News

  • Enforcement order and reprimand issued to Guernsey Police

    The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
    Public Statement
    Issued: 10:10 20 October 2020
    Controller: Guernsey Police


    1. The Data Protection Authority for the Bailiwick of Guernsey (the Authority) has determined that Guernsey Police has breached section 6(2)(a) of the Law.

    2. The Authority finds that Guernsey Police did not process special category personal data relating to an individual in a lawful, fair and transparent manner. In particular, the individual’s personal information was processed without the demonstrable consent that was needed in this case.

    3. This led to the individual lodging a formal complaint to the Authority regarding the processing of personal data by Guernsey Police under section 67 of the Law.

    4. The Authority finds that Guernsey Police was unclear as to how the processing was compliant with the requirements of the Law, section 6(2)(a) in particular, and the procedures around the sharing of data in these circumstances evidenced a lack of compliance.

    5. The Authority is therefore satisfied that Guernsey Police failed to comply with section 6(2)(a), the principle relating to “Lawfulness, Fairness and Transparency”.

    6. The Authority is clear that where organisations do not ensure that personal data is processed in a lawful, fair and transparent manner, consideration will be given to the appropriate sanction including the issuing of a fine.

    7. In this case, the Authority has identified the following mitigating factors –

    • The complaint and investigation focused on the sharing of personal data (including special category data) in relation to a single data subject;
    • The Authority is not aware of any other complaints having been made about Guernsey Police in relation to such processing;
    • Data was shared with two professional teams who the Police believed would be able to assist the data subject;
    • When made aware of the complaint, Guernsey Police sought the destruction of the shared information and confirmation of destruction was provided by the parties with whom the data had been shared;
    • It is recognised that Guernsey Police has commenced a review into the existing procedures to support those people they deem vulnerable following an admission that the procedure was not compliant with the requirements of the Law; and
    • Guernsey Police has cooperated with the Authority.

    8. Considering the above factors, the Authority has, by written notice to Guernsey Police, imposed a formal enforcement order to bring specified processing operations into compliance and a reprimand for the lack of compliance.

    Legal Framework
    • This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).
    • No detailed information will be provided to protect the identity of the individual and the circumstances of the case.
    • Individuals can make a formal complaint (under section 67 of the Law) to the Authority if they think that a controller has breached the Law and it has affected them.
    • In this case, the controller is Guernsey Police.
    • The Authority may investigate a complaint in accordance with section 68 of the Law. Section 71 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.
    • In accordance with section 71, the Authority, having made the breach determination, will consider which sanction to impose against the controller.
    • Section 73 sets out the sanctions that are available to the Authority where a breach determination has been made. Having considered the details of this case, the Authority has imposed an enforcement order and reprimand against the controller.
    • Section 84 provides for an appeal to the Court against a breach determination made by the Authority. Any such appeal must be made within 28 days. In this case the appeals period has now passed.
    • If the Authority makes a breach determination, the Authority may by written notice to the person concerned impose all or any of the following sanctions against that person –
    a) a reprimand,
    b) a warning that any proposed processing or other act or omission is likely to breach an operative provision, and
    c) an order under subsection (2) including an administrative fine.

  • ‘The Feel Good Guide to Data Protection’ published

    The Feel-Good Guide to Data Protection

    We have today published ‘The Feel-Good Guide to Data Protection’.

    This guide is for those of you who are new to data protection and want an easy and enjoyable introduction that will help you get your organisation/business up to speed, and inform/empower you as a citizen.

    It has been written to help you engage with data protection in a positive way, to see:

    • its value to individuals,
    • its benefits to business, and
    • its place in human society.

    In the guide you will discover that data protection boils down to treating people well.

    The Feel-Good Guide to Data Protection covers:
    1. Background: What ‘personal data’ is (and is not).
    2. Background: What ‘processing’ personal data means.
    3. What the aim of data protection is.
    4. Why you should care about protecting people’s data.
    5. What your organisation/business’ duties are under local data protection law.
    6. How to get started on bringing your activities in-line with the Law.
    7. How your organisation/business benefits from protecting the personal data in its care.
    8. Where to get advice, support and guidance.

    DOWNLOAD: The Feel-Good Guide to Data Protection

  • Registration and beyond: changes coming in January 2021

    Visit odpa.gg/2021 to find out more.

    The Office of the Data Protection Authority (ODPA) is notifying all organisations in the Bailiwick of the need to register with them and pay an appropriate fee from next year.

    This change comes into effect in January 2021 and all organisations, businesses and sole traders that handle data about people will have a legal obligation to complete a registration under The Data Protection (Bailiwick of Guernsey) Law, 2017. The exemption period currently in place ends on 31 December and the ODPA is reaching out to the regulated community in Guernsey, Alderney, Herm and Sark to make sure everyone knows what is changing, why it’s changing, and what they need to do.

    The Bailiwick’s Data Protection Commissioner, Emma Martins, confirmed the new framework is the result of 18 months’ work and looks forward to working with all local organisations engaging with data protection.

    ‘We have been liaising closely with the States of Guernsey on this new reporting and funding model and it is designed to be fair, simple and innovative, recognising that organisations want regulatory administration processes to be as straightforward as possible. Their time should be spent looking after data well, not completing forms that do little to assist in overall compliance standards.’

