News

  • 28 January: Data Protection Day 2020 marked with public event

    We are hosting a special event on 28 January to observe the 14th International Data Protection Day.

    Also known as Data Privacy Day, International Data Protection Day signifies an international effort to empower individuals and businesses to respect privacy, safeguard data and enable trust. We will be hosting a one-hour event on Tuesday 28 January that will focus on the data protection landscape in 2020 and the Authority’s strategic approach of predicting, preventing and detecting data harms along with enforcing the local data protection law.

    Emma Martins, the Bailiwick’s Data Protection Commissioner, said:

    ‘It is interesting that Data Protection Day was established by the Council of Europe, which is a human rights organisation. It recognised the importance of personal data and that a change in perspective is necessary so that our human rights are viewed both ethically and legally.’

    ‘Our aim is to ensure there is a cultural shift in society in terms of attitudes to people’s data and this comes from individuals, business and government. The law is a starting point and not an end point and the protection of personal data should be embedded and demanded in all areas of life,’ Mrs Martins added.

    Data Protection Day, which is held on 28 January each year, commemorates the signing of ‘Convention 108’ (or to give it its other title: The Convention for the Protection of Individuals with regard to Automated Processing of Personal Data) by the Council of Europe in 1981, which was the first legally binding international treaty dealing with privacy and data protection. 14 years ago, the Council launched the day to help raise awareness of the issues and our rights regarding our data.

    The event takes place on Tuesday 28 January, at the ODPA’s office at St Martin’s House in Le Bordage, St Peter Port, between 17:30 and 18:30.
    A limited number of remaining tickets can be booked here

    READ: The Convention for the Protection of Individuals with regard to Automated Processing of Personal Data (Convention 108) 

  • Data Protection Commissioner calls for a culture of improvement

    Forty-eight personal data breaches were reported to the Office of the Data Protection Authority (ODPA) in the two months leading up to 28 December 2019.

    Of the reported breaches, 39 were due to human error, highlighting again how people’s actions continue to be the biggest cause of personal data breaches locally. Information sent via email or post to the wrong person has consistently been the most common type of data breach reported since statutory reporting requirements came into effect. In response to this trend, the ODPA has recently been focussing on the role of human error in its events programme to help organisations and individuals understand and respond to the risks.

    The Bailiwick’s Data Protection Commissioner, Emma Martins, notes that changing attitudes and behaviour is key to reducing data breaches and preventing harm.

    ‘These latest figures again illustrate how important it is for us all, whatever our role, to understand data protection as something more than an IT issue. We must focus on ensuring individuals’ rights are respected while also recognising the impact of human error when using personal data. It is unrealistic to expect people to never make any mistakes, but we can positively influence attitude and a culture in organisations where mistakes are learnt from, behaviours change as a result and the risk of future harm is reduced.

    ‘We do not seek a culture of blame, rather we seek a culture of improvement,’ added Mrs Martins.

    The remaining self-reported breaches for the two-month period fell into other categories including mislaid data, criminal, hacking, unauthorised access and unauthorised disclosure.

    NOTES 

    This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

    Number of personal data breaches reported to ODPA:

    2 months to 28 December 2019 (details above): 48
    Data breaches: workplace culture change needed (2 months to 27 Oct 2019): 44
    Human behaviour remains key risk to protecting data (2 months to 26 Aug 2019): 32
    Data Protection Commissioner cautions against a ‘culture of blame’ (2 months to 25 Jun 2019): 50
    Human error remains biggest risk in data protection locally (2 months to 22 Apr 2019): 40
    ODPA report further increase in local data breaches (2 months to 22 Feb 2019): 45
    Increase in local data breaches (2 months to 18 Dec 2018): 28
    ODPC offers advice after increase in local data breaches (2 months to 18 Oct 2018): 26

    Breach criteria
    A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

    However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

    ‘Significant interests’ explained
    A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

  • The changing face of data protection: new environment vs. established principles

    Our commissioner, Emma Martins, marks the start of 2020 by reflecting on the need for a well-informed public conversation about data, and the role data protection professionals must play in it.

