• New name for data protection regulator

    As of 14 January 2019, The Office of the Data Protection Authority (ODPA) is the new name for the local data protection regulator.

    This replaces the previous name of The Office of the Data Protection Commissioner.

    This re-naming formally recognises the legal body of the Data Protection Authority which was established in May 2018 and is defined in Part XI of The Data Protection (Bailiwick of Guernsey) Law, 2017.

    The Data Protection Authority is made up of a Chair, five voting members, and the Data Protection Commissioner, who is an ex-officio and non-voting member. The Data Protection Authority delegates responsibility for most of the day-to-day regulatory activities to The Office of the Data Protection Authority, which employs the Data Protection Commissioner, the Deputy Data Protection Commissioner and other staff.

  • 28 January: Data Protection Day event

    The Office of the Data Protection Authority (ODPA) is holding an event to mark International Data Protection Day on 28 January, and is extending an open invite to all those who work in data protection to register to attend.

    Data Protection Day has been recognised internationally annually since 2007, with the aim of raising awareness and promoting privacy and data protection best practices.

    The ODPA’s event will present an opportunity for local data protection professionals to meet, share stories, and talk with the commissioner and her team. The event will also explore the role of the Data Protection Officer (DPO), in particular, the special protections the Law gives to individuals who hold these roles within local organisations.

    Emma Martins, Data Protection Commissioner for the Bailiwick of Guernsey commented on the special status that data protection officers, in particular, hold in local organisations:

    ‘An effective data protection professional is good for their organisation and also for compliance which in turn benefits us all. The Data Protection Officer (DPO) role in particular demands many skills ranging from legal and operational to technical. It also, importantly, requires the individual to be able to communicate effectively, including at board/senior management level.’

    ‘I am very keen to support DPOs, and to encourage their recognition as respected and valued employees. They should operate independently, report to the highest tier of management within any organisation and be given sufficient resources to allow them to meet their legal obligations and maintain their knowledge.’

    The informal event will be held at the ODPA’s premises at St Martin’s House, Le Bordage from 13:00-14:00 on Monday 28 January. All data protection professionals who wish to attend should visit to register for their free place. Spaces are limited and will be allocated on a first-come first-served basis.

    Book your free place: Data Protection Day (Mon 28 Jan 13:00 – 14:00) 

  • 19 December: update on Brexit and data protection

    With UK parliament set to vote on the draft agreement on Britain’s withdrawal from the European Union in the week of 14 January, we’d like to reassure local organisations that in the event of a ‘no deal’ Brexit in March 2019 consideration is being given to the need to invoke the statutory provision in our local Law to continue to recognise the UK as an adequate country from a data protection perspective. This means that organisations could continue to transfer personal data to/from the UK as they do now.

    We can also confirm that on 17 December we met with the States of Guernsey’s data protection policy team to discuss the situation, to ensure readiness to respond with a firm approach in the event of any Brexit scenario. And we will continue to work in partnership with the States as things evolve over the coming weeks.

  • Increase in local data breaches

    Twenty-eight personal data breaches have been reported to The Office of the Data Protection Commissioner (ODPC) in the last two months up to 13 December 2018.

    The number of breaches has increased slightly compared with the previous reporting period, when 26 breaches were reported over the two months up to 18 October. The increase is likely due to two factors: firstly, organisations are increasingly aware of their legal obligation to report breaches; and secondly, certain organisations have erred on the side of caution by reporting incidents that do not necessarily meet the breach classification criteria.

    The ODPC encourages all local organisations to continue with this cautious approach, as it provides valuable intelligence on the real-world risks faced by local organisations.

    Most incidents reported to the ODPC were low-level with no further action required. However, the ODPC has a heavy caseload of ongoing investigations into breaches and complaints that do require significant further inquiry.

    As with the previous reporting period, there have been a number of incidents where hackers have gained control of email accounts using social engineering techniques.

    Guernsey’s Data Protection Commissioner, Emma Martins commented on the role of breach reporting and organisations’ duty to consider the people affected.

    ‘We continue to see local organisations engaging in their legal obligation to report data breaches to our office. This is an essential aspect of compliance as it requires organisations to proactively engage with the risks they face in protecting people’s personal information. It also ensures they robustly consider the impact a breach may have on the people whose data has been affected.’