    ‘The simple act of registering does not make a business compliant with the Law – how they treat people’s data determines that. We are keen to register organisations from January and help them understand and engage positively with their legal duties under our local data protection law.’

    To help make this process as straightforward and accessible as possible, there will be a link from the final page of the Guernsey Registry’s online annual validation process which will point to the ODPA’s online registration process. This is to remind people of the legal requirement to register under the data protection law if they are working with personal data.

    The annual levy to be paid to the ODPA is based on the number of employees in each organisation. It has been set at £2,000 per year for businesses with 50 or more full-time equivalent staff, and remains at £50 for all other entities. This will help fund the ODPA’s activities. Charities and non-profit organisations must register, but do not need to pay any levy.

    Entities, such as corporate service providers, who currently register a number of entities with the ODPA can, from January 2021, opt to become an ODPA Levy Collection Agent (LCA). This will allow them to continue registering their administered entities with the ODPA and collect the relevant fees from them. LCAs must be registered with or regulated by the GFSC. If you wish to act as an LCA you will need to prepare, in consultation with the entities you wish to register, prior to the Christmas break so that you can give the ODPA an accurate count of how many confirmed entities you are registering during January-February 2021.

    Mrs Martins added,

    ‘From 2021, LCAs will provide a second route to register with the ODPA for certain organisations and allow them to outsource this administrative task. Local corporate services providers that are registered with or regulated by the GFSC can act as LCAs, and will help in raising awareness of the legal requirement to register with us. Organisations who register via an LCA can then focus on looking after the data in their care, reaping the benefits of building trust and confidence with their customers, service users, staff and any other people whose data they use. This shift in focus from annual box-ticking, to a truly embedded culture of looking after people’s data well helps avoid data harms that can damage people’s lives, careers, and reputations.’

    All local organisations handling people’s data, regardless of their size or the nature of their business, are encouraged to visit odpa.gg/2021 to find out more.

    Notes: 

    About the changes to ODPA Registration & Levy Regime
    From 2021, a new registration and levy regime (approved by the States of Guernsey) will be in place for the Office of the Data Protection Authority (ODPA). This regime requires all controllers and processors established in the Bailiwick who process personal data to:

    • complete an annual return during January-February of each year (as opposed to at any point during the year) to the ODPA, and
    • pay an annual levy.

    The other thing that is changing is that, from 2021, there will be two routes to registering with the ODPA:

    • Route 1: Register directly with ODPA (available to everyone)
    • Route 2: Register via an ODPA Levy Collection Agent (LCA) (only available to certain entities)

    For more details on the changes please see ‘Everything you need to know about: ODPA Registration & Levy Regime’ at odpa.gg/2021.

    About ODPA Levy Collection Agents (LCAs)
    Starting in January 2021 there is an opportunity for certain entities to become an ODPA ‘Levy Collection Agent’ (LCA) allowing them to register other entities with the ODPA. This opportunity was created by The Data Protection (General Provisions) (Bailiwick of Guernsey) (Amendment No. 2) Regulations, 2020.

    For more details about LCAs please see ‘Guidance Note: Registration via an ODPA Levy Collection Agent’ at odpa.gg/2021.

  • Lowest number of data breaches: less data harms, or less engagement?

    The Office of the Data Protection Authority (ODPA) has published its latest breach statistics and emphasised the need for local organisations to continue positively engaging with their legal duties around how they handle people’s data.

    Twenty-one personal data breaches were reported to the ODPA in the two months leading up to 31st August 2020. Just over half of these (12 incidents) happened when personal data was accidentally sent to the wrong person by email and the next highest figure was composed of instances where data was sent to the incorrect recipient by post, which totalled just under a fifth (4 incidents).

    The 21 breaches were split across a variety of sectors, with the bulk of the incidents stemming from public authorities (6), retail/wholesale (5) and legal (3). There were also two breaches which originated from employment agencies and the remaining number were split evenly across five other sectors.

    This period’s reported breaches are the lowest on record. On the face of it this implies a positive shift: fewer reported data breaches could be the result of increased awareness of the importance of preventing data breaches from happening in the first place, leading to fewer data harms occurring. Equally, the opposite could be true: the low number of reported breaches could indicate under-reporting, a lack of engagement in looking after people’s data well, and data harms going undetected.

    Emma Martins, the Bailiwick’s Data Protection Commissioner, commented,

    ‘Whilst on the one hand we welcome the low numbers of breaches, we also recognise that our reporting figures are unlikely to reflect the true picture. Some organisations will suffer breaches but not be aware of them, and others may be aware but not report them. Awareness of, and ability to respond to, data breaches is essential for all organisations; not just because there is a legal duty to report them to the ODPA, but importantly because data governance is inextricably linked to business success. Organisations thrive on trust and confidence, so the way they look after people’s information is critical in building and maintaining both. We work hard to support and encourage the regulated community to deliver the highest standards of data protection. We also recognise that things do go wrong and that by engaging positively with organisations, we hope they will continue to trust us to handle breach reports in a constructive way and one which seeks to learn and improve.’

    Effective breach management is an essential part of data governance for all organisations and the reporting of breaches that meet the threshold is a statutory requirement.