    ‘Data protection legislation has been around for many decades. Despite the fanfare that greeted the General Data Protection Regulation (GDPR) in May 2018 (and it was beyond doubt a hugely significant step), at its heart, the new Regulation is similar in shape and form to its predecessor. But we continue to be faced with a problem. This problem is not one of new principles but of a new environment. Data has taken on a new life in recent years and we are struggling to keep up. The speed of technological change in this digital age means that the culture and norms that inform our attitudes and behaviours have insufficient time to evolve. So it is therefore unsurprising that, despite its relatively long history, there remains much that is misunderstood and misinterpreted about the legislation; its origins, its aims, and the legal and ethical principles which underpin it.

    There does, however, seem to be change in the air as we are being increasingly exposed to the often shocking reality of the scale and impact of data use and misuse. The crucial role of public discussion; feeding better awareness and understanding of what good data protection means, cannot be overstated. All parts of society have a part to play, but as with so many other areas of our lives, journalists do perhaps shoulder a greater responsibility.

    I was reading this article about the GDPR in the Financial Times recently (which in itself must be welcomed, data is as much a financial issue as it is legal and social).  The article itself was well-written, as you would expect, and it highlighted a number of important areas such as wider privacy harms of certain processing, and some of the innovative developments in areas such as data trusts. But I was struck by how persistent the notion is that the law is a clinical tick box exercise, an administrative burden and something you can almost wash your hands of as long as you can evidence some sort of consent from the individual or individuals concerned. It is easy for data protection professionals to be judgemental and critical in the face of misunderstandings or misinterpretations. But if data protection is to be better understood and embraced, we need to be part of a cultural shift towards enlightened compliance rather than tick box approaches. Part of that requires us to try and rebalance the conversation, not to criticise but to inform.

    With this fresh in my mind, I wrote the letter below to the FT, which they published on 3 January.’ (reproduced here with their permission).

    Letter: Conversation about our data must involve us all
    From Emma Martins, Guernsey, CI
    January 3, 2020 12:00 am

    There is much to agree with in your editorial “Protecting data privacy needs constant evolution” (December 27); data and its protection has become a pressing social and economic issue. It is therefore extremely important to think about the way it is regulated. It is also helpful to highlight the need for regulatory rethinking in the face of increasing overlap of data protection and other regulatory regimes such as antitrust/competition.

    But the way our personal data are collected, created and used goes well beyond notions of data privacy. In our digital age, it goes to the heart of what it is to be an autonomous and free citizen. Despite recent exposés of certain big tech giants, we remain in blissful ignorance of the actual scale of manipulation and how it is changing us and the world in which we live.

    The General Data Protection Regulation is a good starting point but I dispute the suggestion that it presents companies with a list of tick-box demands. Approaching it in such a manner serves no one. Nor is consent enshrined as its core principle. Equally perplexing is the suggestion that principles of “privacy by design” are “encouraged” by the GDPR when in fact such an approach (together with accountability) is a legal requirement.

    I am not suggesting that the law is perfect, especially in the face of such unprecedented technological developments. But I would like us to learn to approach it differently. To expect any one law, or any one regulator, to be the sole arbiter of the handling of personal data is to condemn both to failure. Neither I, nor any of my regulatory colleagues across Europe, has the ability to effect legal or ethical change on our own. We need to look wider and deeper because this is a conversation that must involve us all. Legislation has to be understood as a form of safety net, not as an ethical baseline.

    Only by moving society forward in a way that deliberately and intelligently engages with the realities of the data-driven digital world can we effect real change; change that ensures we are seen as human beings, not as data points.

    Emma Martins
    Data Protection Commissioner,
    Office of the Data Protection Authority,
    Guernsey, CI

    Copyright The Financial Times Limited. All rights reserved. Please don’t copy articles from FT.com and redistribute by email or post to the web.