    The ODPC uses the breach report information received to shape activities, particularly its communications strategy and regulatory action plan. Understanding where organisations are vulnerable enables the ODPC to target its resources in the most effective way.

    The ODPC is working to improve its online breach reporting mechanism and has asked for any comments to be submitted via



    Personal data breach: legal criteria
    A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

    There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

    However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPC encourages all incidents to be reported.

    ‘Significant interests’ explained
    A person’s ‘significant interests’ are defined in our local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

    Action points for organisations after a personal data breach:

    • Read: ODPC breach reporting guidance document (includes checklists and templates);
    • Let ODPC know the breach has occurred – via the secure online breach reporting mechanism;
    • Take steps to limit the damage. Where appropriate, advise any person who received data in error that they should delete the data and must not make use of or disclose the data to anyone else;
    • Consider whether it may be necessary or appropriate to report the breach to any other regulatory or law enforcement agency;
    • In some cases you will need to notify the person whose data was disclosed in the breach;
    • Ensure your organisation reviews and learns from what has happened.

    Action the ODPC takes following a reported breach:

    • They record the breach, securely and confidentially, and assess its severity;
    • They contact the organisation to confirm receipt of the breach report and discuss what happens next (each report is assessed on a case by case basis);
    • Where necessary the ODPC may need to communicate with other data protection authorities, if the breach is likely to affect people outside of the Bailiwick.
  • 6 December 2018: Official office opening event

    On Thursday 6 December, we welcomed invited guests to attend the official opening of our new offices at St Martin’s House. We would like to thank all our guests who braved the elements to attend; it was our pleasure to see you all.

    We reflected on the significance of our office environment, which allows us to now host our own board meetings (the third of which was held during the day yesterday), meet privately with members of the public, and, in 2019, begin holding public events.

    Special thanks also to Ben Fiore and Louise Lawton – both immensely talented local artists whose work depicts our jurisdiction and islanders, in the public areas of our offices.


  • Marriott breach: advice published by National Cyber Security Centre

    For any Bailiwick residents who may have been affected by hotel group Marriott International’s large data breach, we would like to point you to this NCSC advice.

    A spokesperson for the National Cyber Security Centre said:

    “We are working with partners to better understand the data breach affecting Marriott International and how it has affected customers.

    “The company has confirmed an unauthorised access to a database they say contains information on up to approximately 500 million guests worldwide who made a reservation at a Starwood property.

    “The NCSC website includes advice for people who think they have been affected by the data breach, including guidance on suspicious phone calls and targeted emails that can be sent after a data breach.

    “We also recommend that people are vigilant against any suspicious activity on their bank accounts and credit cards and contact their financial provider if they have concerns.”

    Read full advice from National Cyber Security Centre.

    If you have any concerns please call us on +44 1481 742074, or email

  • Data protection implications of Brexit for the Bailiwick

    We have received an increasing number of queries from organisations exploring the potential impact Brexit may have on Bailiwick organisations and data transfers to and from the UK.

    Following the publication of the draft agreement on Britain’s withdrawal from the European Union on 14 November 2018 we would like to give the following update:

    • Our understanding is that the UK will remain subject to the GDPR during transition (so until December 2020) for data related to EU citizens unless adequacy is recognised before then. This would seem to indicate that transfers of personal data from EU to UK will continue as at present, although we note that the word ‘transfer’ is absent from that section’s text in the draft agreement.
    • The draft agreement also gives 21 months for the UK to navigate the adequacy process, something recognised in the accompanying Political Declaration document that sets out the relationship between the UK and the EU once the transition period ends.

    Following EU leaders’ approval of the draft agreement on 25 November, we continue to monitor this position as the agreement makes its way to the UK parliament on 11 December.

    For more in-depth information please refer to: ‘Leaving the EU: the data protection implications of a Hard Brexit for UK businesses with EU data flows and clients’ (May 2018 document)

  • Christmas: keeping children safe through data protection

    The festive season is upon us. If you’re worried that data protection is here to ruin Christmas, fear not. Below is some advice on how to ensure you and/or your organisation protect children’s rights when sharing photographs/videos of school nativity plays or other festive events*.

    Q: I’m a parent/carer/grandparent – does the Data Protection Law stop me taking photos of my children at school?
    A: In short, probably not. The Data Protection Law is unlikely to prevent you from photographing/filming your own children in their school. Remember, if photos are taken for your own personal use they are not covered by the Law. The school may have its own rules around the taking of photographs/video which may reflect safeguarding policies that have been adopted. Also, some schools make a decision to have an official photographer/videographer at events. If in doubt, check directly with the school.