    It is important to remember that behind the breach statistics there are human beings who have potentially been significantly affected. Because of this it is crucial that organisations carefully consider the impact on the people whose data has been affected when assessing the level of risk. Organisations must have robust mechanisms in place for accurately reviewing the possible impact and the risk level associated with each individual breach, appreciating that the risk may not necessarily be obvious and may not manifest itself immediately.

    NOTES 

    Figure: The ODPA have released bi-monthly personal data breaches statistics since October 2018. The most recent period (July-August 2020) is the lowest recorded.

    Breach reporting
    One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it (see section 42 (2) of the Law). Organisations can report breaches to the ODPA via odpa.gg/breach-reporting.

    Why does the ODPA publish breach statistics?
    The ODPA has published statistics of the number of breach reports it receives, every 2 months since October 2018. Publishing this information allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.

     Number of personal data breaches reported to ODPA (2018 – present):

    Period                          Breaches   Related ODPA statement
    2 months to 31 August 2020      21         Lowest number of data breaches: less data harms, or less engagement? (details above)
    2 months to 30 June 2020        34         Learning and improvement the route to a culture of compliance
    2 months to 30 April 2020       30         Commissioner ‘encouraged’ by consistent breach reporting trend
    2 months to 29 February 2020    28         Lowest number of breaches in more than a year
    2 months to 28 December 2019    48         Data Protection Commissioner calls for a culture of improvement
    2 months to 27 October 2019     44         Data breaches: workplace culture change needed
    2 months to 26 August 2019      32         Human behaviour remains key risk to protecting data
    2 months to 25 June 2019        50         Data Protection Commissioner cautions against a ‘culture of blame’
    2 months to 22 April 2019       40         Human error remains biggest risk in data protection locally
    2 months to 22 February 2019    45         ODPA report further increase in local data breaches
    2 months to 18 December 2018    28         Increase in local data breaches
    2 months to 18 October 2018     26         ODPC offers advice after increase in local data breaches

    How are personal data breaches categorised?
    The ODPA individually assess each breach reported to them and assign them to one of the eleven categories listed below. Nine of the eleven categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. One of the eleven categories (‘cyber incidents’) can be either accidental or deliberate. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious. 

    No.  Category                                   Normally considered
    1    Loss of data/paperwork/device              accidental
    2    Data sent to incorrect recipient – email   accidental
    3    Data sent to incorrect recipient – post    accidental
    4    Data sent to incorrect recipient – fax     accidental
    5    Inappropriate access                       accidental
    6    Inappropriate disclosure                   accidental
    7    System error                               accidental
    8    Cyber incidents                            accidental or deliberate
    9    Unauthorised access                        deliberate
    10   Unauthorised disclosure                    deliberate
    11   Other                                      accidental or deliberate

    What is a personal data breach?
    A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

    What is the threshold for reporting a data breach to the ODPA?
    Organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident (see section 42 (5) of the Law). It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

    What are a person’s ‘significant interests’?
    A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

  • Fine issued to Sure over directory inaccuracies

    The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law)
    Public Statement
    Issued: 09:00 2 September 2020
    Controller: Sure (Guernsey) Limited

    1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).

    2. The Law seeks to ‘…protect the rights of individuals in relation to their personal data, and provide for the free movement of personal data…’, and the Authority is the independent regulatory body responsible for overseeing it.

    3. Following an inquiry conducted under section 69 of the Law, the Authority determined that Sure (Guernsey) Limited breached the Law in relation to its collation and publication of The Bailiwick of Guernsey Telephone Directory 2019/2020.

    4. The Authority has fined Sure (Guernsey) Limited £80,000 for a lack of transparency as to how personal data was to be processed and for publishing personal data which contained inaccuracies and in some cases was contrary to subscribers’ wishes.

    5. Sure (Guernsey) Limited has the right to appeal this fine.

    6. The Authority confirmed that the Law requires all fine monies to be paid to the States of Guernsey’s general revenue account.

    7. Chairman of the Authority, Richard Thomas CBE, commented:

    “This is the first fine that the Data Protection Authority has imposed under the new Law. It was unanimously agreed by all members of the Authority. Although this fine is substantially lower than the maximum which the Law permits, we hope it will bring home the importance of taking great care with people’s personal information.”

    8. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented:

    “The data protection law provides organisations with a range of accountability tools to ensure appropriate technical and organisational measures are in place including being prepared to deal swiftly and effectively with any breach. In taking this action, the Authority has responded appropriately and proportionately to the evidenced compliance failures. We welcome the positive steps Sure have taken since this incident to ensure better data governance of the personal data in their care.”

    For more information please refer to the administrative fine order.

    Legal Framework

    1. This is a public statement made by the Data Protection Authority (the Authority) under section 64 of The Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law).

    2. The Authority may conduct an Inquiry on its own initiative (under section 69 of the Law) into whether a controller or processor has breached or is likely to breach an operative provision of the Law.

    3. In this case, the controller is Sure (Guernsey) Limited.

    4. Section 72 of the Law requires the Authority to determine whether or not there has been a breach of an operative provision of the Law.

    5. Section 73 of the Law sets out the sanctions that are available to the Authority where a breach determination has been made.