  • ODPA response to media enquiries regarding complaint by a Guernsey Airport user

    Local media have asked the ODPA to comment on a recent incident involving a police officer speaking with a member of the public at Guernsey Airport. We responded as follows:

    ‘The ODPA can confirm that a formal complaint has been received relating to the alleged processing of personal data by a number of Bailiwick controllers and is being dealt with in line with our statutory obligations. As a result, and in accordance with normal procedure, no further comment will be made at this time.’

  • Data protection oils the machine of governance

    Our commissioner Emma Martins has sent this letter to the Editor of The Guernsey Press in response to their Opinion piece on 10 December 2019:

    “Thank you for your Opinion piece (10 Dec.) highlighting how ‘data protection’ are “two of the most misunderstood and misused words in governance” and how the Law should not be “a barrier to honest, open and timely scrutiny of government”. 

    Data protection has indeed been largely misunderstood and misrepresented, which has long been a source of frustration and sadness for those of us that work in this area. Frustration that the Law is blamed so readily, and sadness because it is a law which is about treating all individuals with dignity and respect. As the Bailiwick’s data protection regulator we work hard to encourage better understanding and appreciation of the Law, why it matters and how it can be complied with. Data protection laws do not prevent legitimate activities by government or any other organisations; they seek to ensure that data about us all is treated with robust governance standards and processes.

    Doing things well, and embedding high standards of data governance, takes thought and effort, because the impact on individuals when things are not done well can be significant. When the legislation is cited as the reason good things can’t happen we must all stop and think. When we give our personal data to others, whether our bank, doctor or government, we expect them to handle it properly, as the Law requires. We cannot claim rights for ourselves that we deny others.

    Our office does not seek to comment or interfere with ongoing political matters. We seek to ensure the Law is applied in a mature and considered way which, contrary to being the ‘glue in the works’, is the oil in the machine of good governance.”

  • Data breaches: workplace culture change needed

    Forty-four personal data breaches were reported to us in the two months up to 27 October 2019.

    Number of personal data breaches reported to ODPA

    Twenty-four of the breaches were due to personal data being sent, via email or post, to the wrong person. The remaining twenty were through hacking, personal data being accessed inappropriately, the disclosure of personal data when not authorised to do so, system error, or personal data being lost. Overall, forty breaches were the result of human action, with just four resulting from system error.

    The Bailiwick’s data protection commissioner, Emma Martins, commented on the role people play in personal data breaches.

    ‘Once again, this period’s statistics reinforce the trend we have seen for some time: that it’s what people, not systems, do that is the biggest factor in most data breaches reported to us. Protecting data well is first and foremost a human issue.’

    This trend, where people’s awareness, attitudes, behaviour, and choice of actions often pose the biggest risk to the protection of personal data is observed not just locally, but also worldwide. In October 2019 the 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) passed a resolution for participating national authorities to ‘address the role of human error in personal data breaches’.

    The resolution, sponsored by the Office of the Australian Information Commissioner, calls on all ICDPPC members (including the ODPA) to ‘promote appropriate security safeguards to prevent human error that can result in personal data breaches’. The resolution identifies the role of ‘building workplace cultures where privacy and personal data security are organisational priorities, including through the periodic implementation of training, education and awareness programs for employees on their privacy and security obligations and the detection and reporting of threats to the security of personal data.’

    This echoes a statement made by Mrs Martins in August this year on this subject: ‘Building a culture of honest and constructive learning can help us all to work towards higher standards of compliance.’ Recognising the crucial role workplace culture plays in looking after personal data well, the ODPA will be starting an initiative, called ‘Project Blue Tit’, in 2020 with the aim of effecting positive, measurable change in organisational culture locally. More details about this project will be announced soon.

    NOTES 

    This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

    Number of personal data breaches reported to ODPA:

    2 months to 27 October 2019: 44
    2 months to 26 August 2019: 32
    2 months to 25 June 2019: 50
    2 months to 22 April 2019: 40
    2 months to 22 February 2019: 45
    2 months to 18 December 2018: 28
    2 months to 18 October 2018: 26

    PREVIOUS RELEASES: bi-monthly breach report statistics

  • ODPA registration exemptions extended

    Anyone who is currently exempt from the legal requirement to register with the Office of the Data Protection Authority (ODPA) will now continue to be exempt until January 2021.

