News

  • ODPA response to media enquiries regarding contact tracing

    Local media have asked the ODPA to comment regarding the new data collection requirements for businesses and organisations in light of the move to Phase 4 of the exit and recovery strategy.

    The States of Guernsey have a dedicated data protection team who are responsible for the operational implementation of the data protection law in all areas of government activity. Whilst the ODPA have not been involved in the implementation of this aspect of Phase 4, we are always keen to support the whole regulated community with their compliance duties.

    As part of the Bailiwick community the ODPA welcome the very positive news that we have been able to move to the next phase so swiftly. The ODPA also recognise that a key element of the next phase is going to be efficient, effective and timely contact tracing.

    From Saturday 30 May local businesses and organisations are required to keep records of the names and contact details of all those who visit their premises.

    As with all processing of personal data, it is important that individuals are given information and details about that processing including what personal data is being collected, how it will be used and who else will have access to it. The principles contained within the data protection legislation are there simply to ensure that these elements are included in all processing activities, regardless of their context.

    The reasons for data collection in this context are self-evident, and ensuring all personal data is handled in a compliant manner will ensure that individuals have trust and confidence in the process as well as in the people directing that process.

    For more information about compliance with the local data protection law, please see our Advice, Guidance, and Resources page.

  • ODPA reflects two years on from game-changing law

    ‘A Child in Data’

    On 25 May 2018 the data protection landscape shifted.

    To mark the two year anniversary of the day the EU’s GDPR and the Bailiwick’s local data protection law came into force we have put together a selection of content (presented below) that explores the breadth and complexity of our relationship with personal data, and its protection. We hope you find something of interest, something to be inspired by, or something to share with others.

    Data protection is far from the dry subject many believe it to be, and we hope the diversity and scope of this content helps demonstrate this, encouraging an engagement with the subject that goes beyond sections of a law that we recognise can often seem impenetrable.

    We must all keep in mind that data protection – at its heart – is simple. It’s about treating people with dignity. And from that simple principle, endless complexities emerge.

    It feels like the world we inhabit today bears little resemblance to the world GDPR was born into in 2018. But as we look to emerge out of a global pandemic, where personal data is being used to protect public health, we would do well to keep in mind the relevance of Recital 4 of the GDPR that our use of personal data “should be designed to serve mankind”.

  • Commissioner ‘encouraged’ by consistent breach reporting trend

    Figure: 30 personal data breaches reported to ODPA between 1 March 2020 – 30 April 2020, by category.

    Thirty personal data breaches were reported to the Office of the Data Protection Authority (ODPA) in the two months leading up to 30 April 2020, with the majority occurring through people accidentally sending personal data to the wrong person either by post or email.

    Personal data being sent to the incorrect recipient remains the most common incident. In the latest reporting period, 21 of the 30 breaches fell into this category, with 12 due to email errors and 9 to postal errors. Cyber incidents accounted for four and inappropriate disclosure of data for three, whilst the other self-reported breaches included one of inappropriate access.

    The 30 in total were from a range of sectors, including eight from public authorities, six from healthcare, four from investment, three from fiduciaries, three from retail/wholesale and the remaining six spread across five other sectors.

    The Bailiwick’s Data Protection Commissioner, Emma Martins, observed that this period’s statistics cover the period before Covid-19 had reached Guernsey, as well as the lockdown period.

    ‘I am encouraged to see that this period’s statistics are broadly consistent with the trends we have been reporting since 2018. This indicates that despite the unprecedented pressures local organisations have faced over the past two months, it has not impacted their attention to their legal requirements to look after people’s data, and to report to us when things have gone wrong. I would like to thank our regulated community for not neglecting their statutory duties at this time.’

    Mrs Martins also reiterated comments made back in March regarding the ODPA’s approach to its enforcement role during the Bailiwick’s lockdown period.

    ‘These are not normal times and I want to make it clear that we will not take enforcement action against any organisation who is trying to do the right thing. We know that everyone’s focus is understandably diverted to dealing with new ways of working and the associated challenges for us all, as employers, employees and citizens. We also understand and are realistic about the impact the current disruption will have on compliance and governance, especially in sectors which are now instrumental in the Bailiwick’s response to the unfolding public health situation. Members of the public will also, we hope, understand that organisations may not be able to respond as quickly as usual to requests relating to their personal data. We are part of a community that is pulling together at an extraordinary time and want to ensure we carry out our duties in a responsible and practical manner in the interests of that whole community.’

    The ODPA has also published Q&As related to the pandemic.

    NOTES:

    • Breach reporting

    One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it. Organisations can report breaches to the ODPA via odpa.gg/breach-reporting.

    • Why does the ODPA publish breach statistics?

    The ODPA has published statistics of the number of breach reports it receives, every 2 months since June 2018. Publishing this information allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.