    6. Having considered the details of this case, the Authority has imposed an administrative fine order under sections 73(2)(g) and 74 of the Law.

    7. Section 84 of the Law provides for an appeal by the controller to the Court against a determination made by the Authority. Any such appeal must be made within 28 days.

  • ODPA Annual Report (2019) published

    The Office of the Data Protection Authority (ODPA) has published its annual report for 2019 which details the highlights from the first full year of its activities under The Data Protection (Bailiwick of Guernsey) Law, 2017 which came into effect in May 2018.

    The Authority has identified a number of key achievements, including taking steps towards full independence from the States of Guernsey, which ensures statutory duties can be carried out with the highest standards of integrity and accountability, along with project management and delivery of a self-funding model that is to be introduced in 2021.

    Commenting on 2019’s activities, Emma Martins, the Bailiwick’s Data Protection Commissioner, said:

    “We have seen evidence of a global awakening of the extraordinary scale and impact of personal data processing in this digital area and how it goes to the very core of who and what we are as human beings.

    “At its heart, data protection is about protecting and empowering individuals and I am delighted that, despite some early challenges, the law in the Bailiwick is now working well. It is clear that data protection is starting to bed into everyone’s personal and professional lives, not just locally, but across the globe.

    “Against the global backdrop of economic and political uncertainty, we want to ensure that the Bailiwick maintains a high-quality, stable and forward-looking regulatory environment which recognises that innovation and good governance are interdependent.”

    The ODPA’s report highlights progress made towards its five strategic objectives:

    1. delivering its enhanced statutory duties;
    2. being a relevant, responsive and effective regulator;
    3. supporting organisations to meet their obligations and empowering individuals to exercise their rights;
    4. developing and maintaining effective relationships; and
    5. elevating discussions around the protection of personal data.

    The Chair of the Data Protection Authority, Richard Thomas CBE commented on why data protection matters,

    “Data Protection is actually People Protection. In the real world, where personal information has now become incredibly valuable, it protects people’s privacy and it protects them from a wide range of social and economic harms which threaten their well-being. Data protection equally protects organisations. There cannot be any organisation – private, public or voluntary sector – that does not handle personal information. Getting data protection right for their customers, clients, suppliers, patients, citizens and voters is simply a matter of self-interest.

    Mr Thomas concluded,

    “For the Bailiwick, there is a further reason why data protection matters. Soon, in accordance with the General Data Protection Regulation (GDPR), the European Commission will decide whether the Bailiwick should keep its ‘Adequacy’ status. Loss of that status, which permits the free flows of personal data which underpin the global digital economy, would be devastating for the financial services industry and other parts of the Bailiwick’s economy.

    “Of course, the European Commission is scrutinising the 2017 Law to make sure that it closely mirrors GDPR’s provisions. But it is also required to make sure that Guernsey has a genuinely independent supervisory authority that can demonstrate effective functioning.”

    DOWNLOAD: ODPA Annual Report 2019

  • EU/US Privacy Shield data transfers invalid

    The Office of the Data Protection Authority (ODPA) is alerting local organisations to take note of a recent judgement from the Court of Justice of the European Union (CJEU) which affects all businesses who transfer personal data outside of the Bailiwick and the EU.

    On 16 July 2020 the CJEU ruled that the EU-US legal framework for data transfers known as ‘Privacy Shield’ is invalid. This means that local organisations need to take steps outlined below to ensure they have proper safeguards around any data transfers that rely on either ‘Privacy Shield’ or EU ‘Standard Contractual Clauses’.

    The now invalid Privacy Shield was a legal framework between the EU and the United States of America (US) that allowed personal data from the EU to be transferred to the US. ‘Standard Contractual Clauses’ (SCCs) are a set of terms and conditions organisations use to protect personal data transferred outside the European Economic Area (EEA).

    The CJEU ruled on both Privacy Shield and SCCs in their judgement of 16 July 2020. They concluded in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18, “Schrems II”), that Privacy Shield is invalid but affirmed SCCs’ validity.

    The background which led to this CJEU judgement goes back many years and involves Maximillian Schrems, an Austrian activist and author. In 2013, Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner seeking to stop Facebook transferring personal data from Ireland to the US. Schrems’ complaint related to Facebook’s alleged involvement in the ‘PRISM’ surveillance programme.

    The ODPA emphasises that the CJEU’s judgement:

    • highlights the crucial role of privacy protections;
    • emphasises that these protections must travel with data;
    • relates to all non-EEA and non-‘adequate’ jurisdictions, not just the US; and
    • makes clear that these types of data transfers cannot be a tick-box exercise.

    The Bailiwick is currently recognised by the European Commission as an adequate jurisdiction for the purposes of the General Data Protection Regulation (GDPR). This means that personal data can flow freely between the Bailiwick and the EEA.

    The ODPA is keen to provide clear and consistent advice and support to local organisations. This multi-layered and complex judgement requires analysis and guidance. The European Data Protection Board (EDPB) have published an early statement indicating that further guidance will be published in due course which will provide clarification and support consistency.

