News

  • Challenging the scapegoating of ‘data protection’

    Our commissioner Emma Martins sent this letter to the Editor of The Guernsey Press on 18 February 2020:

    We clearly do not have knowledge of the detail behind the headlines regarding the ongoing Scrutiny and Education matter. Equally (as stated in our letter of 13 December 2019), we do not seek to interfere with political matters. But we remain extremely disappointed about how data protection, the legislation for which we have regulatory oversight, continues to be described as a block to good governance and due process, when the exact opposite is true.

    Data is interwoven into all aspects of our lives so it is inevitable that the legislation setting out how data should be treated can be complex and open to interpretation. But the aim of the legislation is to protect all of us. How organisations handle our information can have profound effects on us, which is why the legal framework that sits around how others treat our data gives us all rights and protections that we often take for granted, or may not even be aware of.

    It is too easy to blame ‘data protection’ for what often turns out to be poor planning, careless administration or lack of effort in understanding the realities of compliance. Data protection undoubtedly has an image problem, and my office and I recognise the need to encourage better understanding. We will, therefore, always seek to challenge the scapegoating of data protection and, instead, try to shift the conversation to better reflect reality.

  • Brexit: what does it mean for data transfers?

    With the UK’s exit from the European Union now just hours away, it will be entering an 11-month transition period where EU data-sharing arrangements will remain in effect.

    We will shortly be publishing some updated guidance around what will happen at the end of the transition period.

    In the meantime, you may wish to read our deputy commissioner Rachel Masterton’s 2018 paper: ‘Leaving the EU: the data protection implications of a ‘Hard Brexit’ for UK businesses with EU data flows and clients’. (Or you can read a summary of the main points here.)

    Rachel sums up what this means for the Bailiwick as follows:

    ‘Locally, The Data Protection (Bailiwick of Guernsey) Law, 2017 was drafted with Brexit in mind and so provides a gateway for transfers to UK-based organisations once the split happens. Businesses in the UK and the EU need to be aware that Brexit will have data protection implications and start looking at how they will handle these. If the UK receives adequacy, that will address those issues in the most part and put the UK in the same position as the Bailiwick. If, for any reason, adequacy is not forthcoming, UK organisations and the EU based organisations that they receive personal data from will need to make use of the various safeguarding mechanisms within the GDPR.’

  • Enlightened compliance: what it is, why it matters, and the challenges of achieving it.

    In this blog piece, our commissioner Emma Martins explains her position on ‘enlightened compliance’:

    “‘Enlightened compliance’ is a term I have used a lot in the context of data protection. I want to explain what I mean by this and how best we can encourage it.

    From the moment we wake up each day we are surrounded by rules we are expected to follow. For example, how fast we can drive; how much tax we pay; where we can get medical advice.

    Social Contract
    The existence of these rules is referred to, in moral and political philosophy, as the ‘social contract’. It is a theory that originated during the Age of Enlightenment and mostly considers the legitimacy of the state over the individual, and the sense that we all agree to giving up some of our freedoms, submitting to the authority of the state, in return for protection of certain rights and the maintenance of social order.

    Those of us working in regulation and compliance, in whatever form (and there are many), rarely allow ourselves the time and space to reflect on what the social contract in our own world looks like, is seeking to achieve and – importantly – whether we are actively contributing to the meaningful and successful delivery of good outcomes. Too often we simply set our noses to the grindstone and press ahead with working through our ever-expanding to-do list. Invariably, that to-do list is based on what previous regimes and personnel have determined as the priority for your organisation or role.

    Maslow’s 4 stages of Learning
    But it is more important than ever for us all to think about what compliance means to us and to our community more widely, as well as what we can do to encourage better engagement and outcomes. So, thinking about some of the rules we are surrounded by and our attitudes to them, I am drawn to the ‘conscious competence’ model of learning –

    This model assists in explaining the stages by which we learn across many areas, and can be summarised as follows –

    1. Unconscious incompetence – we are initially unaware of how little we know.
    2. Conscious incompetence – we start to recognise our lack of awareness/knowledge.
    3. Conscious competence – we understand or know how to do something, but it still requires effort or concentration.
    4. Unconscious competence – we know what to do and it has become ‘second nature’, requiring little effort or concentration.

    Whilst this model considers stage #4 (unconscious competence) as the objective of learning, in the context of the regulatory environment we can perhaps think a little differently.

    The past: unconscious incompetence
    For much of its history there has been a significant amount of ‘unconscious incompetence’ around protection of personal data. The introduction of the General Data Protection Regulation (GDPR) served to move many into stage 2 (conscious incompetence). It is certainly the case that, at the ODPA, we had a sense of people within our regulated community appreciating that there was much that needed to be done, but at the same time they were struggling for clarity about exactly what that needed to look like.

