law places a number of legal obligations on local organisations who handle personal data, and gives 10 rights to Bailiwick citizens around how their data is used.

Whilst the ODPA cannot extend timescales that are defined in law, it would like to reassure local regulated organisations that it is taking a realistic approach to its regulatory activities during the Bailiwick’s lockdown period, which started on Wednesday 25 March.

Bailiwick Data Protection Commissioner, Emma Martins, emphasised this,

‘These are not normal times and I want to make it clear that we will not take enforcement action against any organisation who is trying to do the right thing. We know that everyone’s focus is understandably diverted to dealing with new ways of working and the associated challenges for us all, as employers, employees and citizens. We also understand and are realistic about the impact the current disruption will have on compliance and governance, especially in sectors which are now instrumental in the Bailiwick’s response to the unfolding public health situation. Members of the public will also, we hope, understand that organisations may not be able to respond as quickly as usual to requests relating to their personal data. We are part of a community that is pulling together at an extraordinary time and want to ensure we carry out our duties in a responsible and practical manner in the interests of that whole community.’

The ODPA’s premises on Le Bordage shut on Monday 23 March and its nine staff members are now working remotely. Staff are available during normal office hours to answer any queries about data resulting from the evolving public health situation, or otherwise, and can be contacted via enquiries@odpa.gg.

In common with other organisations, all ODPA public events and drop-ins are suspended until further notice. Efforts are underway to support local organisations via online platforms to ensure continued focus on improving compliance and preventing people being harmed by misuse of their data.

Protecting personal data in extraordinary circumstances

With an increased number of the Bailiwick’s workforce working remotely, it’s a good opportunity to explore how best to ensure that your organisation’s protection of personal data is maintained.

Remember: the object of data protection legislation is to protect people’s rights in relation to how their data is treated.

All organisations, from sole-traders to multinational companies, charities to governments handle personal data of their staff/clients/suppliers/citizens. Doing this well enables trust and good relationships to be maintained, and prevents people being harmed by misuse of their data.

With this in mind, all local organisations need to consider the fact that remote working may pose an increased risk to personal data. It is possible to take positive and effective steps to mitigate this risk by considering these common-sense steps:

  1. Make sure staff are aware of, and able to implement, your existing policies surrounding remote-working.
  2. Depending on what your staff are doing with personal data whilst they’re working remotely, consider whether it may be helpful (or legally required) for your organisation to perform a Data Protection Impact Assessment.
  3. If you identify a potentially high-risk processing activity involving personal data you need your staff to perform remotely, seek advice from your Data Protection Officer (if you have one), or visit odpa.gg/advice-guidance.
  4. Ensure staff only use secure network connections, and that all devices have appropriate and up-to-date anti-virus software and other security measures.
  5. Take extra care when transporting any paperwork or devices that may contain personal data: where appropriate use additional security measures such as two-factor authentication for devices, or use physical locks for storing paperwork.
  6. Be extra vigilant to social engineering (e.g. criminals impersonating your staff/suppliers/clients) in all its forms, as criminals are actively trying to take advantage of the current disruption.
  7. Inevitably people’s attention-to-detail, focus and vigilance may suffer from not being in their usual workplace. This is especially true if their attention is being demanded by other household members, such as small children who are in their care. So be realistic with your staff about what level of productivity you are expecting from them and think about limiting them to performing only low-risk, business-critical tasks.
  8. Think about the accountability principle: is your organisation using personal data in a new (or different) way as a result of the current public health situation? If so, document the decision-making process that led to this and update any relevant policies.

Is the ODPA taking a more ‘relaxed’ approach to enforcement activities during the current public health situation?

We would like to reassure local organisations that we are taking a realistic and pragmatic approach to regulatory activities during the Bailiwick’s ‘lockdown’.