    Q: What about sharing photos/videos of my children on social media?
    A: Again, the law does not prevent you from doing this, as long as you are sharing this content privately with family members/friends.

    Q: What if the photographs/video I’m sharing feature other people’s children too?
    A: When you share this kind of content in a public group or platform, the Law would apply, and you must respect the children’s rights under the Data Protection Law.

    Remember that ‘data protection’ is really ‘people protection’, and that there are children whose family situation is not known to you. If you publicly share content that identifies them as attending a particular school, you may be inadvertently compromising their privacy or even putting them in danger. Avoiding scenarios like this goes to the heart of the reason why data protection laws were strengthened in 2018, both locally and in many other jurisdictions worldwide. Also, remember that this applies to other parents/carers who may be taking images of your child. Treat others as you would expect to be treated yourself. The law is not designed to prevent legitimate activity; it is designed to protect the rights of all of us.

    Q: As a school are we allowed to share content featuring our pupils in school newsletters, or online?
    A: As a school processing personal information about children, their family and your employees, the Data Protection Law applies. You should have comprehensive, readily-available, and up-to-date data protection policies that detail how you protect your pupils’ personal data (including imagery of them). If you are relying on children (or their legal guardian) consenting to your use of their personal data then you must have a record of how that consent was freely given and what use it applied to. But, remember that consent is not your only option – there are a number of other conditions that you can legally base your handling of personal data on. It is important that parents/guardians of children are fully informed of the way in which you handle all personal data and are given an opportunity to ask you for further information about the processing.

    In summary:

    • Check the rules for recording visual content (photos/videos) at your own school.
    • Treat other people’s children in the same way that you would expect them to treat yours – with respect.
    • Do not record or share visual content of children publicly without making sure that is what all parties are happy with.
    • Enjoy the event!

    If you need any further advice on this, or any other matter related to protecting personal data please call us on 742074 or email

    * This advice applies all year round, to all school events such as sports day, prize givings, open days, fundraisers etc.

  • Data protection law change, 6 months on

    The Office of the Data Protection Commissioner staff (L-R: Tim Loveridge, Leanne Archer, Mike Appelqvist, Emma Martins, Rachel Masterton, Lesley Le Bailly, Lawrence West)

    The Office of the Data Protection Commissioner (ODPC) is marking the six-month anniversary of the introduction of Europe’s General Data Protection Regulation (GDPR), and equivalent local legislation by providing an update on their activities since 25 May, as well as an indication of the road ahead.

    The unprecedented interest in data protection in the lead up to 25 May 2018, combined with a stream of data scandals has ensured the issue of data has remained high on the agenda of business, government and individuals in the six months since implementation of wide-ranging legal reform across Europe and in the Bailiwick.

    The ODPC has, along with other regulatory offices, been focused on ensuring the new legislation is workable and effective. Like any significant legal framework, there remains some ambiguity and uncertainty as society grapples with fast evolving global technological and social change which may take time to work through. That should not deflect from the significance of the reform and a true understanding of why it is needed and what it seeks to deliver.

    The data protection commissioner, Emma Martins, commented on the ODPC’s role and regulatory approach:

    ‘The ‘datification’ of all our lives has brought with it changes to the way we live and how others shape our experiences, relationships and power balances. Regulatory effectiveness plays a major role in ensuring delivery of obligations in respect of data protection standards. How we, as the regulator, use our powers will fundamentally affect the nature and quality of compliance and we want to ensure we do so with integrity and with appropriate accountability and governance mechanisms embedded into everything we do. Part of delivering on that means that we ensure relevant and timely information is published about the law and our activities recognising that we are funded by the community and industries we are here to support.’

    Increase in local organisations registered with ODPC
    Since 25 May, 454 local organisations have fulfilled the legal obligation to register with the ODPC. This is on top of the 2,000 who registered prior to that date. It is a criminal offence for local organisations to handle any information related to any living person without registering, unless a legal exemption applies.

    Enquiries and outreach
    The ODPC answered approximately 400 emails sent to since 25 May. Organisations and citizens are welcome to submit any queries they have to the ODPC via email, phone, letter, or in person. Since 25 May the data protection commissioner, and her deputy have undertaken 14 speaking engagements at events held by local industry bodies, associations, charities, schools etc. The ODPC events programme will commence in early 2019 – this is a key aspect of the ODPC’s statutory obligation to raise public awareness of citizens’ rights and to promote awareness of local organisations’ legal duties when handling personal information.