    This means that any local entity (such as small businesses and sole traders) who currently meet the exemption criteria (find out what these are here) will not need to register with the ODPA until the beginning of 2021.

    From 1 January 2021 all exemptions to registering with the ODPA will end, and any local entity doing anything with personal data will be legally obliged to register with the ODPA and pay a small annual fee that will contribute towards the ODPA’s operational costs.

    The ODPA is an independent regulator and as such must be financially independent. It is working with the States of Guernsey towards agreeing a self-funding model which meets its operational costs mostly from annual fees paid by registered entities, rather than taxpayers.

    It has taken longer than expected for the States of Guernsey and the ODPA to agree and implement a self-funding model. Because of this delay the Committee for Home Affairs will shortly be extending the current registration exemptions. They were due to end on 31 December this year, but will now continue until 31 December 2020.

    Emma Martins, the Bailiwick’s Data Protection Commissioner commented on the extension.

    ‘For the past year we have been working hard to try to reach agreement with the States of Guernsey on how the ODPA’s operational activities are funded. Above all else, we want to ensure that we agree on a fair, low-cost, low-admin model that allows local businesses to concentrate their efforts on running their businesses well, rather than filling in bureaucratic forms. We continue to pursue that goal.’

     

    Below are some Q&As around what this means for local businesses and other entities:    

    Q: I’m confused – what exactly does this mean for local organisations and other entities who process personal data?
    A: If you are a currently registered entity, everything stays the same as it is now. Just carry on renewing your annual registration as you always have done. You will be automatically notified if anything changes.

    A: If you are currently exempt from registration, you will continue to be exempt until January 2021. But please remember: you are only exempt from registration, you are not exempt from complying with the local data protection law. Access advice, guidance, and resources on compliance here.

    Q: How do I know if I’m exempt or not?
    A: The following three groups of entities are exempt from registration until January 2021:

    1. entities who only process data for accounts and record-keeping for core business purposes, for staff administration and to market their own goods or services;
    2. entities who only process data under instructions given by another entity;
    3. entities who have charity or not-for-profit

    If you’re still not sure if any of the above exemptions apply to you, please read our guidance document: Exemptions to Registration.

    Q: Why are the exemptions being extended?
    A: It has taken longer than expected for The States of Guernsey and The Data Protection Authority to reach agreement on a self-funding model.

    In November 2018 The Data Protection Authority and the Committee for Home Affairs submitted a joint proposal to the Policy & Resources Committee outlining an innovative, low-cost, low-admin, equitable self-funding model that would involve automatically tacking on a ‘data protection fee’ to Guernsey Registry’s annual validation process. The proposed fee was 10% of any given entity’s annual validation fee (i.e. £25 – £50 per entity, per year).

    This model was supported by the Policy & Resources Committee, but the Committee for Economic Development could not support it.

    All parties continue to work closely with the aim of developing a model that everyone can support, and that works for local businesses. Whilst the details of the model are being worked out it makes sense to maintain the status quo (i.e. keep exemptions in place) to minimise disruption to Bailiwick organisations.

    Q: What is going to happen in January 2021?
    A: On the 1 January 2021 (or perhaps earlier, if a workable self-funding model can be implemented) all exemptions to registration will cease. Any entity who is doing anything with personal data will be legally obliged to register with the ODPA for the first time. There is an annual fee associated with this registration, which each entity must pay. This annual fee goes toward funding the ODPA’s operational activity. It is not yet clear what the annual fee will be, but The Data Protection Authority would like it to be low (between £25-£50/year per entity).

    Q: 1 January 2021 is a public holiday and my office will be closed. Do I need to register on that specific day?
    A: No, you can register at any point in the normal working days leading up to 1 January 2021 if you wish. The ODPA are exploring the possibility of an amnesty period for the month of January 2021 to give local organisations more time to register; details on whether this is possible will be announced in due course.