    The present: conscious competence
    Since that time, we have worked hard with the resources available to us to help improve both awareness and understanding of what the law is designed to achieve and how best we can work together to achieve it. So, I am optimistic that, although there is undoubtedly still much to do, we are moving into stage 3 (conscious competence). That is, we know what we need to do, and we have the information, time, support and resources to do it. Importantly too, we are working hard at this office to present data protection compliance as more than a tick box exercise, encouraging a better understanding of how fundamental it has become to us all living just and fulfilled lives in the digital era.

    The future? Unconscious competence
    The question of whether we need to aspire to stage 4 (unconscious competence) is interesting. Whilst there are important elements of data protection compliance that need to be embedded into business-as-usual (the unconscious), the environment is changing too fast for us to be anything but constantly vigilant, and being vigilant requires conscious effort.

    A way forward together
    Both the regulated community and the ODPA need to face this harsh reality: sustained, conscious effort in an ever-changing environment is hard. It’s not possible to always get it right, but that doesn’t mean we don’t try.

    For our part of this attempt to get things right: at the ODPA, on a daily basis, we are actively, deliberately, engaging with our regulated community so that we can face the challenges that exist, and find answers together. All the while keeping focused on protecting the rights of the human beings in our jurisdiction who are relying on us to get this right. How do we do this? We run our own events; we put out blog pieces like this one that you are reading; we engage with businesses large and small; our doors are open every fortnight for organisations to ask us (pretty much) anything; we produce our own podcasts; we seek to elevate the public conversation through speaking (and listening) at external events, in schools, and pushing out content via our newsletter and LinkedIn presence – all of this activity creates opportunities for the regulated community and the ODPA to communicate. To learn. To improve. To innovate. It often feels like there are no easy answers in this space, but together we have a chance of unearthing them.

    We have considered our role carefully. Whilst our processes are necessary and our timescales mandatory, how we organise ourselves and devise our responses is ours to determine. We want to do so in an enlightened way and the above learning model applies to us as much as it does to everyone else. We are aware of our responsibilities and we invest all we can into achieving them in ways that go beyond ticking a row of boxes.

    The challenge for us all is to think about the steps we can take to encourage interest and engagement, because even the smallest of steps can bring about big changes.”

  • 28 January: Data Protection Day 2020 marked with public event

    We are hosting a special sold-out event on 28 January to observe the 14th International Data Protection Day.

    Also known as Data Privacy Day, International Data Protection Day signifies an international effort to empower individuals and businesses to respect privacy, safeguard data and enable trust. We will be hosting a one-hour event on Tuesday 28 January that will focus on the data protection landscape in 2020 and the Authority’s strategic approach of predicting, preventing and detecting data harms along with enforcing the local data protection law.

    Emma Martins, the Bailiwick’s Data Protection Commissioner, said:

    ‘It is interesting that Data Protection Day was established by the Council of Europe, which is a human rights organisation. It recognised the importance of personal data and that a change in perspective is necessary so that our human rights are viewed both ethically and legally.’

    ‘Our aim is to ensure there is a cultural shift in society in terms of attitudes to people’s data and this comes from individuals, business and government. The law is a starting point and not an end point and the protection of personal data should be embedded and demanded in all areas of life,’ Mrs Martins added.

    Data Protection Day, which is held on 28 January each year, commemorates the signing of ‘Convention 108’ (or, to give it its other title, The Convention for the Protection of Individuals with regard to Automated Processing of Personal Data) by the Council of Europe in 1981, which was the first legally binding international treaty dealing with privacy and data protection. 14 years ago the Council launched the day to help raise awareness of the issues and our rights regarding our data.

    The event takes place on Tuesday 28 January, at the ODPA’s office at St Martin’s House in Le Bordage, St Peter Port, between 17:30 and 18:30.

    READ: The Convention for the Protection of Individuals with regard to Automated Processing of Personal Data (Convention 108)

  • Data Protection Commissioner calls for a culture of improvement

    Forty-eight personal data breaches were reported to the Office of the Data Protection Authority (ODPA) in the two months leading up to 28 December 2019.

    Of the reported breaches, 39 were due to human error, highlighting again how people’s actions continue to be the biggest cause of personal data breaches locally. Information sent via email or post to the wrong person has consistently been the most common type of data breach reported since statutory reporting requirements came into effect. In response to this trend, the ODPA has recently been focusing on the role of human error in its events programme to help organisations and individuals understand and respond to the risks.

    The Bailiwick’s Data Protection Commissioner, Emma Martins, notes that changing attitudes and behaviour is key to reducing data breaches and preventing harm.