    In the meantime, considering the immediate effect of Privacy Shield being invalid, any local organisations that may be affected should do the following:

    1. Identify if you have been relying on the EU-US Privacy Shield for data transfers. You will need to check the terms of service, contracts or Privacy Statements for all third parties you may use to process your data (e.g. Eventbrite, Facebook, MailChimp, LinkedIn, Twitter, Instagram, Basecamp, Slack etc.)
    2. If you find that you have been relying on Privacy Shield you must work towards an alternative. Please refer to sections 56, 57 and 59 of The Data Protection (Bailiwick of Guernsey) Law, 2017 for details of data transfer requirements.
    3. If you are relying on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), you must comprehensively review them and ensure they accurately reflect detailed consideration of risks and safeguards. Whilst the CJEU judgement recognises SCCs as valid, it also raises significant questions around their use. It is clear that relying on ‘derogations’ (such as SCCs or BCRs) in light of this judgement is no longer a straightforward matter and reliance upon any mechanisms cannot be a paper exercise.
    4. Whilst this judgement does not prohibit data transfers outside of the EEA and adequate jurisdictions, you do need to carefully review your position and invest resources into ensuring appropriate safeguards are in place.

  • Blog: World Day of International Justice

    To mark World Day of International Justice, our commissioner Emma Martins reflects on justice, individuals’ rights, and the fair treatment of human beings. 

    The World Day of International Justice is celebrated throughout the world on 17 July as part of efforts to recognise the importance of international criminal justice. It marks the date of the adoption of the treaty that created the International Criminal Court (ICC). The ICC investigates crimes of concern to the international community such as genocide, war crimes and crimes against humanity.

    Taking a look at the ICC’s website, one of the first things you will see is the following statement –

    Justice is a key requisite for lasting peace. International justice can contribute to long-term peace, stability and equitable development in post-conflict societies.

    We live in a world where so many people do not have the rights that we, in our community, have and often take for granted. And a day such as this, which you may think has little or nothing to do with you, is a good opportunity to understand and appreciate its relevance to our lives and to the lives of others.

    Justice is a word we use and hear a lot – often in the context of ‘fighting for’ or ‘defending’ but how often do we reflect on what we mean by it and what others mean by it as well as the role it plays in our lives?

    The root of the word itself, ‘just’, comes from the Latin ‘jus’ meaning right or law and is commonly seen as based on behaving according to what is morally right and fair.

    As with the ICC, it is a term often used in the context of law but it is also strongly related to culture. Justice is perceived and applied differently across the globe and what it looks like in any particular place says a lot about that community and culture; what it values; who it values; who has power and who doesn’t.

    Early theories of justice came from the Ancient Greek Philosophers. Aristotle considered justice to consist of what is lawful and fair, with fairness involving equitable distributions and the correction of what is inequitable.

    In our modern world, the distribution of wealth is largely decided by governments using tax laws and the correction of what is inequitable is largely determined through civil and criminal law. Laws are the basis of much of our lives, shaping and directing so much of our behaviour, sometimes in ways we give little or no thought to. Think how intuitive it is to put a seatbelt on. I very much doubt that when you do so, you are thinking ‘I am only doing this because the law says I must’; you do it because it has simply become embedded in normal, everyday behaviour.

    Certainly, law raises important and complex issues around equality, fairness and justice. What sort of society do we want to live in? How do we want to treat each other? How do we want to be treated? Looking at the legislation in place in any jurisdiction will give answers to many of these questions and the fact that we live in a small jurisdiction does not mean that those issues are any less relevant. As Albert Einstein said –

    “In matters of truth and justice, there is no difference between large and small problems, for issues concerning the treatment of people are all the same”.

    Looking at the legal foundations that underpin our lives, data protection is one of a suite of laws that provides specific rights to individuals (this podcast talks through the seven data protection principles) and is seen as essential for a functioning democracy. Indeed, the link between privacy and democracy is not at all accidental. If you look at those countries with strong data protection and privacy laws, you will also see countries that have committed to strong human and democratic rights.

    Not only is the need for proper protection of our personal data becoming increasingly important as we speed into the digital age (listen to this podcast on your digital footprint, and this podcast on cyber security for more context), it is also a right from which other rights derive – rights such as freedom of association and freedom of speech.

    In the context of justice, equality and fairness, I want to highlight one specific element of data protection legislation here in the Bailiwick (and across Europe); the fact that certain types of personal data are afforded much higher levels of protection than others.

    The law calls this special category data and it consists of the following –

    • Data revealing an individual’s racial or ethnic origin, political opinion, religious or philosophical belief or trade union membership
    • Genetic data
    • Biometric data
    • Health data
    • Personal data concerning an individual’s sex life or sexual orientation
    • Criminal data

    It is a list of data types that, for those working in data protection, will likely have been discussed at length on training courses and studied and memorised for exams. I would, however, like to encourage us to think a little deeper about this list, not from a perspective of law or legal text, but from the perspective of a human being.