    Q: The ODPA annual registration fee is currently £50, will I have to pay more from 2021?
    A: Hopefully not, but it’s not yet clear what the fee will be. What is clear is that The Data Protection Authority is committed to keeping the fee as low as possible in order to maintain the Bailiwick’s competitiveness as a place to set up and operate successful businesses. It is also committed to a fair, low-admin approach to collecting its fee.

    Q: Why do I need to pay at all?
    A: Anyone doing anything with personal data in the Bailiwick has a legal obligation under The Data Protection (Bailiwick of Guernsey) Law, 2017 to pay an annual fee to the ODPA. This law also states that the ODPA must be self-funded, to allow itself to be independent of The States of Guernsey. This independence is essential as the ODPA regulates the States in the same way it regulates all other local entities.

    Q: Why can’t the ODPA just fund itself by giving out large fines?
    A: Any fines issued by The Data Protection Authority are payable to The States of Guernsey’s general revenue fund and are not used to fund the ODPA. To maintain its independence and neutrality the ODPA cannot be seen to be financially benefitting from any fines it issues: large or frequent fines could be misinterpreted as being based on a funding need rather than a levy for wrongdoing.

    Q: How much funding is The States of Guernsey giving the ODPA for 2020?
    A: £1.1 million has been requested to meet the ODPA’s 2020 operating costs. This will enable the ODPA to fulfil its statutory duties, and includes the cost of staff, premises, casework, public awareness activities, maintaining secure IT systems etc. The ODPA provides full financial information in its Annual Report (see all previous reports here).

    Q: How much annual funding will The States of Guernsey give the ODPA from 2021 onwards?
    A: This isn’t clear yet. Hopefully the ODPA will not have to rely too heavily on taxpayers’ money from 2021 as by then the self-funding model should be in place. However, the States are legally obliged to meet any shortfall between what the ODPA raises in fee income and what its operational budget is in any given year.

    Q: What is personal data? 
    A: It is any information that relates to an identified or identifiable living person. Things like: your name, your address, your medical records, CCTV footage of you, your social media activity, your internet browsing history, what your boss once said in an email about you, your political views, your sexuality etc.

    Q: What is ‘processing’ personal data? 
    A: ‘Processing’ refers to pretty much anything an entity* does with personal data. It includes activities like: collecting, storing, organising, using, altering, disclosing, erasing and destroying personal data. Profiling is also considered to be processing.
    *An ‘entity’ could be: your bank, a school, your plumber, the States of Guernsey, an online retailer, a social media platform, your employer, a politician acting in their official capacity, the supermarket you shop at, your GP’s practice, your insurer, in short: anyone who is deciding how your personal data is used. These sorts of entities are called ‘controllers’ in data protection law.

    Q: What does the ODPA do?
    A: The ODPA is the operational body that carries out the regulatory functions of the Law delegated by The Data Protection Authority. The ODPA records data breaches, investigates complaints, runs education programmes and examines proposed legislation and how it may affect individual privacy. The ODPA empowers individuals to exercise their rights, as well as supporting organisations to meet their compliance requirements and take action if they fall short.

    Q: What happens next?
    A: There is still some uncertainty as to when the self-funding model will be in place, and how this will affect local entities. The ODPA expects a decision on its self-funding model from The States of Guernsey by the end of 2019. It is committed to providing a workable lead-in-time and will provide regular updates through its website, newsletter and the usual media channels.

    Please ensure you subscribe to the ODPA’s monthly newsletter so that you are kept up to date.

    ————————————————————————————————————————————————————————————————

    Below is an extract from Deputy Mary Lowe’s statement regarding the ODPA’s 2020 funding position: Statement by the President of the Committee for Home Affairs (Wednesday 16 October 2019) 

    I move on to Data Protection[.]

    As Members may be aware discussions are continuing with the Data Protection Authority and the Policy and Resources Committee to find the best way to introduce a universal annual data protection licence fee which is modest and unbureaucratic.