    ‘These latest figures again illustrate how important it is for us all, whatever our role, to understand data protection as something more than an IT issue. We must focus on ensuring individuals’ rights are respected while also recognising the impact of human error when using personal data. It is unrealistic to expect people to never make any mistakes, but we can positively influence attitude and a culture in organisations where mistakes are learnt from, behaviours change as a result and the risk of future harm is reduced.

    ‘We do not seek a culture of blame, rather we seek a culture of improvement,’ added Mrs Martins.

    The remaining self-reported breaches for the two-month period fell into other categories including mislaid data, criminal activity, hacking, unauthorised access and unauthorised disclosure.

    NOTES

    This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

    Number of personal data breaches reported to ODPA (reporting period – number of breaches):

    2 months to 28 December 2019 (details above): 48
    Data breaches: workplace culture change needed (2 months to 27 Oct 2019): 44
    Human behaviour remains key risk to protecting data (2 months to 26 Aug 2019): 32
    Data Protection Commissioner cautions against a ‘culture of blame’ (2 months to 25 Jun 2019): 50
    Human error remains biggest risk in data protection locally (2 months to 22 Apr 2019): 40
    ODPA report further increase in local data breaches (2 months to 22 Feb 2019): 45
    Increase in local data breaches (2 months to 18 Dec 2018): 28
    ODPC offers advice after increase in local data breaches (2 months to 18 Oct 2018): 26

    Breach criteria
    A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

    However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

    ‘Significant interests’ explained
    A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

  • The changing face of data protection: new environment vs. established principles

    Our commissioner, Emma Martins, marks the start of 2020 by reflecting on the need for a well-informed public conversation about data, and the role data protection professionals must play in it.

    ‘Data protection legislation has been around for many decades. Despite the fanfare that greeted the General Data Protection Regulation (GDPR) in May 2018 (and it was beyond doubt a hugely significant step), at its heart, the new Regulation is similar in shape and form to its predecessor. But we continue to be faced with a problem. This problem is not one of new principles but of a new environment. Data has taken on a new life in recent years and we are struggling to keep up. The speed of technological change in this digital age means that the culture and norms that inform our attitudes and behaviours have insufficient time to evolve. So it is therefore unsurprising that, despite its relatively long history, there remains much that is misunderstood and misinterpreted about the legislation; its origins, its aims, and the legal and ethical principles which underpin it.

    There does, however, seem to be change in the air as we are being increasingly exposed to the often shocking reality of the scale and impact of data use and misuse. The crucial role of public discussion; feeding better awareness and understanding of what good data protection means, cannot be overstated. All parts of society have a part to play, but as with so many other areas of our lives, journalists do perhaps shoulder a greater responsibility.

    I was reading this article about the GDPR in the Financial Times recently (which in itself must be welcomed; data is as much a financial issue as it is legal and social). The article itself was well-written, as you would expect, and it highlighted a number of important areas such as wider privacy harms of certain processing, and some of the innovative developments in areas such as data trusts. But I was struck by how persistent the notion is that the law is a clinical tick box exercise, an administrative burden and something you can almost wash your hands of as long as you can evidence some sort of consent from the individual or individuals concerned. It is easy for data protection professionals to be judgemental and critical in the face of misunderstandings or misinterpretations. But if data protection is to be better understood and embraced, we need to be part of a cultural shift towards enlightened compliance rather than tick box approaches. Part of that requires us to try and rebalance the conversation, not to criticise but to inform.

    With this fresh in my mind, I wrote the letter below to the FT, which they published on 3 January.’ (Reproduced here with their permission.)

    Letter: Conversation about our data must involve us all
    From Emma Martins, Guernsey, CI
    January 3, 2020 12:00 am

    There is much to agree with in your editorial “Protecting data privacy needs constant evolution” (December 27); data and its protection has become a pressing social and economic issue. It is therefore extremely important to think about the way it is regulated. It is also helpful to highlight the need for regulatory rethinking in the face of increasing overlap of data protection and other regulatory regimes such as antitrust/competition.

    But the way our personal data are collected, created and used goes well beyond notions of data privacy. In our digital age, it goes to the heart of what it is to be an autonomous and free citizen. Despite recent exposés of certain big tech giants, we remain in blissful ignorance of the actual scale of manipulation and how it is changing us and the world in which we live.

    The General Data Protection Regulation is a good starting point but I dispute the suggestion that it presents companies with a list of tick-box demands. Approaching it in such a manner serves no one. Nor is consent enshrined as its core principle. Equally perplexing is the suggestion that principles of “privacy by design” are “encouraged” by the GDPR when in fact such an approach (together with accountability) is a legal requirement.