    • Number of personal data breaches reported to ODPA (June 2018 – present):

      2 months to 30 April 2020 – details above: 30
      Lowest number of breaches in more than a year (2 months to 29 February 2020): 28
      Data Protection Commissioner calls for a culture of improvement (2 months to 28 December 2019): 48
      Data breaches: workplace culture change needed (2 months to 27 Oct 2019): 44
      Human behaviour remains key risk to protecting data (2 months to 26 Aug 2019): 32
      Data Protection Commissioner cautions against a ‘culture of blame’ (2 months to 25 Jun 2019): 50
      Human error remains biggest risk in data protection locally (2 months to 22 Apr 2019): 40
      ODPA report further increase in local data breaches (2 months to 22 Feb 2019): 45
      Increase in local data breaches (2 months to 18 Dec 2018): 28
      ODPC offers advice after increase in local data breaches (2 months to 18 Oct 2018): 26


    • How are personal data breaches categorised?

    The ODPA individually assesses each breach reported to it and assigns it to one of the eleven categories listed below. Nine of the eleven categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. One of the eleven categories (‘cyber incidents’) can be either accidental or deliberate. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious.

    1. Loss of data/paperwork/device – accidental
    2. Data sent to incorrect recipient – email – accidental
    3. Data sent to incorrect recipient – post – accidental
    4. Data sent to incorrect recipient – fax – accidental
    5. Inappropriate access – accidental
    6. Inappropriate disclosure – accidental
    7. System error – accidental
    8. Cyber incidents – accidental or deliberate
    9. Unauthorised access – deliberate
    10. Unauthorised disclosure – deliberate
    11. Other – accidental or deliberate


    • What is a personal data breach?
      A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. However, organisations do not have to report an incident that meets the above criteria if it is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.
    • What are a person’s ‘significant interests’?
      A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.
  • ODPA events programme update (21 April)

    Please note our 2020 Events Programme is suspended.

    • Registered attendees
      If you are registered to attend an event we will email you with new details as soon as we are able.
    • Waiting lists
      If you are on a waiting list for an event you will only be contacted if a space becomes available.

    Please visit our events page for more details.

    If you have any questions about our events programme please email communications@odpa.gg.
    Our events programme should be considered in the context of section 61 of The Data Protection (Bailiwick of Guernsey) Law, 2017 which outlines our duty to raise public awareness of citizens’ rights and to promote awareness of controllers/processors’ legal duties.

    Our events programme is a key aspect of our Communications Strategy, and we intend to use our events to effect positive cultural change by:

    • being accessible to local organisations and citizens of all ages
    • improving compliance by building awareness of topical issues in data protection
    • encouraging innovation and excellence in data protection practices
    • exploring official guidance with the regulated community
    • gathering feedback from local industry and individuals

  • Data Protection and Law Enforcement sign MoU

    The Office of the Data Protection Authority (ODPA) and Guernsey Police have signed a Memorandum of Understanding (MoU).

    The MoU formalises how the two organisations can work together: furthering relationships, developing cooperation on matters of mutual interest and ensuring collaborative working where appropriate.

    The agreement also means the ODPA and Police are able to provide each other with investigative support and operational assistance, increasing their overall effectiveness. This includes exchanging information where it is deemed justified, necessary, proportionate and legally permissible.

    Emma Martins, the Data Protection Commissioner for the Bailiwick of Guernsey, commented on this positive development, which formalises the mutual respect and professional courtesy that already exists between the ODPA and the Police.

    “This MoU is an important move in further safeguarding the safety and security of people’s data and privacy in the Bailiwick. It is logical for both the Police and the ODPA to have a framework in place that allows us to collaborate and assist each other in our duties to protect people locally. Together we can try to prevent the harms caused by misuse of data and, where appropriate, bring to task those that wish to, or have, deliberately caused distress.”

    Mrs Martins added, “We are very pleased to have worked closely with the Police to form the agreement and are extremely grateful to all those in the force that helped bring it to fruition.”

  • ODPA takes ‘realistic’ approach to regulatory activity during Bailiwick ‘lockdown’

    The Office of the Data Protection Authority (ODPA) is reassuring local organisations that it is taking a realistic and pragmatic approach to its regulatory activities during the Bailiwick’s ‘lockdown’.

    The ODPA is the operational body that carries out the regulatory functions of The Data Protection (Bailiwick of Guernsey) Law, 2017, delegated to it by the Data Protection Authority. This law places a number of legal obligations on local organisations that handle personal data, and gives Bailiwick citizens 10 rights around how their data is used.

    Whilst the ODPA cannot extend timescales that are defined in law, it would like to reassure local regulated organisations that it is taking a realistic approach to its regulatory activities during the Bailiwick’s lockdown period, which started on Wednesday 25 March.