    Apart from very small businesses and charities, most of those who will need to have a licence will be Guernsey registered companies. We therefore need to help business owners and managers to pay the fee with the minimum of fuss. We had explored the possibility of it becoming part and parcel of the annual validation process of the Company Registry but it became apparent from our colleagues at Economic Development that this could have unforeseen complications.

    We have therefore moved to exploring an alternative which preserves the independence of the Company Registry but seamlessly allows company owners to continue, after having completed their Annual Validation, through to the Data Protection Office website to pay their licence fee, unless they declare they are exempt.

    All this is taking time to develop and will probably require some legislation.

    This does mean that for 2020 the States, as required under the Law, will have to continue to fund the Data Protection Authority from General Revenue as part of the budget.”

  • Chris Docksey gives keynote at international conference

    Our board member Chris Docksey was the keynote speaker for the second day of the 41st International Conference of Data Protection and Privacy Commissioners open session.

    He spoke about the blossoming of data protection accountability across the globe, the philosophy behind accountability and the toolbox that can be used to demonstrate it.

    Chris emphasised the inclusion of the accountability principle in data protection legislation, including our own 2017 Law, and the need for controllers and regulators to embrace this fundamental principle to ‘give life’ to data protection compliance and regulations.

    Chris closed with this quote:

    “Not everything that is legally compliant and technically feasible is morally sustainable”
    – Giovanni Buttarelli (1957 – 2019) of EDPS – European Data Protection Supervisor

    READ: transcript of Chris Docksey’s keynote.
    LISTEN: audio recording of Chris Docksey’s keynote
    DOWNLOAD: Chris Docksey’s presentation (PDF) 

    READ: our guidance note on Accountability and Governance.

    READ: the ICDPPC 2019 resolutions, as adopted

  • Emma Martins speaks at international data protection summit

    The Bailiwick’s Data Protection Commissioner, Emma Martins, was an invited speaker at a recent international data protection conference.

    ‘PrivSec’ took place in Dublin on 23 and 24 September and the two-day summit brought together over 700 worldwide delegates in privacy and data protection to hear an international line-up of expert speakers. Alongside Mrs Martins, representatives from Google, Hewlett Packard, Etihad Airways, Aviva and the Bank of Ireland explored a range of conference topics covering data protection, security and governance and how successful data protection and security programmes need to be interdependent.

    Mrs Martins commented on how data protection has shifted from being merely tolerated to actively embraced.

    ‘It was thrilling to be part of PrivSec this year, there was genuine excitement in the room when privacy activists Max Schrems and David Carroll took the stage, and I’m so grateful to have witnessed that. It was humbling to represent our Bailiwick alongside global heavyweight organisations. We should be proud, as a jurisdiction, that the international community is aware of the approach we’re taking towards effective, independent regulation that encourages our regulated community towards excellence, and protects individuals’ rights.’

    Mrs Martins spoke on four key areas of regulation: prediction, prevention, detection and enforcement. Central to her presentation was how regulators should aim for balance across these four areas by describing The Office of the Data Protection Authority’s (ODPA) approach, the implications for regulated entities and how it can secure better outcomes.

  • ODPA start investigation into Sure Directory issues

    On 1 October 2019, the Office of the Data Protection Authority (ODPA) began an investigation in relation to how Sure handled personal data for the 2019 Sure Directory.

    Sure have been notified of the start of this investigation. The ODPA welcomes Sure’s constructive engagement and their full co-operation is anticipated.

    The ODPA will be investigating Sure under section 69 of The Data Protection (Bailiwick of Guernsey) Law, 2017. The investigation will cover the processing of personal data for, and publication of, the 2019/2020 telephone directory. Concerns raised by several members of the public will also be taken into account to determine whether any aspects of the Law have been breached.

    The outcome of the ODPA’s investigation should not be speculated on, or its conclusion pre-judged. No further comment will be made at this time.

    Whilst, as previously advised, individuals should speak to Sure in the first instance if they are concerned about their personal data, ongoing issues can be reported to the ODPA.