    Funding secured to end of 2019
    On 15 May 2018 Policy & Resources Committee approved the investment case and funding for the establishment of the ODPC and its operational costs through till the end of 2019. Thereafter, there is an intention to move towards a model that is predominantly funded through the collection of fees from local organisations. Our operating budget for 2018 stood at approximately £667,000 with a predicted operating budget for 2019 of ~£1.1 million.

    Online breach reporting introduced
    A secure, online system was developed to allow organisations to perform their new legal duty of reporting data breaches to the ODPC. This was in place for 25 May 2018, and in the six months to date we have received 71 breach notifications via this system.

    Independent status
    The ODPC’s board is The Data Protection Authority which officially became a fully independent regulator on 25 May 2018. This Board provides independent governance and oversight of the Office of the Data Protection Commissioner which performs the day-to-day regulatory function. The Board has met twice in the 6 months since 25 May to formalise the governance arrangements for delivery of its statutory functions.

    The Board retains the power to fine organisations up to a maximum of £10 million, for any data protection breaches that are deemed deliberate, wilful, repeated, seriously negligent or having caused significant harm.

    New recruits
    To assist in delivering on their statutory duties, between June and August 2018 three members of staff were recruited: an interim Chief Operating Officer, an Office Manager, and a Communications Manager, bringing the total headcount to 7.

    Office move
    In July 2018 the ODPC moved into new premises that allow sufficient office space for current staff and future growth. An event space was created within the office which will allow the ODPC to deliver on their statutory requirement to raise public awareness of citizens’ data protection rights and to promote awareness of data controllers/processors’ legal duties.

    Systems and data migration
    A key part of the ODPC’s independence from the States has been establishing stand-alone systems, financial controls and infrastructure. This took place during May – August 2018.

    Project work
    Work has commenced on the following projects: what the ODPC funding model from 2020 will look like; re-development of web-based services to bring in-line with upcoming statutory requirements; best practice in investigation and compliance; best practice in data forensics; public/industry engagement via an events programme; and establishing Memoranda of Understanding with key entities.

    The next 6 months
    The key change ahead for local organisations and citizens to be aware of is the end of what the Law calls ‘transitional relief’. Transitional relief relates to the period of time from when the Law was introduced (25 May 2018), to when every aspect of it comes into force (25 May 2019). The year delay was built into our local Law specifically to give local organisations sufficient time to fully prepare for the more complicated areas which are subject to this transitional relief.

    — Notes —


    Key statistics: in the 6 months since 25 May law change

    • 454: Number of additional local organisations who have fulfilled their legal obligation to register with the ODPC
    • 400: Number of email enquiries ODPC have answered
    • 14: Number of speaking engagements by the commissioner and deputy commissioner
    • £667,000: The ODPC’s operating budget for 2018
    • 2: Number of board meetings held by The Data Protection Authority
    • 3: Number of additional staff recruited to ODPC


    Infographic of key milestones (May 2018 – May 2019)










    Transitional relief

    As its name suggests ‘transitional relief’ refers to the year-long grace period following the introduction of the new Law in May 2018. When the Data Protection (Bailiwick of Guernsey) Law, 2017 was introduced the following nine areas did not fully come into force because they are subject to ‘transitional relief’:

    1. Duty to notify pre-collected data (sections 12 & 13)
    2. Duties of joint controllers (section 33)
    3. Duty to carry out impact assessment (sections 44 & 45)
    4. Processor-use duty (section 34)
    5. Processor duty to establish measures (sections 35 & 36)
    6. Duty of processor to obtain controller authorisation (section 36)
    7. Delay of right to data portability (section 14)
    8. Validity of consents obtained before 25 May 2018
    9. New registration requirements (sections 39 & 40)

    What does the end of transitional relief mean for organisations?
    Local organisations should use the remaining 6 months of transitional relief to review how the nine areas impact them and fully prepare themselves to be compliant. A good place to start is to read the ODPC guidance note published in June 2018 at

    What does the end of transitional relief mean for citizens?
    When the transition period ends in May 2019, all islanders will gain a new right of ‘data portability’. This means that they will be legally entitled to request that an organisation which holds their personal data transport it to another organisation. This data must be provided in a machine-readable format that is easy to download, organise, and tag.