    I have picked out a few examples to help illustrate –

    • Racial or ethnic origin – even before the Black Lives Matter protests swept the globe, questions of race and bias were rarely out of the news. In the UK last year, concerns were raised by scientific and civic groups about the possible intrinsic biases in facial recognition software used for law enforcement purposes that disadvantage black, Asian and minority ethnic individuals.
      (See BBC article: Use of facial recognition tech ‘dangerously irresponsible’)
    • Political opinion – Itai Dzamara was a Zimbabwean journalist and pro-democracy campaigner who disappeared in 2015. He had previously been targeted by state security agents and suffered beatings, abductions and unlawful detentions; his subsequent disappearance is widely believed to be the work of the state because of his pro-democratic views.
      (See BBC article: Itai Dzamara: The man who stood up to Zimbabwe’s Robert Mugabe and vanished)
    • Religious or philosophical belief – The ways in which the Nazi regime collected data to identify, log and locate the Jewish population facilitated the holocaust (listen to this podcast for context on this). It is so important for us to remember that data protection laws include the often-hidden agenda of preventing the reappearance of oppressive regimes that seek to use data for nefarious purposes.
    • Sexual orientation – same-sex sexual activity is a crime in around 70 countries, with some even imposing a death penalty. A photograph was taken of a woman waving a rainbow flag at a concert in Cairo in June 2017 and widely circulated. Sarah Hegazi was identified and subsequently arrested, tortured and imprisoned for three months as part of a crackdown by authorities. After her release she was given asylum in Canada but took her own life in June 2020.
      (See CBC article: LGBTQ activist Sarah Hegazi, exiled in Canada after torture in Egypt, dead at 30)

    These few examples illustrate how interwoven the question of individuals’ rights is with the way in which identifying information is collected, recorded and used, and the profound effect it can have on people’s lives and on how justly they are treated.

    Relating personally to these events may feel like a bit of a leap because they are so alien compared to the world in which we live. But the public health crisis has brought into stark focus that, as much as we are part of a strong local community, we are also part of a wider global community.

    Our lives connect in so many ways, so to end with another quote, this time from Martin Luther King,

    “Injustice anywhere is a threat to justice everywhere”.

  • Learning and improvement: the route to a culture of compliance

    The Office of the Data Protection Authority (ODPA) has published its latest breach statistics and emphasised the need for learning and improvement to better safeguard personal data handled in the Bailiwick and build a culture of compliance.

    Figure: 34 personal data breaches reported to ODPA between 1 May 2020 – 30 June 2020 by category.

    Thirty-four personal data breaches were reported to the ODPA in the two months leading up to 30 June 2020. Just under three-quarters of these (22) happened when personal data was accidentally sent to the wrong person by email. There were two instances where data was sent to the incorrect recipient by post.

    Other self-reported breaches for the two-month period included three of inappropriate access, three cyber incidents, two of unauthorised disclosure, one of unauthorised access and one loss of data/paperwork/device.

    The 34 breaches were split across a variety of sectors: five from public authorities, four from fiduciary entities and three each from banking, insurance and retail/wholesale establishments. Charities/not-for-profits, education/training organisations, investment organisations and legal practices all reported two each, with the remaining eight split across five other sectors.

    This is the second set of statistics covering the Covid-19 lockdown period and, again, the figures show a number of breaches similar to that reported since collation of the data began two years ago.

    The Bailiwick’s Data Protection Commissioner, Emma Martins, commented on the continuing trend.

    ‘We would like to offer our thanks to those businesses and organisations that have managed to continue to fulfil their statutory duties under the recent challenging circumstances. Whilst it’s largely reassuring that the number of reported breaches is remaining consistent, perhaps it’s time to ask organisations that don’t routinely report to us to have another look at their procedures to ensure that there aren’t breaches occurring that we should be advised of.’

    Mrs Martins continued by highlighting that the Authority’s mandate is to educate and engage not just enforce.

    ‘Our aim is to help and empower all organisations, large or small, to handle personal data correctly because first and foremost we want to prevent breaches from happening in the first place. If we are going to do that effectively we need to have good knowledge and understanding of the nature of incidents and how often they are occurring. That in turn will enable us to provide more relevant and targeted support and guidance to those most at risk. Now that lockdown has eased, our fortnightly drop-in sessions to support our local regulated community are starting again on 22 July so local businesses and organisations can visit our offices and meet with a member of staff for advice. We are committed to building a culture of compliance for the Bailiwick; one that recognises that we’re all only human and we all make mistakes, but by learning from those mistakes and improving how we work, we can strive for better levels of data protection, benefitting our community and our economy.’


    NOTES:

    • Fortnightly drop-ins
      Anyone representing an organisation can come along to the ODPA’s fortnightly drop-in sessions which are normally held between 09:00 – 12:00 every other Wednesday morning.
    • Breach reporting
      One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it. Organisations can report breaches to the ODPA via odpa.gg/breach-reporting.
    • Why does the ODPA publish breach statistics?
      The ODPA has published statistics of the number of breach reports it receives, every 2 months since June 2018. Publishing this information allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.
    • Number of personal data breaches reported to ODPA (June 2018 – present):

      Period (2 months to)   Breaches   Statement
      30 June 2020           34         details above
      30 April 2020          30         Commissioner ‘encouraged’ by consistent breach reporting trend
      29 February 2020       28         Lowest number of breaches in more than a year
      28 December 2019       48         Data Protection Commissioner calls for a culture of improvement
      27 Oct 2019            44         Data breaches: workplace culture change needed
      26 Aug 2019            32         Human behaviour remains key risk to protecting data
      25 Jun 2019            50         Data Protection Commissioner cautions against a ‘culture of blame’
      22 Apr 2019            40         Human error remains biggest risk in data protection locally
      22 Feb 2019            45         ODPA report further increase in local data breaches
      18 Dec 2018            28         Increase in local data breaches
      18 Oct 2018            26         ODPC offers advice after increase in local data breaches


    • How are personal data breaches categorised?
      The ODPA individually assesses each breach reported to it and assigns it to one of the eleven categories listed below. Nine of the eleven categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. One of the eleven categories (‘cyber incidents’) can be either accidental or deliberate. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious.