    I am not suggesting that the law is perfect, especially in the face of such unprecedented technological developments. But I would like us to learn to approach it differently. To expect any one law, or any one regulator, to be the sole arbiter of the handling of personal data is to condemn both to failure. Neither I, nor any of my regulatory colleagues across Europe, has the ability to effect legal or ethical change on our own. We need to look wider and deeper because this is a conversation that must involve us all. Legislation has to be understood as a form of safety net, not as an ethical baseline.

    Only by moving society forward in a way that deliberately and intelligently engages with the realities of the data-driven digital world can we effect real change; change that ensures we are seen as human beings, not as data points.

    Emma Martins
    Data Protection Commissioner,
    Office of the Data Protection Authority,
    Guernsey, CI

    Copyright The Financial Times Limited. All rights reserved. Please don’t copy articles from FT.com and redistribute by email or post to the web.

  • ODPA response to media enquiries regarding complaint by a Guernsey Airport user

    Local media have asked the ODPA to comment on a recent incident involving a police officer speaking with a member of the public at Guernsey Airport. We responded as follows:

    ‘The ODPA can confirm that a formal complaint has been received relating to the alleged processing of personal data by a number of Bailiwick controllers and is being dealt with in line with our statutory obligations. As a result, and in accordance with normal procedure, no further comment will be made at this time.’

  • Data protection oils the machine of governance

    Our commissioner Emma Martins has sent this letter to the Editor of The Guernsey Press in response to their Opinion piece on 10 December 2019:

    “Thank you for your Opinion piece (10 Dec.) highlighting how ‘data protection’ are “two of the most misunderstood and misused words in governance” and how the Law should not be “a barrier to honest, open and timely scrutiny of government”.

    Data protection has indeed been largely misunderstood and misrepresented, which has long been a source of frustration and sadness for those of us that work in this area. Frustration that the Law is blamed so readily, and sadness because it is a law which is about treating all individuals with dignity and respect. As the Bailiwick’s data protection regulator we work hard to encourage better understanding and appreciation of the Law, why it matters and how it can be complied with. Data protection laws do not prevent legitimate activities by government or any other organisations; they seek to ensure that data about us all is treated with robust governance standards and processes.

    Doing things well, and embedding high standards of data governance, takes thought and effort, because the impact on individuals when things are not done well can be significant. When the legislation is cited as the reason good things can’t happen we must all stop and think. When we give our personal data to others, whether our bank, doctor or government, we expect them to handle it properly, as the Law requires. We cannot claim rights for ourselves that we deny others.

    Our office does not seek to comment or interfere with ongoing political matters. We seek to ensure the Law is applied in a mature and considered way which, contrary to being the ‘glue in the works’, is the oil in the machine of good governance.”

  • Data breaches: workplace culture change needed

    Forty-four personal data breaches were reported to us in the two months up to 27 October 2019.

    [Chart: Number of personal data breaches reported to ODPA]

    Twenty-four of the breaches were due to personal data being sent, via email or post, to the wrong person. The remaining twenty were through hacking, personal data being accessed inappropriately, the disclosure of personal data when not authorised to do so, system error, or personal data being lost. Overall, forty breaches were the result of human action, with just four resulting from system error.

    The Bailiwick’s data protection commissioner, Emma Martins, commented on the role people play in personal data breaches.

    ‘Once again, this period’s statistics reinforce the trend we have seen for some time: that it’s what people, not systems, do that is the biggest factor in most data breaches reported to us. Protecting data well is first and foremost a human issue.’

    This trend, where people’s awareness, attitudes, behaviour, and choice of actions often pose the biggest risk to the protection of personal data, is observed not just locally but also worldwide. In October 2019 the 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) passed a resolution for participating national authorities to ‘address the role of human error in personal data breaches’.

    The resolution, sponsored by the Office of the Australian Information Commissioner, calls on all ICDPPC members (including the ODPA) to ‘promote appropriate security safeguards to prevent human error that can result in personal data breaches’. The resolution identifies the role of ‘building workplace cultures where privacy and personal data security are organisational priorities, including through the periodic implementation of training, education and awareness programs for employees on their privacy and security obligations and the detection and reporting of threats to the security of personal data.’

    This echoes a statement made by Mrs Martins, in August this year on this subject: ‘Building a culture of honest and constructive learning can help us all to work towards higher standards of compliance.’ Recognising the crucial role workplace culture plays in looking after personal data well, the ODPA will be starting an initiative, called ‘Project Blue Tit’, in 2020 with the aim of effecting positive, measurable change in organisational culture locally. More details about this project will be announced soon.

    NOTES

    This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

    Number of personal data breaches reported to ODPA (reporting period – number of breaches):

    2 months to 27 October 2019: 44
    2 months to 26 August 2019: 32
    2 months to 25 June 2019: 50
    2 months to 22 April 2019: 40
    2 months to 22 February 2019: 45
    2 months to 18 December 2018: 28
    2 months to 18 October 2018: 26