    Over the next 6 months the ODPC will be publishing and disseminating further guidance to support local organisations. To ensure you receive this guidance you are encouraged to sign up to the ODPC’s monthly newsletter at:

  • The philosophy of privacy

    Thursday 15th November is World Philosophy Day. Below, our commissioner Emma Martins outlines why it is imperative that we apply a philosophical approach to matters of privacy.

    Philosophy is, I would argue, something of interest in every area of our lives and privacy is no exception.

    The word ‘philosophy’ comes from the Greek ‘philo’ – meaning love, and ‘sophos’ – meaning wisdom, so, philosophy is literally ‘love of wisdom’.

    Philosophy is important because it allows us to develop critical and logical thinking skills which help us to decide what is and what isn’t true. Although it can be used to improve critical thinking and most people want to reason properly, it is often not given the priority it deserves because people who know the least about logic think they know quite a lot thanks to a cognitive bias known as the Dunning-Kruger effect. Most people think they reason properly and understand logic but very few feel a need to improve their understanding of these things.

    But we surely need wisdom in all aspects of our lives? Especially when we are talking about subjects which get to the very heart of what it is to be human, to understand our world, our values, and ourselves?

    Privacy has historical origins in philosophical discourse, most notably Aristotle’s distinction between the public sphere of political activity and the private sphere relating to family and domestic life.

    Although the modern world would be unrecognisable to early philosophers, the principles and importance of philosophy; of wisdom and thought, have never been more relevant and the tools of philosophy can help us to think better, more clearly, and with greater perspective about almost everything.

    Technology is giving rise to new and fundamental questions about human relationships, autonomy and liberty. A philosophical analysis of the social dimension of these advances will ensure that we have technology serving humankind, rather than humankind serving technology.

    Privacy is increasingly a matter of real daily concern with revelations around surveillance, manipulation and security breaches. We live in a big data society where our ‘digital exhaust’ leaves behind a trail of data which gives a comprehensive picture of our lives in its wake – who we know, how we are feeling, our shopping habits, our travel plans…everything! The way in which that information can be scrutinised, profited from, and manipulated has the potential to affect individuals and societies. So how, as individuals and societies, should we frame discussions around rights and responsibilities in our data driven world? The answer must begin with a love of wisdom. Because at its heart, privacy is fundamentally a philosophical question as it relates to treating people fairly (or not) and what the right thing to do is.

    Privacy itself is undeniably difficult to define and measure. If we are talking about the importance of privacy rights, where do those rights come from, what are they designed to do, can they be trumped and if so, by whom and in what circumstances? Philosophy in many cases is about deciding which goals and values are worthy to pursue – what ends are important. We can be scientific or pragmatic about pursuing goals in the most efficient manner, but it is important to have the right or most reasonable goals in the first place. Philosophy is a way of scrutinising ideas about which goals are the most important ones.

    There are many challenging questions that surround the notion of privacy, but that is exactly why philosophical input is vital. If we reduce questions of privacy rights to binary matters of law, we risk hindering important discussions around the human condition.

    Unlike other disciplines, philosophy does not seek to examine empirical facts. The tools of philosophy are important to individuals and to society because as long as we are not omniscient, facts by themselves are not a substitute for philosophy, just as philosophy is not a substitute for facts. Rather, it is about the intelligent and rational uses of those facts, and it is about the objective scrutiny of beliefs to see how clear and how reasonable they are in the light of the facts we have.

    So philosophy encompasses not only logic but notions of a moral and ethical means of understanding. This goes a long way to explain the recent heightened interest around the role of ethics in matters of data privacy by data protection regulators, representing a long overdue acknowledgement that these are as much human, sociological challenges as they are legal and technical. Such interest is to be welcomed and nurtured.

    So, whatever your profession or interest, let’s celebrate World Philosophy Day. For privacy professionals, do not underestimate the importance of wisdom. We must apply philosophical as well as legal analysis to the fast-evolving social, political and technological landscape if we are to engage with them as intelligent human beings.

    Facts, knowledge and science help us live longer, philosophy helps us live better.

    “Excellence is never an accident. It is always the result of high intention, sincere effort, and intelligent execution. It represents the wise choice of many alternatives – choice, not chance determines your destiny.” – Aristotle