    Bailiwick Data Protection Commissioner, Emma Martins, emphasised this:

    ‘These are not normal times and I want to make it clear that we will not take enforcement action against any organisation who is trying to do the right thing. We know that everyone’s focus is understandably diverted to dealing with new ways of working and the associated challenges for us all, as employers, employees and citizens. We also understand and are realistic about the impact the current disruption will have on compliance and governance, especially in sectors which are now instrumental in the Bailiwick’s response to the unfolding public health situation. Members of the public will also, we hope, understand that organisations may not be able to respond as quickly as usual to requests relating to their personal data. We are part of a community that is pulling together at an extraordinary time and want to ensure we carry out our duties in a responsible and practical manner in the interests of that whole community.’

    The ODPA’s premises on Le Bordage shut on Monday 23 March and its nine staff members are now working remotely. Staff are available during normal office hours to answer any queries about data resulting from the evolving public health situation, or otherwise, and can be contacted via enquiries@odpa.gg.

    In common with other organisations, all ODPA public events and drop-ins are suspended until further notice. Efforts are underway to support local organisations via online platforms to ensure continued focus on improving compliance and preventing people being harmed by misuse of their data.

  • Protecting personal data in extraordinary circumstances

    With an increased number of the Bailiwick’s workforce working remotely, it’s a good opportunity to explore how best to ensure that your organisation’s protection of personal data is maintained.

    Remember: the object of data protection legislation is to protect people’s rights in relation to how their data is treated.

    All organisations, from sole traders to multinational companies and charities to governments, handle the personal data of their staff, clients, suppliers or citizens. Doing this well enables trust and good relationships to be maintained, and prevents people being harmed by misuse of their data.

    With this in mind, all local organisations need to consider the fact that remote working may pose an increased risk to personal data. It is possible to take positive and effective steps to mitigate this risk by considering these common-sense steps:

    1. Make sure staff are aware of, and able to implement, your existing policies surrounding remote-working.
    2. Depending on what your staff are doing with personal data whilst they’re working remotely, consider whether it may be helpful (or legally required) for your organisation to perform a Data Protection Impact Assessment.
    3. If you identify a potentially high-risk processing activity involving personal data you need your staff to perform remotely, seek advice from your Data Protection Officer (if you have one), or visit odpa.gg/advice-guidance.
    4. Ensure staff only use secure network connections, and that all devices have appropriate and up-to-date anti-virus software and other security measures.
    5. Take extra care when transporting any paperwork or devices that may contain personal data: where appropriate use additional security measures such as two-factor authentication for devices, or use physical locks for storing paperwork.
    6. Be extra vigilant to social engineering (e.g. criminals impersonating your staff/suppliers/clients) in all its forms, as criminals are actively trying to take advantage of the current disruption.
    7. Inevitably people’s attention-to-detail, focus and vigilance may suffer from not being in their usual workplace. This is especially true if their attention is being demanded by other household members, such as small children who are in their care. So be realistic with your staff about what level of productivity you are expecting from them and think about limiting them to performing only low-risk, business-critical tasks.
    8. Think about the accountability principle: is your organisation using personal data in a new (or different) way as a result of the current public health situation? If so, document the decision-making process that led to this and update any relevant policies.

    Is the ODPA taking a more ‘relaxed’ approach to enforcement activities during the current public health situation?

    We would like to reassure local organisations that we are taking a realistic and pragmatic approach to regulatory activities during the Bailiwick’s ‘lockdown’.

  • Coronavirus (COVID-19) statement

    Our commissioner, Emma Martins, made the following statement on 17 March 2020:

    “The current public health situation presents our community and the world at large with extraordinary and fast-evolving challenges which are increasingly affecting every aspect of our lives, both from a personal and a professional perspective.

    In recent weeks at the ODPA, we have been working hard to ensure our business continuity plans are updated and strengthened in response to developments. The safety and wellbeing of our staff is a priority. We are part of the community we serve and owe it to ourselves and the wider community to conduct ourselves responsibly. We are also committed to delivering on our statutory duties as best we can but recognise that, as a small team, this may become more challenging if staff need to self-isolate or become unwell.

    It is impossible to predict what the next few weeks and months will bring but we will continue to work hard to fulfil our responsibilities, as an employer and a regulator, as best we can. If this means we are more difficult to contact or take more time to respond to communications, I want to offer my personal apologies in advance whilst reassuring everyone that we are doing everything we can to minimise possible disruption.

    Situations like this will inevitably bring out the best in people, but it will also bring out the worst. You will likely come across ‘fake news’ and you may well be targeted by scammers as they seek to exploit the current uncertainty and fear. Choose your news and information sources carefully and don’t click on links unless you know they are legitimate.

    For updated information about the Bailiwick of Guernsey please see https://www.gov.gg/covid19resources

    The word ‘community’ comes from the Latin ‘communis’ meaning ‘common, public, shared by all or many’. We are all part of a global as well as local community and share the challenges and concerns. We also share the commitment to get through this difficult time by working together in a responsible and practical way.”

    – Emma Martins
    Data Protection Commissioner (Bailiwick of Guernsey)