      1. Loss of data/paperwork/device – accidental
      2. Data sent to incorrect recipient – email – accidental
      3. Data sent to incorrect recipient – post – accidental
      4. Data sent to incorrect recipient – fax – accidental
      5. Inappropriate access – accidental
      6. Inappropriate disclosure – accidental
      7. System error – accidental
      8. Cyber incidents – accidental or deliberate
      9. Unauthorised access – deliberate
      10. Unauthorised disclosure – deliberate
      11. Other – accidental or deliberate
    • What is a personal data breach?
      A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.


    • What are a person’s ‘significant interests’?
      A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.
  • States of Guernsey approves ODPA self-funding model

    The States of Guernsey is supporting a self-funding model for the Office of the Data Protection Authority (ODPA), to reinforce its role as a fully independent regulatory body.

    The ODPA is the operational body that carries out the regulatory functions of The Data Protection (Bailiwick of Guernsey) Law, 2017 delegated by the Data Protection Authority. Its new self-funding model means that, from January 2021, most of its operational costs will be met by annual fees paid by the regulated community (i.e. local businesses and other organisations who handle personal data), with the States of Guernsey contributing around £300,000 per year.

    The way the ODPA is funded has changed because it is legally and politically obliged to operate independently of the States of Guernsey. Reinforcing this independence is an important part of the ODPA’s effective regulatory oversight, and being able to demonstrate this independence is critical to the Bailiwick retaining its ‘adequacy’ status with the European Commission. This status allows the free-flow of data between the islands and the EU which is crucial to the Bailiwick’s current and future economic success.

    Deputy Mary Lowe, President of the Committee for Home Affairs said,

    ‘Data is an essential part of the modern economy. It is a precious commodity in both our business and personal lives and needs to be properly safeguarded. The Committee has been working closely with the Authority and we are in agreement that moving the ODPA to become self-funding will prove important in demonstrating that while the States creates the Data Protection legislation, the Authority is able to act without fear or favour in its investigations.’

    Emma Martins, the Bailiwick’s Data Protection Commissioner, commented on the work that has led to this point,

    ‘The States of Guernsey civil servants, politicians, as well as ODPA staff and board members have worked hard since 2018 to reach agreement on how best to fund the ODPA. Our focus was always on ensuring that we agreed on a low-cost, low-admin model that is as fair as possible to local businesses. Especially at this challenging time for everyone, we want people to focus their efforts on running their businesses well, rather than filling in bureaucratic forms. We are pleased to finally be in a position to start work preparing for the changes ahead and we will publish further details over the coming months.’

    FREQUENTLY ASKED QUESTIONS

    Q: What is personal data? 
    It is any information that relates to an identified or identifiable living person. Things like: your name, your address, your medical records, CCTV footage of you, your social media activity, your internet browsing history, what your boss once said in an email about you, your political views, your sexuality etc.

    Q: What is ‘processing’ personal data? 
    ‘Processing’ refers to pretty much anything an entity* does with personal data. It includes activities like: collecting, storing, organising, using, altering, disclosing, erasing and destroying personal data. Profiling is also considered to be processing.
    *An ‘entity’ could be: your bank, a school, your plumber, the States of Guernsey, an online retailer, a social media platform, your employer, a politician acting in their official capacity, the supermarket you shop at, your GP’s practice, your insurer, in short: anyone who is deciding how your personal data is used. These sorts of entities are called ‘controllers’ in data protection law.

    Q. What is changing?
    From 2021, a new registration regime (approved by the States of Guernsey) will be in place for the Office of the Data Protection Authority (ODPA). This regime means that all controllers and processors established in the Bailiwick that process personal data will be legally required to register with the ODPA and pay a fee each year.

    Q. Why is the registration regime changing?
    The new data protection legislation that came into force for the Bailiwick in 2018 (The Data Protection (Bailiwick of Guernsey) Law, 2017) provided for the creation of an independent regulator. The funding mechanism that was in place prior to that time was maintained until the end of 2020 to allow for political agreement on a sustainable and efficient funding model for the future.

    Q. Who decided to make these changes?
    The States of Guernsey agreed that the ODPA should be self-funding to ensure full independence.

    Since legislation came into force in 2018, the ODPA has been working with the States of Guernsey to agree a new registration regime to enable this. All parties have focused on providing a regime that is as low cost and administratively straightforward as possible for organisations.

    The Committee for Home Affairs agreed the new model in February 2020 and the Policy and Resources Committee agreed it in March 2020. The ODPA was then tasked with implementing the model ready for January 2021.

    Q. I am registered with the ODPA now, what does it mean for me?
    If you are currently registered with the ODPA, you will need to provide the ODPA with new information confirming your registration, between January-March 2021. If you complete an annual validation with Guernsey Registry, you will be prompted to complete your ODPA registration at the end of the Registry’s process. If you do not complete an annual validation with Guernsey Registry, you can simply register directly via the ODPA’s website.

    Q. I am not currently registered with the ODPA, what will I have to do?
    If you are not currently required to register with the ODPA because you benefit from the limited exemptions (see odpa.gg/exemptions for details), those exemptions will end at the end of 2020 (the only exception is for domestic/household purposes). You will therefore need to register and pay between January-March 2021. If you complete an annual validation with Guernsey Registry, you will be prompted to complete your ODPA registration at the end of the Registry’s process. If you do not complete an annual validation with Guernsey Registry, you will be able to register directly via the ODPA website. You will need to do this between January-March 2021.

    Q. I am a charity/not-for-profit, what does this mean for me?
    You will need to complete the registration process as above between January-March 2021, but you do not need to pay.

    Q. How much will it cost?
    It is recognised that no one wants to pay large administrative costs for running a business, however big or small. The ODPA has always been absolutely clear that its funding model should be as cost effective as possible. The 2020 economic climate has redoubled efforts to ensure that all expenditure is proportionate, necessary and has the highest standards of financial and operational governance built in. The ODPA has worked hard, together with the States of Guernsey, to keep the cost organisations are required to pay as low as possible.

    With all of that in mind, there is a simple two-tier cost structure:

    • For small organisations with fewer than 50 full-time equivalent (FTE*) employees, the annual levy will remain £50/year.
    • For large organisations with 50 or more FTEs the annual levy will be £2,000/year.

    * The Regulation will include details on how to calculate your total FTE.

    All charities/not-for-profits will pay zero fee, but must still register and review this each year.

    Q. Where will the money go?
    The new fees regime will allow the ODPA to move towards self-funding status, giving it full financial independence from the States of Guernsey. This independent status is both a political and legal requirement. The ODPA’s statutory responsibilities are set out at odpa.gg/about-us (under ‘Functions of The Authority and ODPA’) and you can see its plan for performing these tasks via the ODPA Strategic Plan (2019-2022) at odpa.gg/strategic-plan.

    The Bailiwick has had a data protection regulator for many years. Up to now, it has received funding from the States of Guernsey, with some income also coming directly from registration fees paid by local organisations. The strengthened data protection regulatory framework has enhanced individuals’ rights to reflect the scale of personal data processing in this digital era. It has also strengthened the role of the regulator, providing for appropriate powers and ensuring independence.

    Q. How often do I need to pay?
    Following your initial registration fee, payable by all (except charities/not-for-profits) in January-March 2021, an annual levy (of either £50 or £2,000 depending on your organisation’s size) will be due during the first quarter of each following year.

    Q. I am responsible for registering a number of entities. What are the changes for us?
    The ODPA is aware that where an organisation is responsible for registering a number of controllers and/or processors a simpler bulk registration process would be helpful. Consideration is being given to this and more information will be released when available.

    Q. I complete an annual validation via Guernsey Registry, how will this process work for me?
    The ODPA wants to make the registration process as easy as possible. This keeps costs to a minimum and avoids distracting you with administrative processes that do little to support overall data protection compliance.

    To this end, the ODPA has worked with Guernsey Registry to make sure you are given a timely prompt to register with the ODPA once you have completed your annual validation with the Guernsey Registry. This allows the process to be as straightforward as possible for you.

    If you prefer, you can of course disregard the prompt at the end of the Guernsey Registry process and simply register directly with the ODPA at a time convenient to you between January-March 2021.

    Q. I do not complete an annual validation with Guernsey Registry, how will this process work for me?
    You will be able to register directly via the ODPA website. The process is designed to be as straightforward as possible whilst recognising that the ODPA have a statutory requirement to collect certain information from you.

    Q. What does the ODPA do with the data it collects for the registration process?
    Following changes to legislation in May 2019, the ODPA is no longer required to maintain a public-facing register of controllers and processors. Therefore, all registration data will be processed internally for administrative purposes only.

    Q. Why do we need to fund a data protection regulator?
    Data increasingly powers the economy as well as affecting our own individual lives, both personally and professionally. The Bailiwick relies on the free flow of data to support and develop the current economy as well as to ensure it is well positioned to take advantage of the emerging digital economy.

    Our government recognises how important data protection standards are for our jurisdiction and has therefore provided high quality legislation to ensure appropriate safeguards sit around the personal data that resides and flows through the Islands. As with any legislation, there needs to be effective oversight – both to ensure people and businesses are supported in complying with the requirements, as well as to ensure that complaints are investigated independently and robustly.

    Whilst most funding has come from the States of Guernsey up until now, this raised challenges in relation to ensuring the ODPA’s independence (both actual and perceived). With government responsible for handling some of the highest volumes and most sensitive personal data in the Bailiwick, fully independent oversight is essential. Once government made the decision to move the ODPA to a self-funding model, a lot of effort went into devising a fair, low-cost, simple registration model that provides the ODPA with sufficient funding.

    Ensuring our jurisdiction has a properly resourced and effective data protection regulator supports islanders’ rights, supports businesses to handle data properly and serves to underpin the Bailiwick’s digital strategy.
